mirror of
https://github.com/swisskyrepo/PayloadsAllTheThings.git
synced 2024-12-19 02:46:10 +00:00
gen_xbin_avi.py
read_passwd.avi
read_shadow.avi
README.md
FFmpeg HLS vulnerability
FFmpeg is open source software used for processing audio and video formats. You can use a malicious HLS playlist inside an AVI video to read arbitrary files.
Exploits
1. `./gen_xbin_avi.py file://<filename> file_read.avi`
2. Upload `file_read.avi` to some website that processes video files
3. (on server side, done by the videoservice) `ffmpeg -i file_read.avi output.mp4`
4. Click "Play" in the videoservice.
5. If you are lucky, you'll see the content of `<filename>` from the server.
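
A pre-processing check for the upload path in steps 2 and 3, as an added example that is not part of the original repository: it flags files that carry an AVI header but contain HLS playlist text, before they reach `ffmpeg`. The function names, the protocol deny-list, the scan window and the sample bytes are assumptions constructed for illustration.

```python
import re

HLS_MAGIC = b"#EXTM3U"  # first line of every HLS playlist
# Assumed deny-list of FFmpeg protocol prefixes for this example.
RISKY_SCHEME = re.compile(rb"(?i)(file|concat|subfile|data):")
WINDOW = 4096  # bytes inspected after each marker (assumed limit)


def is_riff_avi(data: bytes) -> bool:
    """True for a RIFF container whose form type is 'AVI '."""
    return len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"AVI "


def scan_upload(data: bytes) -> dict:
    """Look for playlist text hidden inside an uploaded media file."""
    offsets, uris = [], []
    pos = data.find(HLS_MAGIC)
    while pos != -1:
        offsets.append(pos)
        for line in data[pos:pos + WINDOW].splitlines():
            line = line.strip()[:200]
            # Playlist entries are the lines that are not '#' tags.
            if (not line.startswith(b"#") and RISKY_SCHEME.match(line)
                    and line not in uris):
                uris.append(line)
        pos = data.find(HLS_MAGIC, pos + 1)
    avi = is_riff_avi(data)
    # A genuine AVI has no reason to contain a playlist, so reject on sight.
    return {"avi": avi, "hls_offsets": offsets, "risky_uris": uris,
            "reject": avi and bool(offsets)}


# Constructed samples: container headers only, not playable video.
CLEAN = b"RIFF" + (68).to_bytes(4, "little") + b"AVI " + b"LIST" + b"\x00" * 60
SUSPECT = (b"RIFF" + b"\x00" * 4 + b"AVI " + b"\x00" * 32 +
           b"#EXTM3U\n#EXTINF:1.0,\nfile:///placeholder/path\n#EXT-X-ENDLIST\n")

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(name, scan_upload(blob))
```

Content scanning is a coarse filter. Restricting the protocols FFmpeg may open with its `-protocol_whitelist` option and running it in a sandbox without access to sensitive files limits the impact if a file slips through.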