PayloadsAllTheThings/Upload insecure files/Ffmpeg HLS/README.md
2017-06-26 21:32:10 +02:00

917 B

FFmpeg HLS vulnerability

FFmpeg is an open source software used for processing audio and video formats. You can use a malicious HLS playlist inside an AVI video to read arbitrary files.

Exploits

1. `./gen_xbin_avi.py file://<filename> file_read.avi`
2. Upload `file_read.avi` to some website that processes videofiles
3. (on server side, done by the videoservice) `ffmpeg -i file_read.avi output.mp4`
4. Click "Play" in the videoservice.
5. If you are lucky, you'll the content of `<filename>` from the server.

Thanks to