From beb7e19ffb5c354e61ac40badbc7cf7977cd50e6 Mon Sep 17 00:00:00 2001 From: Yasin Soliman Date: Wed, 27 Sep 2017 17:27:43 +0100 Subject: [PATCH] Add explanation and PoC for FFmpeg LFD --- cheatsheets/lfi.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/cheatsheets/lfi.md b/cheatsheets/lfi.md index 36c0501..4233520 100644 --- a/cheatsheets/lfi.md +++ b/cheatsheets/lfi.md @@ -21,3 +21,17 @@ ``` /%5c.. ``` + +**FFmpeg Local File Disclosure** + +This [script](https://github.com/neex/ffmpeg-avi-m3u-xbin/blob/master/gen_xbin_avi.py) by @neex can be used to disclose local files on FFmpeg hosts which parse externally-referencing [HLS playlists](https://ffmpeg.org/ffmpeg-formats.html#hls-2). + +_Steps to reproduce_ + +1. Please download the script from @neex to your "attacker" instance +2. Execute the script with your desired parameters: `python3 gen_xbin_avi.py file:///etc/hostname bugbounty.avi` +3. Upload the generated AVI file to your target site (e.g. within a 'video upload page') +4. The target may process the malicious HLS inclusion with FFmpeg on the server-side. +5. Play the uploaded AVI via the target site. If successful, your desired file will be disclosed within the video. + +Alternative scripts exist which may generate different HLS formats or lead to the desired file being disclosed in a different manner.
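Review bot: Step 4 of the added "Steps to reproduce" list is an observation rather than an action ("The target may process the malicious HLS inclusion with FFmpeg on the server-side."), so the numbered procedure has one item the tester does not perform; move it into step 3 as a note, or reword it as a precondition before the list. In the first added paragraph the script link points at `blob/master/`, which can change or be removed after this is merged; pin it to a commit so the cheatsheet keeps describing the version it was written against. The closing sentence about "alternative scripts" names none and gives the reader nothing to verify, so it could be dropped. The section also lists only reproduction steps: it does not say which FFmpeg builds or configurations are affected, or what a site owner should change once the issue is confirmed, and a short remediation line would make the entry usable in a report.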