Twonky Server Exposure Vulnerability

Vulnerability Information

Vulnerability name: Twonky Server Exposure Vulnerability

Vulnerability type: Unauthenticated access

Severity: High

Description: Twonky Server is media server software that streams multimedia content over the DLNA/UPnP protocols. It is widely used in home and enterprise environments to share and stream media files. When a Twonky Server instance is reachable from the Internet or another untrusted network without authentication or network-level access restrictions, anyone who can reach it may browse and retrieve media files, interact with the server's settings, or gather sensitive information about the internal network. The issue is classed as unauthenticated access (the nuclei project files it under misconfiguration): the root cause is not a defect in a specific software version but the absence of an effective access-control boundary in front of the service, so an attacker needs no credentials to reach server resources. Possible consequences are disclosure of private data, tampering with server settings, and use of the host as a foothold for further attacks. Because no authentication is required, the issue is rated high. Note that the detection template below only fingerprints the web interface (the page title plus the string "Settings" on an HTTP 200 response): a match shows that the interface is exposed, and whether settings can actually be changed without credentials on a given host has to be confirmed separately.

Vendor: Lynx Technology

Product: Twonky Server

Search query (Shodan): http.favicon.hash:-915768386

Source: https://github.com/projectdiscovery/nuclei-templates/blob/185a9d25508146c31e1980e98acb045efdf893db/http%2Fmisconfiguration%2Ftwonky-server-exposure.yaml

Type: projectdiscovery/nuclei-templates: github issues

PoC Details


```yaml
id: twonky-server-exposure

info:
  name: Twonky Server - Exposure
  author: DhiyaneshDk
  severity: high
  description: |
    Twonky Server is a media server software that allows streaming of multimedia content over DLNA/UPnP protocols. When exposed to the internet or an untrusted network without proper authentication or access restrictions, it may allow unauthorized users to browse and access media files, interact with server settings, or gather sensitive network information.
  reference:
    - https://lynxtechnology.com/twonky-server.html
    - https://download.twonky.com/
  metadata:
    verified: true
    max-request: 1
    shodan-query: http.favicon.hash:-915768386
  tags: twonky,exposure,unauth

http:
  - method: GET
    path:
      - "{{BaseURL}}"   # a single request to the site root

    matchers:
      - type: dsl
        dsl:
          # both strings must appear in the response body (case-sensitive)
          - "contains_all(body, '<title>TwonkyMedia</title>','Settings')"
          - "status_code == 200"
        condition: and
```
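The template above relies on two checks that are easy to misreproduce by hand: the Shodan favicon hash used in the search query (MurmurHash3 over the MIME base64 encoding of the icon bytes, i.e. the 76-column, newline-terminated form, which is why hashing the raw icon or unwrapped base64 gives a different number), and the case-sensitive DSL matcher on the landing page. The script below is an added example, not code from projectdiscovery/nuclei-templates or Lynx Technology; it implements both checks offline with a pure-Python MurmurHash3_x86_32 so no third-party module is needed. All HTTP responses and the icon bytes in it are constructed for the demo, the function names are my own, and the real Twonky favicon is not included, so the favicon comparison only shows the mechanism.

```python
"""Offline reproduction of the two checks behind the twonky-server-exposure
nuclei template: the Shodan favicon hash used to find candidate hosts, and the
HTTP status/body matcher used to confirm an exposed Twonky web interface.
Added example, not code from projectdiscovery/nuclei-templates or Lynx Technology."""
import base64

MASK32 = 0xFFFFFFFF
TWONKY_FAVICON_HASH = -915768386  # value from the template's shodan-query field


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int = 0) -> int:
    """MurmurHash3_x86_32, the algorithm behind mmh3.hash(); returns an unsigned 32-bit value."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # body: 4-byte little-endian blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = _rotl32((k * c1) & MASK32, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = (_rotl32(h, 13) * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0-3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if tail:
        k ^= tail[0]
        k = _rotl32((k * c1) & MASK32, 15)
        h ^= (k * c2) & MASK32
    h ^= len(data)                                # finalisation (fmix32)
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def to_signed32(x: int) -> int:
    """mmh3.hash() returns a signed 32-bit int, which is the form Shodan stores."""
    return x - (1 << 32) if x & 0x80000000 else x


def shodan_favicon_hash(favicon: bytes) -> int:
    """Shodan convention: murmur3 over the MIME base64 encoding (76-char lines, trailing newline)."""
    return to_signed32(murmur3_32(base64.encodebytes(favicon)))


def is_twonky_favicon(favicon: bytes) -> bool:
    return shodan_favicon_hash(favicon) == TWONKY_FAVICON_HASH


def matches_twonky_exposure(status_code: int, body: str) -> bool:
    """Same logic as the template's DSL matcher:
    contains_all(body, '<title>TwonkyMedia</title>', 'Settings') and status_code == 200.
    contains_all is case-sensitive, so a lower-case 'settings' would not match."""
    needles = ("<title>TwonkyMedia</title>", "Settings")
    return status_code == 200 and all(n in body for n in needles)


# Constructed responses for the demo; none of these were captured from a real server.
SAMPLES = {
    "exposed": (200, "<html><head><title>TwonkyMedia</title></head>"
                     "<body><a href='#'>Settings</a></body></html>"),
    "login_wall": (200, "<html><head><title>TwonkyMedia</title></head>"
                        "<body><form>Username / Password</form></body></html>"),
    "redirect": (302, "<title>TwonkyMedia</title> Settings"),
    "other_app": (200, "<html><head><title>Welcome</title></head><body>Settings</body></html>"),
}


def triage(samples: dict) -> dict:
    """Run the matcher over (status, body) pairs; True means the template would fire."""
    return {name: matches_twonky_exposure(status, body) for name, (status, body) in samples.items()}


if __name__ == "__main__":
    for name, hit in triage(SAMPLES).items():
        print(f"{name:11s} -> {'EXPOSED' if hit else 'no match'}")
    fake_icon = b"\x00\x00\x01\x00\x01\x00"      # constructed bytes, not the real Twonky favicon
    print("favicon hash of constructed icon:", shodan_favicon_hash(fake_icon),
          "matches template:", is_twonky_favicon(fake_icon))
```

To use the favicon check against a live candidate, fetch its `/favicon.ico` bytes and pass them to `is_twonky_favicon`; a hit on the landing-page matcher only tells you the interface is reachable, so confirming that settings are writable without credentials remains a manual step.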



http://example.com/2025/07/06/github_2047793357/
Author: lianccc
Published: July 6, 2025