AVideo Unauthenticated SQL Injection Credential Dump
| Disclosed | Created |
|---|---|
| Mar 5, 2026 | Apr 10, 2026 |
Description
Unauthenticated SQL injection via the AVideo catName parameter in objects/videos.json.php (CVE-2026-28501).
The security filter in security.php sanitizes GET/POST parameters but
does not cover JSON request bodies. Since videos.json.php parses JSON
input and merges it into $_REQUEST after the filter runs, a catName
value sent as JSON bypasses sanitization entirely and reaches
getCatSQL() unsanitized.
This module uses time-based blind injection with BENCHMARK() to dump
usernames and password hashes. SLEEP() is blocked by the sqlDAL
prepared statement layer, but BENCHMARK(N*(condition), SHA1(x)) works
because the condition is evaluated as a multiplier on the iteration
count, avoiding the subquery restrictions imposed by prepare().
Fixed in 24.0 (no 23.0 release exists).
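To make the filter-ordering bug and its fix concrete, here is an added PHP illustration (not AVideo's code and not part of the module): a stand-in filter, the vulnerable filter-then-merge order, the merge-then-filter order, and a parameterised lookup. The filter's character set, all function names, and the table and column names are assumptions for the illustration.

```php
<?php
// Hypothetical illustration of the ordering bug described above; not AVideo's code.
// Stand-in for the security filter: it only ever sees GET/POST, never the JSON body.
function filterParams(array $params): array
{
    foreach ($params as $key => $value) {
        if (is_string($value)) {
            $params[$key] = preg_replace('/[\'";()]/', '', $value);
        }
    }
    return $params;
}

// Vulnerable ordering: the filter runs on GET/POST, and only afterwards is the
// JSON body decoded and merged on top, so a catName sent as JSON is never filtered.
function requestParamsVulnerable(array $get, array $post, string $rawBody): array
{
    $request = filterParams(array_merge($get, $post));
    $json = json_decode($rawBody, true);
    if (is_array($json)) {
        $request = array_merge($request, $json); // unfiltered values win here
    }
    return $request;
}

// Hardened ordering: decode and merge every input source first, then filter the
// merged array, so no source can bypass the filter by being merged last.
function requestParamsHardened(array $get, array $post, string $rawBody): array
{
    $json = json_decode($rawBody, true);
    $request = array_merge($get, $post, is_array($json) ? $json : []);
    return filterParams($request);
}

// The actual defence is to stop building SQL from the value at all: bind catName
// as a parameter so the prepared statement treats it purely as data.
// Table and column names are assumed for the illustration.
function getCatSqlHardened(PDO $pdo, string $catName): PDOStatement
{
    $stmt = $pdo->prepare('SELECT id FROM categories WHERE name = :cat');
    $stmt->bindValue(':cat', $catName, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt;
}

// Constructed sample body: a catName carrying SQL metacharacters.
$body = json_encode(['catName' => "news' OR 1=1 -- "]);
echo "vulnerable: ", requestParamsVulnerable([], [], $body)['catName'], PHP_EOL;
echo "hardened:   ", requestParamsHardened([], [], $body)['catName'], PHP_EOL;
```

Running it shows the quote and punctuation surviving on the vulnerable path and being stripped on the hardened path; the parameterised lookup makes the filter a defence-in-depth layer rather than the only barrier.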
Authors
arkmarta
Valentin Lobstein
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':