Share
## https://sploitus.com/exploit?id=3456F60C-6215-5871-9D69-996E584D782F
# ๐ Xtream UI Security Audit & Exploitation Framework
[](https://www.python.org/)
[](https://opensource.org/licenses/MIT)
[](https://github.com)
**Complete security audit and penetration testing toolkit for Xtream UI/Xtream Codes IPTV panel installations.**
> โ ๏ธ **DISCLAIMER**: This tool is for educational and authorized security testing purposes ONLY. Unauthorized access to computer systems is illegal. Use responsibly.
---
## ๐ Overview
This repository contains a comprehensive security audit of the Xtream UI installer, including:
- **15+ Critical Vulnerabilities** identified and documented
- **Proof-of-Concept (PoC) exploits** for each vulnerability
- **Automated vulnerability scanners**
- **Detailed remediation guides**
- **Executive summary reports**
### ๐ฏ Key Features
- โ
**Multi-Port Scanner** - Automatically scans all known Xtream UI ports
- โ
**Credential Decryptor** - Recovers MySQL credentials from weak XOR encryption
- โ
**Command Injection PoC** - Demonstrates RCE vulnerabilities
- โ
**SQL Injection PoC** - Shows database exploitation techniques
- โ
**Full Exploit Chain** - Complete attack path from recon to root access
- โ
**Comprehensive Documentation** - Technical reports and remediation guides
---
## ๐ Vulnerability Summary
| Severity | Count | CVE/CWE |
|----------|-------|---------|
| ๐ด **CRITICAL** | 4 | CWE-78, CWE-89, CWE-327, CWE-798 |
| ๐ **HIGH** | 3 | CWE-494, CWE-250, CWE-732 |
| ๐ก **MEDIUM** | 8+ | Various |
**Overall CVSS Score**: 9.8/10 (Critical)
### Top Vulnerabilities
1. **Command Injection (CVSS 9.8)** - Remote Code Execution as root
2. **SQL Injection (CVSS 9.1)** - Full database compromise
3. **Weak Encryption (CVSS 8.9)** - MySQL credentials in plaintext
4. **Hardcoded Credentials (CVSS 9.8)** - Default admin/admin access
---
## ๐ Quick Start
### Prerequisites
- Python 3.6 or higher
- Linux/macOS environment (or WSL on Windows)
- Authorized access to target systems
### Installation
```bash
# Clone the repository
git clone https://github.com/YOUR_USERNAME/xtream-ui-security-audit.git
cd xtream-ui-security-audit
# Make scripts executable
chmod +x exploits/*.py demo.sh
# Verify installation
python3 exploits/security_scanner.py --help
```
### Basic Usage
#### 1. Automated Multi-Port Scan
```bash
# Scan all known Xtream UI ports automatically
python3 exploits/multi_port_scanner.py TARGET_IP
# Add custom ports
python3 exploits/multi_port_scanner.py TARGET_IP 8080,9000
```
#### 2. Single Port Scan
```bash
# Scan specific port
python3 exploits/security_scanner.py TARGET_IP 25500
```
#### 3. Decrypt Configuration
```bash
# Recover MySQL credentials
python3 exploits/decrypt_config.py /path/to/config
```
#### 4. View All Demos
```bash
# Interactive demonstration
./demo.sh
```
---
## ๐ Repository Structure
```
xtream-ui-security-audit/
โโโ README.md # This file
โโโ SECURITY_AUDIT_README.md # Detailed audit documentation
โโโ EXECUTIVE_SUMMARY.md # Executive summary (Spanish)
โโโ VULNERABILITIES_REPORT.md # Technical vulnerability report
โโโ PORTS_GUIDE.md # Complete ports & services guide
โโโ PYTHON3_READY.md # Python 3 compatibility info
โ
โโโ exploits/ # Exploitation scripts
โ โโโ README.md # Exploits usage guide
โ โโโ multi_port_scanner.py # โญ Multi-port vulnerability scanner
โ โโโ security_scanner.py # Single-port scanner
โ โโโ decrypt_config.py # Config decryption tool
โ โโโ command_injection_poc.py # Command injection PoC
โ โโโ sql_injection_poc.py # SQL injection PoC
โ โโโ full_exploit_chain.py # Complete exploitation chain
โ โโโ security_scanner.py # Automated scanner
โ
โโโ files/ # Original installer files
โ โโโ GeoLite2.mmdb
โ โโโ panel_api.php
โ โโโ pid_monitor.php
โ โโโ player_api.php
โ โโโ release_22f.zip
โ
โโโ install.py # Original vulnerable installer
โโโ balancer.py # Load balancer installer
โโโ demo.sh # Interactive demo script
โโโ LICENSE # MIT License
```
---
## ๐ Detailed Documentation
### For Security Researchers
- ๐ **[VULNERABILITIES_REPORT.md](VULNERABILITIES_REPORT.md)** - Technical analysis of all vulnerabilities
- ๐ง **[exploits/README.md](exploits/README.md)** - How to use exploitation scripts
- ๐ **[PORTS_GUIDE.md](PORTS_GUIDE.md)** - Complete guide to Xtream UI ports and services
### For Management/Executives
- ๐ **[EXECUTIVE_SUMMARY.md](EXECUTIVE_SUMMARY.md)** - Business impact and recommendations (Spanish)
### For Developers/Defenders
- ๐ก๏ธ **[SECURITY_AUDIT_README.md](SECURITY_AUDIT_README.md)** - Complete security audit index
- ๐ **[PYTHON3_READY.md](PYTHON3_READY.md)** - Python 3 compatibility notes
---
## ๐ฏ Use Cases
### โ
Authorized Use
- Security audits with written authorization
- Penetration testing as part of security assessments
- Educational research in controlled environments
- Bug bounty programs (if applicable)
- Internal security testing of your own systems
### โ Unauthorized Use
- Attacking systems without explicit permission
- Unauthorized access to data or systems
- Malicious use of exploits
- Any illegal activities
**Violating these guidelines may result in criminal prosecution.**
---
## ๐ ๏ธ Tools Overview
### Multi-Port Scanner โญ
Automatically scans all known Xtream UI ports and detects vulnerabilities.
**Ports Scanned**:
- 25500 (Admin Panel)
- 25461 (HTTP Streaming API)
- 25462 (RTMP Streaming)
- 25463 (HTTPS Streaming)
- 7999 (MySQL Database)
- 22 (SSH)
- Custom ports (optional)
### Config Decryptor
Reverses the weak XOR encryption used to protect MySQL credentials in the config file.
### Exploit PoCs
Demonstrates exploitation techniques for:
- Command Injection โ RCE as root
- SQL Injection โ Database compromise
- Default Credentials โ Admin access
- Complete attack chains
---
## ๐ Security Recommendations
### For System Administrators
1. **Immediate Actions**:
- Change default credentials (admin/admin)
- Restrict MySQL port (7999) to localhost only
- Update to latest patched version
- Implement firewall rules
2. **Long-term Improvements**:
- Migrate to Python 3
- Use prepared statements for SQL queries
- Implement proper encryption (AES-256, not XOR)
- Add two-factor authentication
- Regular security audits
### Firewall Configuration Example
```bash
# Block MySQL from external access
iptables -A INPUT -p tcp --dport 7999 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 7999 -j DROP
# Restrict admin panel to specific IPs
iptables -A INPUT -p tcp --dport 25500 -s YOUR_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 25500 -j DROP
# Save rules
iptables-save > /etc/iptables/rules.v4
```
---
## ๐ Example Workflow
### Complete Security Assessment
```bash
# 1. Reconnaissance
python3 exploits/multi_port_scanner.py target.example.com
# 2. If admin panel found, test default credentials
# Browser: http://target.example.com:25500
# Try: admin/admin
# 3. If SSH access available, decrypt config
ssh user@target.example.com
python3 decrypt_config.py /home/xtreamcodes/iptv_xtream_codes/config
# 4. Generate comprehensive report
cat VULNERABILITIES_REPORT.md
cat EXECUTIVE_SUMMARY.md
```
---
## ๐ค Contributing
Contributions are welcome! Please:
1. Fork the repository
2. Create a feature branch (`git checkout -b feature/NewExploit`)
3. Commit your changes (`git commit -am 'Add new exploit'`)
4. Push to the branch (`git push origin feature/NewExploit`)
5. Open a Pull Request
---
## ๐ License
This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
```
MIT License
Copyright (c) 2026 Security Research Team
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software...
```
---
## โ ๏ธ Legal Disclaimer
**IMPORTANT**: This software is provided for educational and authorized security testing purposes only.
- โ
Use ONLY on systems you own or have explicit written permission to test
- โ Unauthorized access to computer systems is ILLEGAL
- โ๏ธ Violations may result in criminal prosecution under:
- Computer Fraud and Abuse Act (CFAA) - USA
- Computer Misuse Act - UK
- Similar laws in other jurisdictions
**The authors assume NO liability for misuse of this software.**
---
## ๐ Contact & Support
- **Issues**: [GitHub Issues](https://github.com/YOUR_USERNAME/xtream-ui-security-audit/issues)
- **Security Vulnerabilities**: Please report responsibly via private disclosure
---
## ๐ Acknowledgments
- Original Xtream UI installer analysis
- Security research community
- OWASP Top 10 project
- CWE/CVE databases
---
## ๐ Statistics
- **Vulnerabilities Found**: 15+
- **Exploits Developed**: 6
- **Documentation Pages**: 10+
- **Lines of Code**: ~2000+
- **CVSS Score**: 9.8/10
---
## ๐ Related Resources
- [OWASP Top 10](https://owasp.org/www-project-top-ten/)
- [CWE Top 25](https://cwe.mitre.org/top25/)
- [CVSS Calculator](https://www.first.org/cvss/calculator/3.1)
---
**Made with ๐ for the security community**
*Last Updated: January 29, 2026*