# CVE-2022-22909 Hotel Druid 3.0.3 - Remote Code Execution (RCE) 
## Exploit by kaal

### Exploits


This Exploit will create new room with our PHP payload as a room name .

Usage :
`$ ./ -h`


`$ ./ -u`




This Exploit will work if you already know the Room name .

Usage :
`$ ./ -u "" -r "abc"`



## Exploit Walkthrough :

1). Navigate to Hotel Druid page.

2). Click on Tables -> Rooms 


3). In Create New Room field add below php code , and click on Add. 



4). You will see new room with our payload in the "Room" name field .


5). Go to below link and you will get command Execution , Later you can get Full shell

Note : Change the Ip with your hoteldruid target IP.

## Vulnerability Description :

This vulnerability occurs because room names are getting stored inside `/var/www/html/hoteldruid/dati/selectappartamenti.php`


And `selectappartamenti.php` is a PHP file so any PHP code inside that file will get executed by the server.