Menu

Search for hundreds of thousands of exploits

"PlaySMS 1.4 - Remote Code Execution"

Author

Exploit author

"Touhid M.Shaikh"

Platform

Exploit platform

php

Release date

Exploit published date

2017-05-19

Download file

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
Exploit Title: PlaySMS 1.4 Remote Code Execution (to Poisoning admin log)
# Date: 19-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
 
1. Description
   

Remote Code Execution in Admin Log. 
In PlaySMS Admin have a panel where he/she monitor User status. Admin Can see Whose Online.
Using this functionality we can exploit RCE in Whose Online page.

When Any user Logged in the playSMS application. Some user details log on Whose Online panel like "Username", "User-Agent", "Current IP", etc. (You Can See Templeate Example Below)    

For More Details : www.touhidshaikh.com/blog/

   
2. Proof of Concept
 
1) Login as regular user (created using index.php?app=main&inc=core_auth&route=register):

2) Just Change you User-agent String to "<?php phpinfo();?>" or whatever your php payload.(Make sure to change User Agent after log in)

3) Just surf on playsms. And wait for admin activity, When admin Checks Whose Online status ...(bingooo Your payload successfully exploited )



setting parameter in online.php
*------------------online.php-----------------*

$users = report_whoseonline_subuser();
foreach ($users as $user) {
foreach ($user as $hash) {
$tpl['loops']['data'][] = array(
'tr_class' => $tr_class,
'c_username' => $hash['username'],
'c_isadmin' => $hash['icon_isadmin'],
'last_update' => $hash['last_update'],
'current_ip' => $hash['ip'],
'user_agent' => $hash['http_user_agent'],
'login_status' => $hash['login_status'],
'action' => $hash['action_link'],
);
}
}
*-------------ends here online.php-----------------*




Visible on this page: report_online.html
*------------report_online.html-----------*
<loop.data>
<tr class={{ data.tr_class }}>
<td>{{ data.c_username }} {{ data.c_isadmin }}</td>
<td>{{ data.login_status }} {{ data.last_update }}</td>
<td>{{ data.current_ip }}</td>
<td>{{ data.user_agent }}</td>
<td>{{ data.action }}</td>
</tr>
</loop.data>
*------------Ends here report_online.html-----------*


 
 


*------------------Greetz----------------- -----*
|Pratik K.Tejani, Rehman, Taushif  |
*---------------------------------------------------*

  _____           _     _     _ 
 |_   _|__  _   _| |__ (_) __| |
   | |/ _ \| | | | '_ \| |/ _` |
   | | (_) | |_| | | | | | (_| |
   |_|\___/ \__,_|_| |_|_|\__,_|
                                
Touhid SHaikh
An Independent Security Researcher.
Release Date Title Type Platform Author
2020-12-02 "aSc TimeTables 2021.6.2 - Denial of Service (PoC)" local windows "Ismael Nava"
2020-12-02 "DotCMS 20.11 - Stored Cross-Site Scripting" webapps multiple "Hardik Solanki"
2020-12-02 "NewsLister - Authenticated Persistent Cross-Site Scripting" webapps multiple "Emre Aslan"
2020-12-02 "Mitel mitel-cs018 - Call Data Information Disclosure" remote linux "Andrea Intilangelo"
2020-12-02 "ChurchCRM 4.2.0 - CSV/Formula Injection" webapps multiple "Mufaddal Masalawala"
2020-12-02 "Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile" webapps multiple "Shahrukh Iqbal Mirza"
2020-12-02 "Ksix Zigbee Devices - Playback Protection Bypass (PoC)" remote multiple "Alejandro Vazquez Vazquez"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS)" webapps multiple "Mufaddal Masalawala"
2020-12-02 "IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path" local windows "Manuel Alvarez"
Release Date Title Type Platform Author
2020-12-02 "Simple College Website 1.0 - 'page' Local File Inclusion" webapps php Mosaaed
2020-12-02 "WordPress Plugin Wp-FileManager 6.8 - RCE" webapps php "Mansoor R"
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting" webapps php "Hemant Patidar"
2020-12-02 "Car Rental Management System 1.0 - SQL Injection / Local File include" webapps php Mosaaed
2020-12-02 "Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality" webapps php "Mufaddal Masalawala"
2020-12-02 "WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution" webapps php zetc0de
2020-12-02 "WonderCMS 3.1.3 - Authenticated Remote Code Execution" webapps php zetc0de
2020-12-02 "Pharmacy Store Management System 1.0 - 'id' SQL Injection" webapps php "Aydın Baran Ertemir"
2020-12-01 "Multi Restaurant Table Reservation System 1.0 - Multiple Persistent XSS" webapps php yunaranyancat
Release Date Title Type Platform Author
2020-03-11 "PlaySMS 1.4.3 - Template Injection / Remote Code Execution" webapps php "Touhid M.Shaikh"
2018-03-30 "Vtiger CRM 6.3.0 - (Authenticated) Arbitrary File Upload (Metasploit)" webapps php "Touhid M.Shaikh"
2017-09-29 "Dup Scout Enterprise 10.0.18 - 'Import Command' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-09-28 "DiskBoss Enterprise 8.4.16 - 'Import Command' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-09-28 "DiskBoss Enterprise 8.4.16 - Local Buffer Overflow (PoC)" dos windows "Touhid M.Shaikh"
2017-09-26 "Tiny HTTPd 0.1.0 - Directory Traversal" remote linux "Touhid M.Shaikh"
2017-09-04 "Dup Scout Enterprise 9.9.14 - 'Input Directory' Local Buffer Overflow" local windows "Touhid M.Shaikh"
2017-08-28 "Easy WMV/ASF/ASX to DVD Burner 2.3.11 - Local Buffer Overflow (SEH)" local windows "Touhid M.Shaikh"
2017-08-28 "Easy RM RMVB to DVD Burner 1.8.11 - Local Buffer Overflow (SEH)" local windows "Touhid M.Shaikh"
2017-08-12 "RealTime RWR-3G-100 Router - Cross-Site Request Forgery (Change Admin Password)" webapps hardware "Touhid M.Shaikh"
2017-08-10 "Piwigo Plugin User Tag 0.9.0 - Cross-Site Scripting" webapps php "Touhid M.Shaikh"
2017-08-01 "VehicleWorkshop - Authentication Bypass" webapps php "Touhid M.Shaikh"
2017-08-01 "VehicleWorkshop - Arbitrary File Upload" webapps php "Touhid M.Shaikh"
2017-06-12 "Easy File Sharing Web Server 7.2 - 'POST' Remote Buffer Overflow" remote windows "Touhid M.Shaikh"
2017-06-11 "Easy File Sharing Web Server 7.2 - Authentication Bypass" remote windows "Touhid M.Shaikh"
2017-05-31 "Piwigo Plugin Facetag 0.0.3 - Cross-Site Scripting" webapps php "Touhid M.Shaikh"
2017-05-30 "Piwigo Plugin Facetag 0.0.3 - SQL Injection" webapps php "Touhid M.Shaikh"
2017-05-26 "QWR-1104 Wireless-N Router - Cross-Site Scripting" webapps hardware "Touhid M.Shaikh"
2017-05-21 "PlaySMS 1.4 - 'import.php' Remote Code Execution" webapps php "Touhid M.Shaikh"
2017-05-19 "D-Link DIR-600M Wireless N 150 - Authentication Bypass" webapps hardware "Touhid M.Shaikh"
2017-05-19 "PlaySMS 1.4 - Remote Code Execution" webapps php "Touhid M.Shaikh"
2017-05-14 "PlaySMS 1.4 - '/sendfromfile.php' Remote Code Execution / Unrestricted File Upload" webapps php "Touhid M.Shaikh" 
import requests
response = requests.get('http://127.0.0.1:8181?format=json')

For full documentation follow the link above

Cipherscan. Find out which SSL ciphersuites are supported by a target.

Cipher Protocols Sigalg Trusted

Identify and fingerprint Web Application Firewall (WAF) products protecting a website.

Host WAF detected