PlaySMS 1.4 Remote Code Execution (to Poisoning admin log)

vendor:

PlaySMS

by:

Touhid M.Shaikh

7,5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: PlaySMS

Affected Version From: 1.4

Affected Version To: 1.4

Patch Exists: NO

Related CWE: N/A

CPE: a:playsms:playsms:1.4

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2017

PlaySMS 1.4 Remote Code Execution (to Poisoning admin log)

Remote Code Execution in Admin Log. In PlaySMS Admin have a panel where he/she monitor User status. Admin Can see Whose Online. Using this functionality we can exploit RCE in Whose Online page. When Any user Logged in the playSMS application. Some user details log on Whose Online panel like 'Username', 'User-Agent', 'Current IP', etc.

Mitigation:

Ensure that user input is properly sanitized and validated before being used in the application.

Source

Exploit-DB raw data:

 Exploit Title: PlaySMS 1.4 Remote Code Execution (to Poisoning admin log)
# Date: 19-05-2017
# Software Link: https://playsms.org/download/
# Version: 1.4
# Exploit Author: Touhid M.Shaikh
# Contact: http://twitter.com/touhidshaikh22
# Website: http://touhidshaikh.com/
# Category: webapps
 
1. Description
   

Remote Code Execution in Admin Log. 
In PlaySMS Admin have a panel where he/she monitor User status. Admin Can see Whose Online.
Using this functionality we can exploit RCE in Whose Online page.

When Any user Logged in the playSMS application. Some user details log on Whose Online panel like "Username", "User-Agent", "Current IP", etc. (You Can See Templeate Example Below)    

For More Details : www.touhidshaikh.com/blog/

   
2. Proof of Concept
 
1) Login as regular user (created using index.php?app=main&inc=core_auth&route=register):

2) Just Change you User-agent String to "<?php phpinfo();?>" or whatever your php payload.(Make sure to change User Agent after log in)

3) Just surf on playsms. And wait for admin activity, When admin Checks Whose Online status ...(bingooo Your payload successfully exploited )



setting parameter in online.php
*------------------online.php-----------------*

$users = report_whoseonline_subuser();
foreach ($users as $user) {
foreach ($user as $hash) {
$tpl['loops']['data'][] = array(
'tr_class' => $tr_class,
'c_username' => $hash['username'],
'c_isadmin' => $hash['icon_isadmin'],
'last_update' => $hash['last_update'],
'current_ip' => $hash['ip'],
'user_agent' => $hash['http_user_agent'],
'login_status' => $hash['login_status'],
'action' => $hash['action_link'],
);
}
}
*-------------ends here online.php-----------------*




Visible on this page: report_online.html
*------------report_online.html-----------*
<loop.data>
<tr class={{ data.tr_class }}>
<td>{{ data.c_username }} {{ data.c_isadmin }}</td>
<td>{{ data.login_status }} {{ data.last_update }}</td>
<td>{{ data.current_ip }}</td>
<td>{{ data.user_agent }}</td>
<td>{{ data.action }}</td>
</tr>
</loop.data>
*------------Ends here report_online.html-----------*


 
 


*------------------Greetz----------------- -----*
|Pratik K.Tejani, Rehman, Taushif  |
*---------------------------------------------------*

  _____           _     _     _ 
 |_   _|__  _   _| |__ (_) __| |
   | |/ _ \| | | | '_ \| |/ _` |
   | | (_) | |_| | | | | | (_| |
   |_|\___/ \__,_|_| |_|_|\__,_|
                                
Touhid SHaikh
An Independent Security Researcher.