CVE-2017-9080
published 2017-05-19


Priority: P278 · high · 8.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 62.31% (99.1th percentile)

PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.

Affected

1 range

Vendor    Product    Version range    Fixed in
playsms   playsms

Detection & IOCs (extracted from sources)

url: index.php?app=main&inc=feature_sendfromfile&op=upload_confirm
url: index.php?app=main&inc=feature_sendfromfile&op=list
path: sendfromfile.php
command: evilname = "<?php passthru($_SERVER['HTTP_USER_AGENT']); ?>"

  • Detect multipart POST requests to index.php with query parameters app=main, inc=feature_sendfromfile, op=upload_confirm — this is the exploit's file upload trigger endpoint.
  • The exploit encodes and delivers the PHP payload via the HTTP User-Agent header ('agent' => payload.encode). Inspect User-Agent headers on POST requests to PlaySMS for base64-encoded PHP or shell commands.
  • The malicious PHP payload is placed in the filename field of the multipart upload (content_disposition filename parameter). Monitor for filenames containing PHP tags or function calls such as passthru/system/exec in file upload requests to PlaySMS.
  • The default Metasploit payload for this exploit is php/meterpreter/reverse_tcp encoded with php/base64. Look for base64-encoded PHP payloads in HTTP headers or multipart form fields targeting PlaySMS.
  • The exploit sends an Upgrade-Insecure-Requests: 1 header alongside the malicious upload POST. While not unique alone, combined with the sendfromfile upload endpoint and encoded User-Agent, it is a useful correlation point.
  • Exploitation requires valid credentials. The module defaults to admin:admin but any authenticated account can trigger the vulnerability. Detection should not assume default credentials are used.
  • The exploit targets PlaySMS 1.4 specifically and was validated on VulnHub's Dina 1.0 (Linux) and Windows 7. Detection rules should be scoped to PlaySMS 1.4 deployments.
  • The TARGETURI defaults to '/' but may be configured to a subdirectory. URL-based detection rules should account for arbitrary base paths prepended to index.php.
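
The URL, User-Agent and filename checks from the notes above, combined into one detector for web server access logs. This is an added example, not code from the CVE sources. It assumes Combined Log Format; the function names, the 80-character base64 threshold and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>.*)"$'
)
UPLOAD_PARAMS = {"app": "main", "inc": "feature_sendfromfile", "op": "upload_confirm"}
# Heuristics (assumptions): PHP open tags, or one unbroken base64-looking run of 80+ chars.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.I)
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{80,}={0,2}")
PHP_CALL_RE = re.compile(r"\b(passthru|system|exec)\s*\(", re.I)

def is_upload_endpoint(target):
    """True for <any base path>/index.php carrying the three upload parameters, in any order."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/index.php"):
        return False
    query = parse_qs(parts.query)
    return all(want in query.get(key, []) for key, want in UPLOAD_PARAMS.items())

def filename_suspicious(filename):
    """Check a multipart filename field for PHP tags or command-execution calls."""
    return bool(PHP_TAG_RE.search(filename) or PHP_CALL_RE.search(filename))

def classify(line):
    """Return None (not relevant), 'upload' (endpoint hit) or 'upload+agent' (correlated)."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST" or not is_upload_endpoint(m["target"]):
        return None
    hit = PHP_TAG_RE.search(m["ua"]) or B64_RUN_RE.search(m["ua"])
    return "upload+agent" if hit else "upload"

# Constructed sample lines; the long User-Agent is inert filler, not a payload.
SAMPLE_LOG = [
    '198.51.100.7 - - [19/May/2017:10:00:01 +0000] "GET /index.php?app=main&inc=feature_sendfromfile&op=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/May/2017:10:00:05 +0000] "POST /sms/index.php?op=upload_confirm&app=main&inc=feature_sendfromfile HTTP/1.1" 200 812 "-" "' + "QUJD" * 30 + '"',
    '203.0.113.9 - - [19/May/2017:11:30:00 +0000] "POST /index.php?app=main&inc=feature_sendfromfile&op=upload_confirm HTTP/1.1" 200 900 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry), entry[:60])
```

Access logs do not record multipart bodies, so filename_suspicious is meant for a WAF or proxy layer that can see the upload's filename field.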

CVSS provenance

nvd · v3.0 · 8.8 · HIGH · CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd · v2.0 · 6.5 · MEDIUM · AV:N/AC:L/Au:S/C:P/I:P/A:P