CVE-2017-9080
Published: 2017-05-19
Priority: P278 · Severity: high · CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available (see Exploit-DB entry below)
EPSS: 62.31% (99.1th percentile)
PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed. sendfromfile.php has a combination of Unrestricted File Upload and Code Injection.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| playsms | playsms | — | — |
Detection & IOCs (extracted from sources)
- Detect multipart POST requests to index.php with the query parameters app=main, inc=feature_sendfromfile and op=upload_confirm; this is the file-upload endpoint the exploit triggers.
- The exploit encodes and delivers the PHP payload via the HTTP User-Agent header ('agent' => payload.encode). Inspect User-Agent headers on POST requests to PlaySMS for base64-encoded PHP or shell commands.
- The malicious PHP payload is placed in the filename field of the multipart upload (the Content-Disposition filename parameter). Monitor file-upload requests to PlaySMS for filenames containing PHP tags or function calls such as passthru, system or exec.
- The default Metasploit payload for this exploit is php/meterpreter/reverse_tcp encoded with php/base64. Look for base64-encoded PHP payloads in HTTP headers or multipart form fields targeting PlaySMS.
- The exploit sends an Upgrade-Insecure-Requests: 1 header alongside the malicious upload POST. It is not unique on its own, but combined with the sendfromfile upload endpoint and an encoded User-Agent it is a useful correlation point.
- Exploitation requires valid credentials. The module defaults to admin:admin, but any authenticated account can trigger the vulnerability, so detection should not assume default credentials are used.
- The exploit targets PlaySMS 1.4 specifically and was validated on VulnHub's Dina 1.0 (Linux) and Windows 7. Detection rules should be scoped to PlaySMS 1.4 deployments.
- The TARGETURI defaults to '/' but may be configured to a subdirectory. URL-based detection rules should account for arbitrary base paths prepended to index.php.
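As an added example (not part of the indexed sources or of the Metasploit module), the Python below turns the indicators above into a small detection routine run over constructed request records. The record layout (method, URL, headers, multipart filename) and the three sample requests are assumptions made for the example; the endpoint match tolerates any base path before index.php, and an alert requires the endpoint match plus a payload indicator, since the endpoint alone is normal use of the feature.

```python
import base64
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample request records (not real traffic). Each mimics what a
# reverse proxy or WAF log would hand a detection pipeline for one request:
# method, request URI, selected headers, and the multipart filename if any.
SAMPLE_REQUESTS = [
    {  # ordinary contact-list upload through the same PlaySMS feature
        "method": "POST",
        "url": "/index.php?app=main&inc=feature_sendfromfile&op=upload_confirm",
        "headers": {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)"},
        "filename": "contacts_march.csv",
    },
    {  # PHP open tag in the filename plus base64 PHP in User-Agent; the base
       # path is a subdirectory, as a non-default TARGETURI would produce
        "method": "POST",
        "url": "/sms/index.php?app=main&inc=feature_sendfromfile&op=upload_confirm",
        "headers": {
            "User-Agent": base64.b64encode(b"<?php phpinfo(); ?>").decode(),
            "Upgrade-Insecure-Requests": "1",
        },
        "filename": "<?php phpinfo(); ?>.csv",
    },
    {  # GET to the feature page: not an upload, must not alert
        "method": "GET",
        "url": "/index.php?app=main&inc=feature_sendfromfile",
        "headers": {"User-Agent": "curl/7.68.0"},
        "filename": None,
    },
]

PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
PHP_CALL_RE = re.compile(r"\b(passthru|system|exec|shell_exec)\s*\(", re.IGNORECASE)
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def is_sendfromfile_upload(method, url):
    """True for a POST to .../index.php carrying the upload_confirm parameters,
    whatever base path precedes index.php (the TARGETURI caveat)."""
    if method.upper() != "POST":
        return False
    parsed = urlparse(url)
    if not parsed.path.endswith("index.php"):
        return False
    q = parse_qs(parsed.query)
    return (q.get("app") == ["main"]
            and q.get("inc") == ["feature_sendfromfile"]
            and q.get("op") == ["upload_confirm"])


def looks_like_php(text):
    """PHP open tag or a command-execution function call anywhere in text."""
    return bool(text) and bool(PHP_TAG_RE.search(text) or PHP_CALL_RE.search(text))


def decode_base64_php(value):
    """Return the decoded text if value is base64 that decodes to PHP, else None."""
    value = value.strip()
    if not BASE64_RE.match(value):
        return None
    try:
        decoded = base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    return decoded if looks_like_php(decoded) else None


def score_request(req):
    """List the indicators a single request exhibits (empty if off-endpoint)."""
    if not is_sendfromfile_upload(req["method"], req["url"]):
        return []
    findings = ["sendfromfile upload_confirm endpoint"]
    if looks_like_php(req.get("filename")):
        findings.append("PHP code in multipart filename")
    if decode_base64_php(req["headers"].get("User-Agent", "")) is not None:
        findings.append("base64-encoded PHP in User-Agent")
    if req["headers"].get("Upgrade-Insecure-Requests") == "1":
        findings.append("Upgrade-Insecure-Requests: 1 (correlation only)")
    return findings


STRONG = ("PHP code in multipart filename", "base64-encoded PHP in User-Agent")


def detect(requests):
    """Alert only when the endpoint match is joined by a payload indicator."""
    alerts = []
    for index, req in enumerate(requests):
        findings = score_request(req)
        if any(f in STRONG for f in findings):
            alerts.append((index, findings))
    return alerts


if __name__ == "__main__":
    for index, findings in detect(SAMPLE_REQUESTS):
        print(f"request #{index}: " + "; ".join(findings))
```

Run against the constructed records, only the second request alerts, with all three header and filename indicators attached; the legitimate CSV upload matches the endpoint but produces no alert. The base64 check is deliberately narrow (a long run of base64 characters that decodes to a PHP tag or call) so that ordinary browser User-Agent strings are never decoded.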
CVSS provenance
NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)
No detection rules found.
Exploit-DB
PlaySMS 1.4 - 'sendfromfile.php?Filename' (Authenticated) Code Execution (Metasploit) (exploitdb, 2018-05-08, CVE-2017-9080)
---
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # (the module body between the class line and the 'Name' entry was lost
  #  in the indexed excerpt and is not reproduced here)
      'Name' => 'PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution',
      'Description' => %q{
        This module exploits a code injection vulnerability within an authenticated file
        upload feature in PlaySMS v1.4. This issue is caused by improper file name handling
        in sendfromfile.php file.
        Authenticated Users can upload a file and rename the file with a malicious payload.
        This module was tested against PlaySMS 1.4 on VulnHub's Dina 1.0 machine and Windows 7.
      },
      'Author' =>
        [
          'Touhid M.Shaikh ', # Discovery and Metasploit Module
          'DarkS3curity'
          # (excerpt truncated here in the indexed source)
```
Metasploit: PlaySMS sendfromfile.php Authenticated "Filename" Field Code Execution
No writeups or analysis indexed.