HybridAuth install.php PHP Code Execution
This module exploits a PHP code execution vulnerability in HybridAuth versions 2.0.9 to 2.2.2. The install file 'install.php' is not removed after installation allowing unauthenticated users to write PHP code to the application configuration file 'config.php'. Note: This exploit will overwrite the application configuration file rendering the application unusable.
Module Name
exploit/unix/webapp/hybridauth_install_php_exec
Authors
- Pichaya Morimoto
- bcoles <bcoles [at] gmail.com>
References
Targets
- HybridAuth version 2.0.9 to 2.2.2 (PHP Payload)
Platforms
- php
Architectures
- php
Reliability
Development
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
msf > use exploit/unix/webapp/hybridauth_install_php_exec
msf exploit(hybridauth_install_php_exec) > show targets
...targets...
msf exploit(hybridauth_install_php_exec) > set TARGET <target-id>
msf exploit(hybridauth_install_php_exec) > show options
...show and set options...
msf exploit(hybridauth_install_php_exec) > exploit