Vulnerability Name: Metinfo7.0.0beta CMS SQL Injection
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0
To demonstrate this vulnerability, follow the three steps below.
First, get the key.
Metinfo discloses the key via /config/config_safe.php.

Then, encrypt the payload.
Metinfo 7.0 uses an encrypted cookie to authenticate the login.


We can see that it uses user input as the auth and key values and passes them to the login_by_auth function.
In the login_by_auth function, it uses the getauth function to decode the auth data with the key we input.
Then login_by_password is passed the username (the SQL injection payload), which causes the SQL injection.
We have the key, and we know the way to encrypt the data, as below.
Finally, send the payload
(You should encrypt the data first.)
(Execute the SQL twice.)
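A hardened form of the flow described above, added here as an illustration; it is not Metinfo's code and not part of the original report. It keeps the key on the server and binds the decoded username as a query parameter, so the lookup stays safe even if the key is disclosed. Assumptions: the function names `decode_auth` and `login_by_password_safe`, the `users` table, and the cookie format (an HMAC-signed payload is swapped in for the page's encrypted cookie) are hypothetical.

```php
<?php
declare(strict_types=1);

// Verify and decode the auth cookie with a key held only on the server.
// Hypothetical format: base64(payload) . "." . hex(HMAC-SHA256(payload)).
function decode_auth(string $cookie, string $serverKey): ?array
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) { return null; }
    $payload = base64_decode($parts[0], true);
    if ($payload === false) { return null; }
    $expected = hash_hmac('sha256', $payload, $serverKey);
    if (!hash_equals($expected, $parts[1])) {
        return null; // forged or tampered cookie
    }
    $fields = explode("\t", $payload, 2); // "username<TAB>password"
    return count($fields) === 2 ? $fields : null;
}

// The decoded username is bound as a parameter: it is data, never SQL text.
function login_by_password_safe(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn(); // false when no row matches
    return is_string($hash) && password_verify($password, $hash);
}

// Constructed demo data: in-memory SQLite, one user, a random server key.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)');
$db->prepare('INSERT INTO users VALUES (?, ?)')
   ->execute(['admin', password_hash('s3cret-demo', PASSWORD_DEFAULT)]);
$serverKey = random_bytes(32);
$sign = fn(string $p, string $k): string => base64_encode($p) . '.' . hash_hmac('sha256', $p, $k);

// 1) valid login, 2) username carrying SQL metacharacters, both correctly signed.
foreach (["admin\ts3cret-demo", "admin' OR '1'='1\tx"] as $payload) {
    $f = decode_auth($sign($payload, $serverKey), $serverKey);
    var_dump($f !== null && login_by_password_safe($db, $f[0], $f[1]));
}
// 3) cookie signed with a key chosen by the client: rejected before any query runs.
var_dump(decode_auth($sign("admin\tx", 'client-supplied-key'), $serverKey));
```

The second case is the important one: the cookie passes the integrity check, yet the prepared statement treats the whole string as a username and finds no match.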
