metinfo 7.0 beta vulnerability #1

Open
@cby234

Description


Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta

(This vulnerability is reliably exploitable only on Windows; see the note on Linux below.)

In /language/admin/language_general.class.php, look at the doExportPack method.

In this method the editor and site parameters are concatenated to build the filename value, which is then passed as the argument to the delfile method.

Now look at the delfile method in app/system/include/function/file.func.php.

delfile passes its filename argument to file_exists(), and if that returns true the file is removed with unlink(). There is no check that the path stays inside the language directory.

Before going further, note how file_exists() behaves differently on Linux and on Windows.

[screenshot 1: file_exists() on Linux]

[screenshot 2: file_exists() on Windows]

On Linux (first screenshot), file_exists('asdf/../target') returns false when there is no real directory named asdf, even though the path contains a ../ that would step back out of it: the kernel resolves the path one component at a time and fails on the missing directory. On Windows (second screenshot), the ../ segments are collapsed lexically before the path reaches the filesystem, so 'asd/../target' becomes 'target' and file_exists() returns true although no directory named asd exists.

The attack relies on this Windows behaviour.
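The following Python script is an added example, not code from the Metinfo project or from this report. It reproduces the file_exists() difference described above (os.path.exists() hands the path to the kernel as Linux does; normpath() first collapses the `..` segments as the Win32 path layer does) and shows the realpath check that a delfile()-style helper needs so that a filename built from request parameters cannot leave the language directory. The directory layout and file names are constructed for the demo.

```python
"""Added example (not Metinfo's code): reproduce the file_exists() difference
the report relies on, and show the realpath check delfile() is missing."""
import os
import tempfile


def exists_like_linux(path: str) -> bool:
    """Hand the path to the kernel unchanged. Linux resolves it component by
    component, so 'missing/../target' fails with ENOENT at 'missing'."""
    return os.path.exists(path)


def exists_like_windows(path: str) -> bool:
    """Collapse '..' segments lexically first, as the Win32 path layer does
    before it touches the filesystem: 'missing/../target' becomes 'target'.
    normpath() reproduces that step on any OS."""
    return os.path.exists(os.path.normpath(path))


def safe_delete(base_dir: str, name: str) -> bool:
    """Hardened stand-in for delfile(): only remove files that really live
    under base_dir, whatever '..' segments the caller supplied."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath() on resolved absolute paths is a true prefix check; a plain
    # str.startswith() would accept a sibling such as 'language_evil/..'.
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing to delete outside {base}: {target}")
    if not os.path.isfile(target):
        return False
    os.unlink(target)
    return True


def run_demo() -> dict:
    """Build a throwaway tree and record what each check says about a path
    that routes through a directory which does not exist."""
    root = tempfile.mkdtemp()
    lang_dir = os.path.join(root, "language")
    os.mkdir(lang_dir)
    target = os.path.join(lang_dir, "target.ini")
    with open(target, "w") as fh:
        fh.write("[demo]\n")  # constructed sample file
    tricky = os.path.join(lang_dir, "asdf", "..", "target.ini")  # 'asdf' never exists

    result = {
        "posix": os.name == "posix",
        "linux_style": exists_like_linux(tricky),     # False on Linux, True on Windows
        "windows_style": exists_like_windows(tricky), # True everywhere
    }
    # Traversal that escapes the language directory is rejected outright.
    try:
        safe_delete(lang_dir, os.path.join("..", "..", "outside.ini"))
        result["traversal_rejected"] = False
    except ValueError:
        result["traversal_rejected"] = True
    # A legitimate name inside the directory is still deleted.
    result["deleted_in_base"] = safe_delete(lang_dir, "target.ini")
    result["gone"] = not os.path.exists(target)
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Run it on Linux and `linux_style` is False while `windows_style` is True; on Windows both are True, which is exactly the gap the report exploits. The fix does not depend on the platform: resolving the path and comparing it against the resolved base directory rejects the traversal before file_exists() is ever consulted.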

After the unlink, doExportPack calls the doget_admin_pack method.

In doget_admin_pack, if the site parameter is 'admin' or 'web', the appno parameter is used directly in a SQL query. appno is not wrapped in single quotes, so no quote character is needed to break out of the expression, and a UNION-based SQL injection is possible.

Furthermore, the rows returned by that query are used as the content of the newly written ini file. Because of the UNION SQL injection, we control the content of the ini file.

So the attack scenario is:

  1. Set the site parameter to 'admin' or 'web', and set the editor parameter to

'../../../---/{ini-filename}

  2. Set the appno parameter to a SQL injection payload whose selected values are the desired ini file content.

On Linux, if there is no language_admin_ directory, this vulnerability does not trigger.

On Windows the language_admin_ directory is not needed, and the attack works every time.

(On Linux the attack also works if a language_admin_ directory, or any other directory whose name can be formed from the site and editor parameters, does exist.)
POC :

/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Windows/test&appno= 1=1 union select 0x49732069742076756c6e657261626c653f3f,0x5965732121
