
metinfo 7.0 beta vulnerability #1

Open

cby234 opened this issue Oct 24, 2019 · 0 comments

Comments

cby234 commented Oct 24, 2019

Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta

(This vulnerability only occurs on Windows OS)

In the doExportPack method of /language/admin/language_general.class.php:

[screenshot]

In this method we can find that the editor and site parameters make up the filename value, which is used as the delfile method's argument.

[screenshot]

Let's take a look at the app/system/include/function/file.func.php source code:

[screenshot]

When we check the delfile method, the filename argument is passed to the file_exists function, and if the return value is true, the file named by the filename argument is unlinked.

Before we analyze this point further, let's take a look at the difference in the file_exists function's behaviour between Linux and Windows.

[screenshot]

[screenshot]

In Linux (first picture), if there is no real directory named asdf, the function does not return true even though there is a ../ value. But in Windows, the file_exists function returns true if there is a fake directory named asd (second picture).

We will use this point for the vulnerability.

Okay, after unlinking the file, the doExportPack method calls the doget_admin_pack method.

Let's take a look at the doget_admin_pack method:

[screenshot]

In the source code, if the site parameter value is 'admin' or 'web', the appno parameter value is used in the SQL query. And there are no single quotes around the appno parameter.

So we can execute a union SQL injection.

[screenshot]

Furthermore, the return value of the SQL query is used as the new ini file's content.

Because we have a union SQL injection vulnerability, we can modify the ini file's content.

[screenshot]

So the attack scenario is below:

  1. Give the site parameter the value 'admin' or 'web', and give the editor parameter the value '../../../---/{ini-filename}'
  2. Give the appno parameter an SQLi PoC which includes the ini file content

In Linux, if there is no language_admin_ directory, this vulnerability will not occur.

But Windows doesn't need the language_admin_ directory, so this vulnerability will execute 100%.

(Of course, if Linux has language_admin_ or any other directory name which can be made by the site and editor parameters, this vulnerability will execute.)

POC:

/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Windows/test&appno= 1=1 union select 0x49732069742076756c6e657261626c653f3f,0x5965732121

[screenshot]

[screenshot]

[screenshot]
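Added example, written for this page and not code from the issue author or from MetInfo: a self-contained Python model of the two weaknesses the report describes (a delete path assembled from the site and editor parameters that an existence check does not constrain, and an unquoted appno value whose query result becomes ini content), each beside a hardened form. The function names, the `language_{site}_{editor}.ini` layout, the `lang` table and its rows are hypothetical or constructed for the demonstration. Windows collapses `missing_dir/..` lexically inside file_exists, so `os.path.normpath` is used to reproduce that collapse on any host; the raw `os.path.exists` result is reported but differs by platform, exactly as the report's two screenshots do.

```python
"""Model of the MetInfo report: traversal via lexical path collapse plus an
unquoted SQL parameter, next to hardened versions. Names are hypothetical."""
import os
import re
import sqlite3
import tempfile

SAFE_NAME = re.compile(r"[A-Za-z0-9_-]{1,64}")


def build_export_path(base_dir, site, editor):
    """Mirrors the pattern in the report: site and editor flow straight into
    a filename that is later handed to unlink (hypothetical layout)."""
    return os.path.join(base_dir, f"language_{site}_{editor}.ini")


def exists_windows_style(path):
    """Windows normalises 'missing_dir/..' before touching the disk, so
    file_exists() is true even though missing_dir never existed.
    os.path.normpath reproduces that lexical collapse on any host."""
    return os.path.exists(os.path.normpath(path))


def is_within(base_dir, path):
    """Containment check: resolve both sides, then require the target to sit
    under base_dir. This is the check a delfile() needs before unlink()."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(path)
    return os.path.commonpath([root, target]) == root


def delete_export_file(base_dir, site, editor):
    """Hardened delete: allow-list site, restrict editor to a plain token,
    and still verify containment before unlinking (defense in depth)."""
    if site not in ("admin", "web"):
        raise ValueError("site must be admin or web")
    if not SAFE_NAME.fullmatch(editor):
        raise ValueError("editor must be a plain identifier")
    target = build_export_path(base_dir, site, editor)
    if not is_within(base_dir, target):
        raise ValueError("path escapes the language directory")
    if os.path.isfile(target):
        os.unlink(target)
        return True
    return False


def pack_rows_vulnerable(conn, appno):
    """As the report describes: appno is concatenated into the SQL unquoted."""
    return conn.execute(f"SELECT name, value FROM lang WHERE appno={appno}").fetchall()


def pack_rows_safe(conn, appno):
    """Coerce to int and bind as a parameter; a UNION payload never reaches SQL."""
    return conn.execute("SELECT name, value FROM lang WHERE appno=?", (int(appno),)).fetchall()


def render_ini(rows):
    """Query rows become ini lines, which is why SQLi here means file-content control."""
    return "".join(f"{name}={value}\n" for name, value in rows)


def demo():
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "language")
        os.makedirs(base)
        victim = os.path.join(tmp, "config.ini")  # constructed file outside base
        with open(victim, "w") as fh:
            fh.write("[db]\nhost=localhost\n")
        raw = build_export_path(base, "web", "/../../config")  # attacker-style editor value
        results["windows_style_exists"] = exists_windows_style(raw)  # True: lexical collapse
        results["posix_style_exists"] = os.path.exists(raw)          # False on Linux: no language_web_ dir
        results["contained"] = is_within(base, raw)                   # False: resolves outside base
        try:
            delete_export_file(base, "web", "/../../config")
            results["hardened_rejected"] = False
        except ValueError:
            results["hardened_rejected"] = True
        results["victim_survives"] = os.path.isfile(victim)
        open(os.path.join(base, "language_web_default.ini"), "w").close()
        results["legit_deleted"] = delete_export_file(base, "web", "default")

    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lang (appno INTEGER, name TEXT, value TEXT)")
    conn.execute("INSERT INTO lang VALUES (1, 'site_name', 'Example')")  # constructed row
    payload = "1=1 UNION SELECT 'injected_key', 'injected_value'"  # same shape as the PoC's appno
    results["vuln_rows"] = pack_rows_vulnerable(conn, payload)
    results["vuln_ini"] = render_ini(results["vuln_rows"])
    try:
        pack_rows_safe(conn, payload)
        results["safe_rejected"] = False
    except ValueError:
        results["safe_rejected"] = True
    results["safe_rows"] = pack_rows_safe(conn, "1")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Run it with `python` on Linux and `posix_style_exists` is False while `windows_style_exists` is True; on Windows both are True, which is the platform difference the report relies on. The hardened delete rejects the traversal before any filesystem call, and the containment check via realpath catches it even without the allow-list, so either layer alone would stop the unlink. On the SQL side, `int()` plus parameter binding turns the union payload into a ValueError before a query is built, and only that path should ever feed render_ini.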
