In /language/admin/language_general.class.php, doExportPack method:
In this method the editor and site parameters are used to build the filename value, which is then passed as the argument to the delfile method.
Let's take a look at the app/system/include/function/file.func.php source code.
In delfile the filename argument is passed to file_exists, and if that returns true the file named by filename is removed with unlink.
Before we analyze this point further, let's look at how file_exists behaves differently on Linux and Windows.
On Linux (first picture), if the path contains a directory component that does not really exist (asdf in the picture), file_exists does not return true even when that component is followed by ../: Linux resolves the path one component at a time, so the missing directory is an error before the ../ is ever applied. On Windows (second picture), the path is normalized textually before the filesystem is consulted, so the non-existent directory (asd in the picture) and the ../ that follows it cancel out, and file_exists returns true for the rest of the path.
We will use this difference for the vulnerability.
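The two resolution strategies side by side, as an added example that is not part of the original report or of Metinfo's code. lexical_exists mimics the Windows behaviour (collapse '..' textually, then stat), componentwise_exists mimics Linux (stop at the first missing component), and safe_delete_target is an assumed hardened replacement for the delfile pattern that rejects traversal on both platforms. The directory layout is constructed in a temporary directory; config.ini and language_pack are stand-in names, not Metinfo paths.

```python
import os
import tempfile


def lexical_exists(path: str) -> bool:
    """Windows-style check: '..' segments are collapsed textually before the
    filesystem is consulted, so a bogus directory in front of '..' is never
    looked up (C:\\nonexistent\\..\\Windows\\test is tested as C:\\Windows\\test)."""
    return os.path.exists(os.path.normpath(path))


def componentwise_exists(path: str) -> bool:
    """Linux-style check: walk the path one component at a time, as the kernel
    does, so a missing directory fails the lookup before a later '..' can undo it."""
    if not os.path.isabs(path):
        raise ValueError("absolute path expected")
    drive, rest = os.path.splitdrive(path)
    cur = drive + os.sep
    for part in rest.split(os.sep):
        if part in ("", "."):
            continue
        if part == "..":
            cur = os.path.dirname(cur.rstrip(os.sep)) or cur
            continue
        cur = os.path.join(cur, part)
        if not os.path.lexists(cur):
            return False
    return True


def safe_delete_target(base_dir: str, name: str):
    """Hardened variant of the delfile pattern (added here, not Metinfo's code):
    accept only a bare file name and require the physically resolved path to
    stay inside base_dir. realpath resolves the real filesystem, not the text,
    so this holds on Windows and Linux alike. Returns None when rejected."""
    if not name or name in (".", "..") or name != os.path.basename(name):
        return None
    real_base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(real_base, name))
    if os.path.commonpath([real_base, target]) != real_base:
        return None
    return target


def demo() -> dict:
    """Constructed scenario: a temp dir stands in for the web root, holding a
    config.ini and a language_pack subdirectory where deletes are supposed to go."""
    with tempfile.TemporaryDirectory() as root:
        pack_dir = os.path.join(root, "language_pack")
        os.mkdir(pack_dir)
        with open(os.path.join(root, "config.ini"), "w") as f:
            f.write("[app]\nkey=value\n")
        # attacker-shaped path: a directory that does not exist, then '..'
        bogus = os.path.join(root, "nonexistent", "..", "config.ini")
        # same shape, but through a directory that really exists
        via_real = os.path.join(pack_dir, "..", "config.ini")
        return {
            "lexical_bogus": lexical_exists(bogus),                # Windows: True
            "componentwise_bogus": componentwise_exists(bogus),    # Linux: False
            "componentwise_real": componentwise_exists(via_real),  # Linux: True
            "hardened_traversal": safe_delete_target(pack_dir, "../config.ini"),  # None
            "hardened_plain": safe_delete_target(pack_dir, "zh-cn.ini"),
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

componentwise_real is the case the report mentions for Linux: when the intermediate directory actually exists, the '..' is applied normally and the traversal works there too, which is why a whitelist on the caller-controlled name plus a realpath containment check is the fix rather than relying on the platform.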
Okay, after the unlink, doExportPack calls the doget_admin_pack method.
Let's take a look at the doget_admin_pack method.
In the source code, if the site parameter value is 'admin' or 'web', the appno parameter value is used in an SQL query, and it is not wrapped in single quotes.
So we can perform a UNION SQL injection.
Furthermore, the result of that SQL query is used as the content of the new ini file.
Because we control the result through the UNION SQL injection, we can write our own content into the ini file.
So the attack scenario is below:
give the site parameter the value 'admin' or 'web', and give the editor parameter a value of the form
'../../../---/{ini-filename}' so that the traversal points filename at the target ini file
give the appno parameter a SQL injection PoC whose selected values are the ini file content to be written
On Linux, if there is no language_admin_ directory (the directory name built from the site and editor parameters) this vulnerability will not occur, because file_exists fails on the missing component.
On Windows no such directory is needed, so the vulnerability triggers reliably.
(Of course, on Linux the vulnerability also triggers when language_admin_, or whatever directory name the site and editor parameters produce, really exists.)
POC :
/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Windows/test&appno= 1=1 union select 0x49732069742076756c6e657261626c653f3f,0x5965732121
(The two hex literals decode to "Is it vulnerable??" and "Yes!!".)
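Detection logic for this request shape, added here as an example and not taken from the report or from Metinfo. It scans web-server access-log lines for doExportPack requests whose editor parameter carries a traversal sequence or whose appno parameter is not a plain number, and decodes the 0x... literals of a UNION payload so the analyst can see what would have been written into the ini file. The log lines are constructed for the example (Apache combined style); the parameter names are the ones from the PoC above.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines for the example; the second one carries the
# PoC request from this report, percent-encoded the way a server would log it.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2020:10:00:00 +0000] "GET /admin/?n=language&c=language_general&a=doExportPack&site=web&editor=zh-cn&appno=3 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2020:10:00:05 +0000] "GET /admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Windows/test&appno=%201=1%20union%20select%200x49732069742076756c6e657261626c653f3f,0x5965732121 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2020:10:00:09 +0000] "GET /admin/?n=index HTTP/1.1" 200 1024
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")
UNION_RE = re.compile(r"\bunion\b.*\bselect\b", re.IGNORECASE)


def decode_hex_literals(sql: str) -> list:
    """Decode MySQL 0x... string literals so the analyst can read what a UNION
    payload would have written into the ini file."""
    return [bytes.fromhex(h).decode("utf-8", "replace")
            for h in re.findall(r"0x([0-9a-fA-F]+)", sql) if len(h) % 2 == 0]


def analyze_request(url: str):
    """Return findings for one doExportPack request, or None if it looks benign."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)

    def get(key):                      # parse_qs already percent-decodes values
        return q.get(key, [""])[0]

    if get("n") != "language" or get("a") != "doExportPack":
        return None
    findings = {}
    editor = get("editor")
    if TRAVERSAL_RE.search(editor):
        findings["traversal_in_editor"] = editor
    appno = get("appno")
    if appno and not appno.strip().isdigit():   # appno is used unquoted in SQL
        findings["non_numeric_appno"] = appno
        if UNION_RE.search(appno):
            findings["union_payload_decoded"] = decode_hex_literals(appno)
    return findings or None


def scan_log(text: str) -> list:
    """Return (line number, findings) for every suspicious request in the log."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if m:
            findings = analyze_request(m.group(1))
            if findings:
                hits.append((lineno, findings))
    return hits


if __name__ == "__main__":
    for lineno, findings in scan_log(SAMPLE_LOG):
        print(lineno, findings)
```

A benign export (numeric appno, plain editor name) produces no finding, so the rule can run over full logs without flooding; the decoded literals are what to look for in the ini files on disk when confirming impact.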
Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta
(This vulnerability only occurs on Windows)