metinfo 7.0 beta remote delete ini file #2

cby234 opened this issue May 17, 2021 · 0 comments

cby234 commented May 17, 2021

Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta

(This vulnerability only occurs on Windows OS)

In the doExportPack method of /language/admin/language_general.class.php:

image

In this method we can find that the editor and site parameters make up the filename value, which is used as the delfile method's argument.

image

Let's take a look at the app/system/include/function/file.func.php source code:

image

When we check the delfile method, the filename argument is passed to the file_exists function, and if the return value is true, the file named by the filename argument is unlinked.

Before we analyze this point further, let's take a look at the difference in the file_exists function between Linux and Windows.

image

image

In Linux (first picture), if there is no real directory named asdf, the function does not return a true value unless there is a ../ value. But in Windows, the file_exists function returns a true value even if there is a fake directory named asdf (second picture).

Because of this, we can delete a remote ini file on a Windows server.

The attack scenario is below:

  1. Give the site parameter the value 'admin' or 'web' and give the editor parameter the value '../../../---/{ini-filename}'

POC :

/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Users/test/Desktop/test&appno=123

image

image

image
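A hardened form of the delete step described in the issue above, as an added example that is not part of the original issue or MetInfo's own code. The function names, the `language_{site}_{editor}.ini` file-name layout and the base directory are assumptions made for illustration; only the `site` values and the sample `editor` string come from the issue.

```php
<?php
// Added example. Function names, file-name layout and base directory are assumptions.
const ALLOWED_SITES = ['admin', 'web'];   // the two values named in the issue

function build_pack_path(string $baseDir, string $site, string $editor): string
{
    if (!in_array($site, ALLOWED_SITES, true)) {
        throw new InvalidArgumentException('unexpected site value');
    }
    // A language code never needs separators or dots, so reject them up front
    // instead of relying on file_exists() to notice a bogus path segment.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $editor)) {
        throw new InvalidArgumentException('unexpected editor value');
    }
    return $baseDir . DIRECTORY_SEPARATOR . "language_{$site}_{$editor}.ini";
}

function delete_pack(string $baseDir, string $site, string $editor): bool
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    $real = realpath(build_pack_path($base, $site, $editor));
    if ($real === false || !is_file($real)) {
        return false;                      // nothing to delete
    }
    // Defence in depth: the resolved path must still sit under the base
    // directory, whatever the platform did with ".." segments.
    $prefix = rtrim($base, '\\/') . DIRECTORY_SEPARATOR;
    if (strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new RuntimeException('resolved path escapes base directory');
    }
    return unlink($real);
}

// Constructed demo data: a scratch directory with one language pack file.
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pack_demo_' . getmypid();
mkdir($dir);
touch($dir . DIRECTORY_SEPARATOR . 'language_web_cn.ini');
var_dump(delete_pack($dir, 'web', 'cn'));  // well-formed request
try {
    // editor value taken from the issue's request
    delete_pack($dir, 'web', '/../../../../../../Users/test/Desktop/test');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
rmdir($dir);
```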
