metinfo 7.0 beta remote delete ini file #2

Open
@cby234

Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta

(This vulnerability only occurs on Windows OS)

In the doExportPack method of /language/admin/language_general.class.php

In this method we can find that the editor and site parameters make up the filename value, which is used as the delfile method's argument.

Let's take a look at the app/system/include/function/file.func.php source code

When we check the delfile method, we see that the filename argument is passed to the file_exists function, and if the return value is true, the file named by the filename argument will be unlinked.

Before we analyze this point further, let's take a look at the difference in the file_exists function between Linux and Windows.

image

image

In Linux (first picture), if there is no real directory named asdf, the function does not return a true value unless there is a ../ value. But in Windows, the file_exists function returns a true value if there is a fake directory named asdf (second picture).

Because of this, we can delete a remote ini file on a Windows server.

The attack scenario is below:

  1. Give the site parameter the value 'admin' or 'web' and give the editor parameter the value '../../../---/{ini-filename}'

POC :

/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Users/test/Desktop/test&appno=123
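
A containment check of the kind that stops the traversal described in this report, as an added example (not Metinfo's code and not part of the original issue). The helper name safe_delete_in_dir and its parameters are hypothetical, and it assumes the request-supplied value should only ever be a simple file-name token.

```php
<?php
// Added example: hypothetical hardened helper, not Metinfo's own code.
// $baseDir, $name and $suffix are assumed names used for illustration.

function safe_delete_in_dir(string $baseDir, string $name, string $suffix = '.ini'): bool
{
    // 1. Allowlist: letters, digits, underscore and hyphen only. This rejects
    //    '/', '\\', '.', ':' and NUL, so no traversal sequence or drive
    //    prefix can appear in the request-supplied part at all.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name)) {
        return false;
    }

    // 2. Resolve the base directory; realpath() returns false if it is missing.
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false;
    }

    // 3. Resolve the candidate. realpath() collapses ".." and symlinks, so the
    //    comparison below is made on the path the OS will actually act on,
    //    not on the string that was concatenated.
    $target = realpath($base . DIRECTORY_SEPARATOR . $name . $suffix);
    if ($target === false || !is_file($target)) {
        return false;
    }

    // 4. Containment check with a trailing separator, so a sibling such as
    //    "lang-other" is not accepted as a child of "lang".
    $prefix = rtrim($base, '/\\') . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }

    return unlink($target);
}

// Constructed demo in a temporary directory (sample values, not from a real site).
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'lang_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'en.ini', "a=b\n");
var_dump(safe_delete_in_dir($dir, '/../../../../Users/test/Desktop/test')); // value shaped like the report's editor parameter
var_dump(safe_delete_in_dir($dir, 'asdf/../en'));                          // non-existent directory component
var_dump(safe_delete_in_dir($dir, 'en'));                                  // plain token inside the base directory
rmdir($dir);
```

The allowlist in step 1 is what removes the dependence on how file_exists treats non-existent path components on each OS; steps 3 and 4 are a second layer in case the allowlist is later relaxed.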
