Description
Vulnerability Name: Metinfo CMS ini file modify vulnerability
Product Homepage: https://www.metinfo.cn/
Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta
Version: V7.0.0 beta
(This vulnerability only occurs on Windows.)
In /language/admin/language_general.class.php, the doExportPack method builds the filename value from the editor and site parameters and passes it as the argument to the delfile method.
Let's take a look at the app/system/include/function/file.func.php source code.
In the delfile method, the filename argument is passed to file_exists, and if that returns true, the file named by the filename argument is unlinked.
Before analyzing this point further, let's look at how file_exists behaves differently on Linux and on Windows.
On Linux (first picture), if the path passes through a directory named asdf that does not really exist, file_exists does not return true, even when a ../ segment follows it. On Windows (second picture), file_exists returns true even when the asdf directory is fake, because the path is normalized before the lookup.
Because of this, we can delete an arbitrary ini file on a Windows server.
The attack scenario is as follows:
- Set the site parameter to 'admin' or 'web', and set the editor parameter to
'../../../---/{ini-filename}'
POC:
/admin/?n=language&c=language_general&a=doExportPack&site=web&editor=/../../../../../../Users/test/Desktop/test&appno=123
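As an added example, not part of this report and not Metinfo's own code, the following delete helper shows the containment check that closes the gap described above: it rejects traversal segments lexically (so the Windows normalization of a fake `asdf/../` never comes into play) and then confirms the resolved target still lies under the allowed directory before calling unlink(). The function name, parameter names and paths in the usage sketch are assumptions.

```php
<?php
// Added example, not Metinfo's own code. A containment check that a
// delfile-style helper can apply before unlink(), so that a caller-controlled
// filename cannot escape the intended directory. $baseDir and $relative are
// assumed names.
function safe_delete(string $baseDir, string $relative): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        return false; // the base directory itself must exist
    }

    // Reject absolute paths (POSIX or drive-letter) and any "." / ".." segment
    // before touching the filesystem. This matters on Windows, where
    // file_exists('asdf/../x') is true even though 'asdf' does not exist,
    // because the path is normalized lexically before the lookup.
    if (preg_match('~^([A-Za-z]:|[\\\\/])~', $relative)) {
        return false;
    }
    foreach (preg_split('~[\\\\/]+~', $relative) as $segment) {
        if ($segment === '' || $segment === '.' || $segment === '..') {
            return false;
        }
    }

    // Resolve the candidate and confirm it still lies under $base. The trailing
    // separator prevents "/srv/app" from matching "/srv/app2/...".
    $target = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($target === false) {
        return false; // nothing to delete
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false; // resolved outside the allowed directory (e.g. via a symlink)
    }
    return unlink($target);
}

// Usage sketch with assumed paths:
// safe_delete('/var/www/metinfo/upload/language', 'web/ko.ini');       // allowed
// safe_delete('/var/www/metinfo/upload/language', '../../config.ini'); // rejected
// safe_delete('/var/www/metinfo/upload/language', 'asdf/../x.ini');    // rejected
```

Both checks are needed: the lexical check alone would still let a symlink inside the base directory point elsewhere, and the realpath check alone is exactly what the Windows behaviour undermines, since a path through a non-existent directory is collapsed before anything is looked up.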