MetInfo: fast getshell via SQL injection

Posted by tetley at 2020-04-03

MetInfo is a fairly popular enterprise website-building CMS with many users. Last year several vulnerabilities were published in it, including XXE, SQL injection and arbitrary file read (see the linked advisories for details). The two SQL injection points are in message.class.php and feedback.class.php, and both are reachable from the front end without logging in. The second one has a harsh precondition, though: every injected request needs a fresh captcha, which makes it of little practical use. Recently I looked at MetInfo again and found a simple way to turn the SQL injection into a written shell, without having to dump the whole database.

First, look at app/system/include/class/web.class.php. In the destructor of the web class, the output buffer is read first (ob_start() is called when the base configuration file is loaded), and after a series of replacement operations (which have almost no effect on us) the result is assigned to the $output variable. In other words, the buffer simply contains everything the page echoed after the buffer was opened.

Then tag processing is performed by calling the replace_attr method, which also has no significant impact here.

Finally, the key point: if the submitted parameter metinfo is equal to $_M['config']['met_member_force'], file_put_contents writes the buffered content read above to the file named by $_M['form']['html_filename']. Here $_M['form'] is the merged collection of the $_GET, $_POST and $_COOKIE parameters (the code is not pasted here). That is to say, the file name is fully controllable, whether it ends in .php, .phtml or .php5.

The precondition is that you must know $_M['config']['met_member_force']. Analysis shows that this value is stored in the row with id = 45 of the met_config table. In install/index.php, met_member_force is generated as a random 7-character string drawn from A-Z. Unfortunately there is no weak pseudo-random-number issue to exploit here.

Therefore, the SQL injection can be used to read just the value of the row with id = 45 in met_config and obtain met_member_force. Because only a single value needs to be extracted, this is much faster than dumping the database.
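To make the sink concrete, here is an added example (my own reconstruction, not MetInfo's code) that models the destructor-based write described above and sets a hardened version beside it. The keys metinfo and html_filename, the 7-letter secret and the output-buffer/destructor pattern come from the text; the class names, the sample response body, the secret value ABCDEFG and the cache-directory rule are assumptions. It needs PHP 7.4+ (typed properties) and writes only into a scratch directory under the system temp dir.

```php
<?php
// Added example (not MetInfo's code): a minimal model of the destructor-based
// write described above. Class names, the secret value and the sample body
// are assumed; the 'metinfo' / 'html_filename' keys come from the text.

// Vulnerable pattern: whatever the page echoed is written to a user-named file.
class VulnWeb
{
    private array $form;    // stands in for $_M['form'] (GET + POST + COOKIE)
    private string $force;  // stands in for $_M['config']['met_member_force']

    public function __construct(array $form, string $force)
    {
        $this->form  = $form;
        $this->force = $force;
        ob_start();   // from here on, all output is buffered
    }

    public function __destruct()
    {
        $output = ob_get_clean();   // read (and close) the buffered response body
        if (isset($this->form['metinfo'], $this->form['html_filename'])
            && $this->form['metinfo'] == $this->force) {
            // Sink: the client picks the file name (e.g. 1.php) and, through
            // the page output, the file content.
            file_put_contents($this->form['html_filename'], $output);
        }
        echo $output;
    }
}

// Hardened pattern: fixed directory, fixed extension, constant-time compare.
class SafeWeb
{
    private array $form;
    private string $force;
    private string $cacheDir;

    public function __construct(array $form, string $force, string $cacheDir)
    {
        $this->form     = $form;
        $this->force    = $force;
        $this->cacheDir = $cacheDir;
        ob_start();
    }

    public function __destruct()
    {
        $output = ob_get_clean();
        if (isset($this->form['metinfo'], $this->form['html_filename'])
            && hash_equals($this->force, (string) $this->form['metinfo'])) {
            // basename() drops any directory part; the regex pins the name to
            // a short [A-Za-z0-9_-] token with a single .html suffix.
            $name = basename((string) $this->form['html_filename']);
            if (preg_match('/^[A-Za-z0-9_-]{1,64}\.html$/', $name)) {
                file_put_contents($this->cacheDir . '/' . $name, $output);
            }
        }
        echo $output;
    }
}

// Demo in a scratch directory; the request parameters are constructed here.
$dir = sys_get_temp_dir() . '/web_class_demo';
if (!is_dir($dir)) {
    mkdir($dir, 0700, true);
}
chdir($dir);
$secret = 'ABCDEFG';   // assumed 7-letter met_member_force, normally unknown
$form   = ['metinfo' => $secret, 'html_filename' => '1.php'];
$body   = '{"error":1,"errorcode":"<?php echo 1; ?>"}';   // constructed sample output

$w = new VulnWeb($form, $secret);
echo $body;
unset($w);                // destructor runs here and writes 1.php
echo "\nvulnerable: 1.php written = " . var_export(file_exists("$dir/1.php"), true) . "\n";

@unlink("$dir/1.php");
$w = new SafeWeb($form, $secret, $dir);
echo $body;
unset($w);                // name fails the .html rule, nothing is written
echo "\nhardened:   1.php written = " . var_export(file_exists("$dir/1.php"), true) . "\n";
```

Run it with php and the first line reports true, the second false. Note that the hardened version still writes client-influenced page output into the cache directory, which is what the static-page feature is for; the fix only removes the attacker's choice of path and extension and the non-constant-time comparison, it does not make the written content trustworthy.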

Now that the file name is controllable, let's see whether the file content is controllable too, by looking at the subclasses of the web class. I found the doupfile method in app/system/include/module/uploadify.class.php.

Look at the last line of code: echo json_encode($back). Here the $back variable enters the output buffer in JSON form. Going up to see whether $back can be controlled, we find the line $back = $this->upload($_M['form']['formname']);, which calls the upload method with the form-field name of the uploaded file. Follow up into the upload method.

In the upload method, the attributes of the uploaded file are assigned to the $filear array. Then look further down.

As you can see, when the file suffix is checked, the getext method is called. It splits the file name on "." and takes the last element of the resulting array. If the uploaded file name contains no ".", the array has only one element. In other words, for a file name without a ".", the "extension" returned by getext is the whole uploaded file name.

Next, the suffix check: if the file's extension is not in the whitelist (which is hard-coded), the extension is concatenated with {$_M['word']['upfiletip3']} and passed to the error method.

Following the error method, it assigns the passed-in parameter to $back['errorcode'], which means the content of echo json_encode($back) is controllable.

That is almost everything: both the file name and the file content are controllable. Next, construct the payload.

[Screenshot: viewing the web root]

[Screenshot: viewing the contents of the 1.php file and visiting it]

[Screenshot: code written successfully]

Baimaohui works in information security, focusing on security big data and enterprise threat intelligence.

Company products: FOFA (cyberspace security search engine), FOEYE (cyberspace retrieval system), NOSEC (security information platform).

Services offered: cyberspace mapping, enterprise asset collection, enterprise threat intelligence, and emergency response.