metinfo's deep understanding of php variable coverage vulnerability

Posted by lipsius at 2020-03-02

Click blue words to get more dry goods



PHP variable coverage generally refers to a vulnerability that uses custom variables to replace the original variable values of a program. This vulnerability itself will not cause too much vulnerability. However, PHP variable coverage often leads to changes in the execution logic of the program, changes in the original security mechanism of the program, and other security problems. This paper first introduces some common scenarios of variable coverage, and then through a code audit example, introduces how to use it.


Variable coverage principle

The common scenario of code audit is that the following keywords appear in the code:

Ø register_globals=on

Ø extract() function

Ø parse Ø str() function

Import request variables() function

O $$



Register "globals" refers to registering the passed value as a global variable, so when on, the passed value will be directly registered as a global variable, and when off, we need to get it in a specific array.

When off

When it is on (PHP starts from version 4.2 and sets the default value of register ﹣ globals to off; it starts to be discarded from version 5.3 and is removed from version 5.4, so it can run successfully only when PHP < = 5.3)

In this way, you can register a previously undeclared variable with the program, but if the previous variable already exists, it cannot be overwritten, as shown below



The extract() function imports variables from an array into the current symbol table. This function uses array key name as variable name and array key value as variable value. For each element in the array, a corresponding variable is created in the current symbol table. The extract function takes three parameters and returns the number of variables successfully imported into the symbol table.

Sample code and running results

It can be seen that the values of variables a, B and C have been overwritten, even if they have been declared before. This is related to the second parameter. If you select extr? Skip, it will not be overwritten



The parse_str() function parses the query string into a variable. This function takes two parameters

Sample code and running results

If the array parameter is not set, the variable set by the function will overwrite the existing variable with the same name.



Import ﹣ request ﹣ variables imports get / post / cookie variables into the global scope. Even if register ﹣ globals is turned off, it still takes effect. It takes two parameters,

$types refers to variable type and get / post / cookie. Generally, the first character (GPC) is used to indicate case insensitive. When $type = GP, the post variable will overwrite the get variable with the same name. $prefix indicates variable prefix, sample code and running result



Use foreach to traverse the values in the array, and then take the acquired array key name as the variable, and the key value in the array as the value of the variable. This will cause declared or undeclared values to be overwritten, sample code, and run results.


Code audit instance


Essential information

Name: Metinfo CMS 5.3

Introduction: Metinfo is a visual operation, SEO is very friendly, full-featured, PHP + MySQL architecture, multi language, responsive display, suitable for enterprise and company website construction CMS station building system. In version 5. X of this CMS, there are fundamental defects in the system architecture, resulting in frequent vulnerabilities. One of them is the structure of using foreach assignment in the fifth part of the previous section, which leads to the risk of variable coverage in a large number of codes. The newly released version 6.0 has been refactored to fix most of the known security vulnerabilities.


Variable coverage

/Include / is the core public file. There is a section of code on lines 25 to 40 to assign variables to the incoming cookie, get and post parameters

This is actually a writing method that can easily cause variable coverage. Any variable declared or undeclared before this code will be covered if it is not reassigned after this code. The experiment is as follows

Variable coverage at this point can cause many other security problems.


Password Reset

Metinfo has the function of administrator password reset, which can get the password reset link due to variable override.

The file related to password retrieval is admin / admin / getpassword.php

The first ten lines are to query the configuration information from the database and assign it to variables. At the same time, you can see that the file is introduced. The switch statement on line 47 is the logic control statement for password retrieval

The first step is to select (NEXT1) to select the method of password retrieval. The default is to retrieve the email. The second step (next2) is to execute from line 92. The first large section is the statement of splicing the packets. The email is sent from line 143

If jmailsend function fails to send, enter the following if statement to send using curl ﹣ post function, and enter curl ﹣ post function in the file / include / export.func.php

Where $post is the email content that failed to be sent successfully, and then the email content will be sent to the address specified by $met host When the value of the program is specified as, it should be a mail forwarding server officially set by Metinfo. When the mail server set by the webmaster itself does not work, first send the mail content to this server through HTTP request, and then send the password reset mail from this server. However, the value of $met_host can be set arbitrarily due to variable override, and the content of password reset email can be sent to the server we specified. If jmailsend fails to send, let's take a look at the jmailsend function in the file / include / jmail.php.

Our purpose is to make this function return false. Here, we also use the method of variable coverage to make use of it. In line 19, you can see that the mail is sent according to the port specified by $met FD port. If this variable is overridden, the mail will fail to be sent. First, set the listening port on the server. The default port is 80

Then the structure is as follows: payload

Click send to receive the email content on your own server, including the password reset link

Open the link as follows


Getshell- CVE-2017-11347

The vulnerability file is located in admin / APP / physical / physical.php

The code determines the subsequent execution logic based on the value of $action,

When $action is equal to OP and the value of $op of the subsequent switch statement is 3, enter the following statement

Then the switch statement is controlled according to $Val to determine the value of $address.

Then follow up the copyfile function at / admin / include / global.func.php

It writes $oldcon to the new file $newfile, which contains

You can see that it uses require once '$address'; which contains the value of $address. Then we go back to the $newfile and $address values, where $newfile gets the value from the $Val array at 256 lines and $address gets the value from the case statement at 236 to 252 lines. The $Val array is generated in 186 lines, and is cut into an array by the $valphy variable. The $valphy can be overridden by the variable, which results in the whole statement can be controlled later. First, $action = OP and $OP = 3, and then according to the 186 line statement $valphy, we need to construct the following form $valphy = test|123 / shell.php, so $Val becomes an array of length 2, and $address can not get the value in the 236-252 line case statement, which can also be overwritten. So we can first upload a shell with a normal file suffix, then assign its address to $address, and the generated new file shell.php will call it.

Then the structure is as follows: payload|123/shell.php&address=../upload/201803/1521469553138949.jpg

Then it will generate shell.php in directory 123



This paper aims to popularize network security knowledge, improve the security awareness of small partners, and introduce the characteristics of common vulnerabilities, mining techniques, etc. It is hereby declared that the reader shall be responsible for the consequences of his / her acts endangering the network security, which have nothing to do with hetianzhihui and himself / herself.





The results of the first quarter of 2018 will be published in April!

At that time, three awards will be selected, with a total of 15 original authors!

Active participation Award

Best literary talent award

Best author Award

Rich gifts are waiting for you, come to actively participate in the contribution!

Great reward | Hetian's original contribution waiting for you! (click for details)

He tianzhihui


Tel: 4006-123-731

Long press the picture, it is said that only those with high appearance value can recognize it