Author: 0x584a (member of the author team of Xin'an Road)
Recently I have wanted to contribute plug-ins to X days, and I keep an eye on seebug's latest vulnerability list. MetInfo has taken up a large share of the recent entries, so I chose it for a code audit.
The seebug entries are for MetInfo 6.0.0. Have those issues been fixed in the official 6.1.0 update?
Entry file
This framework has many entry files, all named index.php; take online/index.php as an example:
It defines four constants that tell the framework the entry source, the module, and the class and method to call, then includes entrance.php, which finally invokes the static method load::module() to load the requested module.
Looking through the index.php entry files, the one that reaches most of the front-end methods is /member/index.php.
From the code, most of the methods can be reached by controlling $_GET. Why only most? Because the loading of system classes (_load_class) cannot be controlled directly.
The $action in it must start with do, that is, the name of the method being called has to begin with do.
Information disclosure in the older version
Before installing, I first compared the file changes between the two versions and found that the older version shipped a phpinfo.php file in the install folder, containing nothing but <?php phpinfo(); ?>; it was deleted in 6.1.0.
This conveniently gives us the absolute path of the target site, so that later, whether we are dealing with a shell or a file read, the location can be found and used quickly.
Examples found online:
Getshell by writing the config file during installation
Prerequisite:
To exploit this, the config/install.lock installation lock file must first be deleted.
During installation, when the db_setup step (3. Database setting) runs, I found that the configuration file gets modified.
I had recently been reading "PHP configuration file writing problem" (https://github.com/CHYbeta/Code-Audit-Challenges/blob/master/php/challenge-3.md) and had been looking for a chance to write an article about it; this CMS gave me that chance.
The key function is fputs(), an alias of fwrite(), which writes the file. The logic here is also flawed: the file write should come after the database connection check, not before it.
When we submit payload:
Although the page reports that the database connection failed, the contents of config/config_db.php have already been changed.
The parameters are affected by line 64 of the code, where addslashes() is applied to '_COOKIE', '_POST' and '_GET', so single and double quotes get a backslash in front of them.
Let's visit:
In fact, the point is to close the outermost /* with a */: a multi-line comment takes priority over everything else.
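The defender's view of the same bug, as an added example that is not MetInfo's code: addslashes() only escapes quotes, so the write has to be guarded by a whitelist, serialised with var_export(), and ordered after the connection check. The config layout ($_M['config']['db']) and the field names are assumptions.

```php
<?php
// Added example (not MetInfo's code): write a DB config file safely.
// Assumed layout: a /* ... */ header followed by a $_M array literal.

function validate_db_settings(array $in): array {
    // Whitelist each field. addslashes() alone would let "*/" through,
    // which closes the comment in the generated file.
    $rules = [
        'host' => '/^[A-Za-z0-9._\-:]{1,255}\z/',
        'user' => '/^[A-Za-z0-9_\-]{1,64}\z/',
        'name' => '/^[A-Za-z0-9_\-]{1,64}\z/',
        'pass' => '/^[^\x00-\x1f]{0,128}\z/',   // printable only
    ];
    $out = [];
    foreach ($rules as $key => $re) {
        $val = (string) ($in[$key] ?? '');
        if (!preg_match($re, $val)) {
            throw new InvalidArgumentException("invalid db setting: $key");
        }
        $out[$key] = $val;
    }
    return $out;
}

function render_db_config(array $cfg): string {
    // var_export() emits a PHP literal, so quotes, backslashes and
    // comment delimiters inside values are never parsed as code.
    return "<?php\n/* database settings, generated by the installer */\n"
         . "\$_M['config']['db'] = " . var_export($cfg, true) . ";\n";
}

function write_db_config(string $path, array $post): void {
    $cfg = validate_db_settings($post);
    // Connect first; only settings that actually work get persisted.
    $link = @mysqli_connect($cfg['host'], $cfg['user'], $cfg['pass'], $cfg['name']);
    if ($link === false) {
        throw new RuntimeException('database connection failed: ' . mysqli_connect_error());
    }
    mysqli_close($link);
    file_put_contents($path, render_db_config($cfg), LOCK_EX);
}

// Constructed input: a host value carrying a comment closer is refused
// before anything is written.
try {
    validate_db_settings(['host' => 'db.example */ x', 'user' => 'u', 'pass' => 'p', 'name' => 'db']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```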
XXE vulnerability
The vulnerability is in app/system/pay/web/pay.class.php, where external entity loading is not disabled:
Testing an external reference:
Using the XXEinjector tool to verify the vulnerability and read a local file:
The string IyMKIyBOZXR3b3JrcyBEYXRhYmFzZQojIwpsb29wYmFjawkxMjcJCWxvb3BiYWNrLW5ldAo= decodes to exactly the contents of /etc/networks.
Checking against version 6.1.0, this has not been fixed; the XXE still exists.
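How the XML in pay.class.php should be parsed, as an added example that is not MetInfo's code: refuse any DTD up front and never pass LIBXML_NOENT. The element names and the sample notification bodies are constructed.

```php
<?php
// Added example (not MetInfo's code): parse a payment notification
// without resolving entities. Assumes the body arrives as a string.

function parse_notify_xml(string $xml): ?SimpleXMLElement {
    // A DOCTYPE is the only place an external entity can be declared,
    // so reject it before libxml ever sees the document.
    if (preg_match('/<!(?:DOCTYPE|ENTITY)/i', $xml)) {
        return null;
    }
    // PHP < 8.0: also switch off the external entity loader globally
    // (the function is deprecated and a no-op from 8.0 on).
    if (PHP_VERSION_ID < 80000) {
        libxml_disable_entity_loader(true);
    }
    libxml_use_internal_errors(true);
    // Do NOT add LIBXML_NOENT: that flag turns on entity substitution,
    // which is the switch that makes XXE possible. LIBXML_NONET blocks
    // network fetches during parsing as a second layer.
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    return $doc === false ? null : $doc;
}

// Constructed samples: a normal notification and one carrying an
// external entity that points at a local file.
$benign  = '<xml><out_trade_no>20190101001</out_trade_no></xml>';
$hostile = '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY f SYSTEM "file:///etc/networks">]>'
         . '<xml><out_trade_no>&f;</out_trade_no></xml>';

$doc = parse_notify_xml($benign);   // parsed normally, out_trade_no readable
$bad = parse_notify_xml($hostile);  // refused by the DOCTYPE check, nothing is read
```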
There is also a marginal (鸡肋, hardly worth the effort) SQL injection here
When XML content is passed in:
it enters the GetOeder() method:
Inside the method, the $out_trade_no variable is concatenated directly into the SQL statement:
However, exploitation requires that the $_M['table']['pay_order'] table exists; otherwise the attack cannot be triggered:
Then, warm greetings: you are busy, I eat lemon, you happy! ~
Arbitrary file read
A global regex search for \$_GET|\$_POST turned up a suspicious spot that receives $_GET['dir'].
As the code in the figure shows, after receiving the external parameter it reads the file into a buffer and calls flush() to push the output buffer to the browser.
But the path cannot be used directly: it has to get into the if branch, which requires the first four characters of the $dir string to be http.
I'd bet a dollar that the programmer who wrote this wanted to support external image links.
Of course, when we pass in ./.../ and it goes through str_replace, what comes out is .., and a lone / is not filtered. Repeating this lets us build a path that breaks out of the restriction.
The final payload:
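For the fix side of the str_replace and http-prefix checks above, an added example that is not MetInfo's code: a single-pass replacement cannot confine a path, so either require a real http(s) URL or resolve the path and check containment. The upload directory name and the helper names are assumptions.

```php
<?php
// Added example (not MetInfo's code): why stripping "./" once fails,
// and two checks that actually hold. Assumes local images live under
// one base directory and remote ones must be http(s) URLs.

function weak_clean(string $dir): string {
    // Single-pass replacement as in the audited code: "./.../" becomes ".."
    return str_replace('./', '', $dir);
}

function is_http_url(string $dir): bool {
    // A real URL parse instead of "first four characters are http".
    $p = parse_url($dir);
    return $p !== false
        && isset($p['scheme'], $p['host'])
        && in_array(strtolower($p['scheme']), ['http', 'https'], true);
}

function resolve_local(string $base, string $dir): ?string {
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject traversal outright instead of trying to strip it.
    foreach (explode('/', str_replace('\\', '/', $dir)) as $seg) {
        if ($seg === '..') {
            return null;
        }
    }
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($dir, '/'));
    if ($target === false) {
        return null;
    }
    // Containment check on the fully resolved path.
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// Constructed inputs.
$leftover = weak_clean('./.../');                     // ".." survives the filter
$remote   = is_http_url('http://img.example/a.png');  // accepted
$prefixed = is_http_url('http/./.../x');              // starts with "http" but is not a URL
$escaped  = resolve_local(sys_get_temp_dir(), '../etc'); // refused: ".." segment
```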