MetInfo Code Audit

Source: Internet
Author: User

0x01 Preface

MetInfo enterprise website management system: built on a PHP + MySQL architecture with a built-in SEO (search engine optimization) mechanism. It supports user-defined interface languages (many languages from around the world) and ships with the modules an enterprise website commonly needs (company profile, news, products, downloads, images, recruitment, online messages, feedback, online chat, links, site map, members, and permission management). Its flexible backend management, static page generation, personalized module additions, per-column custom FLASH styles and other features let an enterprise build an attractive, marketing-oriented, high-quality website.

After this program had a remote code execution vulnerability, nobody bothered to dig into it further, yet the program is still used by many people. What follows is the result of my examination.

It took me a few days to audit this CMS. Here are the findings, one by one.


0x02 Injection 1

This code audit was performed on the latest version from the official website.

Line 13 of message/access.php:

As you can see, $id is not filtered. Where does $id come from? See include/common.inc.php.

The daddslashes() function is defined in global.func.php.

All it actually does is escape the passed value with addslashes().

So we can ignore it here: escaping quote characters does nothing when the value is used as a bare number.

The injection result is shown below.

The vulnerability affects all versions above 2.0. An anti-injection function was added in 3.0, but it can be bypassed.
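To make the point about daddslashes() concrete, the following is an added example written for this write-up, not MetInfo's own code. It mimics the addslashes()-over-a-value behaviour the audit describes, shows why that leaves an unquoted numeric $id exposed, and puts the two standard fixes (an integer cast, and a parameterized query) next to it. The table name met_message, the helper name daddslashes_like() and the sample request values are assumptions constructed for illustration.

```php
<?php
// Added example, not MetInfo's code. Mimics the daddslashes() behaviour the
// audit describes (addslashes over a value or array) and shows why it does
// not protect an unquoted numeric parameter. Table/column names are assumed.

function daddslashes_like($value)
{
    if (is_array($value)) {
        return array_map('daddslashes_like', $value);
    }
    return addslashes((string) $value);
}

// Vulnerable pattern: escaped value dropped into an unquoted numeric position.
// addslashes() only touches ' " \ and NUL, none of which a numeric-context
// payload needs.
function build_vulnerable_query($id)
{
    $id = daddslashes_like($id);
    return "SELECT * FROM met_message WHERE id=$id";
}

// Hardened pattern 1: force the parameter to an integer before interpolation.
function build_hardened_query($id)
{
    $id = (int) $id;               // PHP keeps only the leading numeric prefix
    return "SELECT * FROM met_message WHERE id=$id";
}

// Hardened pattern 2: a parameterized query; the driver never sees SQL and
// data mixed. Requires a live PDO connection, so it is not called below.
function fetch_message(PDO $pdo, $id)
{
    $stmt = $pdo->prepare('SELECT * FROM met_message WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Cheap detection aid: a parameter that should be numeric but is not purely
// digits is a request worth logging before it ever reaches the query.
function looks_like_numeric_injection($value): bool
{
    return !ctype_digit((string) $value);
}

// Constructed request values (not taken from any real site).
foreach (['42', '1 OR 1=1', "1'"] as $input) {
    printf("input %-12s suspicious=%s\n  vulnerable: %s\n  hardened:   %s\n",
        var_export($input, true),
        looks_like_numeric_injection($input) ? 'yes' : 'no',
        build_vulnerable_query($input),
        build_hardened_query($input));
}
```

Running it shows the second input passing through the escaping helper unchanged, because it contains no quote character, while the cast reduces it to the single integer 1. The detection helper is the kind of check an application firewall or request logger can apply generically: for a parameter the code treats as an id, anything that is not a plain digit string is anomalous.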


0x03 Injection 2

Line 8 of about/show.php:

The same thing is obvious here, but this one is a blind injection. Why? If $show does not exist, or isshow is not set in the $show array, the error page is returned, so only a blind injection is possible.

Injection result:

We can still pull out the information we want this way, but judging it by hand would be very tiring.


0x04 Injection 3

Line 16 of member/feedback.php:

$met_fd_class in $serch_sql is controllable.

Let's trace the variable $serch_sql.

At line 26 we find that it is executed, so the same problem exists here as well.

However, the precondition is that you must be logged in, because the script verifies permissions.

The permission check is included at the top of feedback.php.

Therefore, to inject here you must register a user, log in, and then inject to get results.

Here is the injection statement. First we have to close the preceding parenthesis ) and then comment out the rest of the statement.

Exp:

http://www.bkjia.com/member/feedback.php?&met_fd_classname=1&met_fd_class=99999) union select 1,2,4,5,user(),7,8,9,10 --


0x05 Injection 4

This one is an injection of little practical value.

Be that as it may, let's continue.

An insert injection exists at line 73 of job/save.php.

$jobid is controllable here. I won't go into whether it is controllable or not; test it yourself.

Why is it of little value? This is an insert statement. If we append to the jobid parameter and comment out the rest, for example inserting something like $id = (select password from admin where id = 1) #, can that succeed? In fact it can, and the administrator's md5 is successfully inserted, but you still have to read it back out. Looking further, the only field of the met_cv table that is ever displayed is time, and the time field cannot be injected into, so there is no way to read the inserted value out directly. That is why it is of little value.


0x06 Injection 5

An update injection exists at line 53 of member/cv_editor.php.

It is the same problem, so I won't repeat it.

Also of little practical value.


0x07 Injection 6

Line 109 of member/fdeditor.php:

Permissions are verified, so you must register a user before injecting, and tools cannot be used.

Injection result:

I won't write up the details and how to test each one; it is too tiring. During the whole code audit you have to test the passed parameters step by step, and it is not that easy to determine where the problem is. So please respect the fruits of other people's work.

 

0x08 File Inclusion

Line 8 of member/index.php:

$metid here is passed in externally and is controllable.

If the metid variable does not exist, 'index' is assigned to it.

If $metid exists and is not equal to 'index', the file $metid.'.php' is included, so we can construct a file to include.

The inclusion method is as follows. The first way is null-byte truncation, which only works when gpc is off.

The second way is long-path truncation of the file name.

That case is not affected by gpc.
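For contrast with the include at line 8, the following is an added example (not MetInfo's code) of how a dispatcher can take a page name from the request without either truncation trick being reachable: the name is matched against a fixed allowlist, and the resolved path is checked to still lie under the intended directory. The page names, file names and the pages directory are assumptions made up for the example.

```php
<?php
// Added example, not MetInfo's code. Replaces "include $metid . '.php'" with
// an allowlist lookup so that neither null-byte nor long-path truncation can
// steer the include. Page names and file paths are assumptions.

const MEMBER_PAGES = [
    'index'    => 'index_page.php',
    'profile'  => 'profile_page.php',
    'password' => 'password_page.php',
];

/** Pure check: is this a page name we are willing to include at all? */
function page_name_allowed(string $metid): bool
{
    // Identifier only: no slashes, dots, NUL bytes, or overlong strings.
    if (!preg_match('/\A[a-z_]{1,32}\z/', $metid)) {
        return false;
    }
    return array_key_exists($metid, MEMBER_PAGES);
}

/** Resolve to an absolute path under $baseDir, or null if not permitted. */
function resolve_member_page(string $metid, string $baseDir): ?string
{
    if (!page_name_allowed($metid)) {
        return null;
    }
    $base = realpath($baseDir);
    $path = realpath($baseDir . DIRECTORY_SEPARATOR . MEMBER_PAGES[$metid]);
    // Defence in depth: the resolved file must still live under $baseDir.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

// Dispatcher as it would sit at the top of member/index.php (assumed layout):
//   $page = resolve_member_page($_GET['metid'] ?? 'index', __DIR__ . '/pages');
//   if ($page === null) { http_response_code(404); exit; }
//   require $page;

// Constructed inputs modelled on the two truncation tricks in the audit.
$samples = [
    'index',
    'profile',
    "../../other_file\0",              // null-byte truncation attempt
    str_repeat('a', 5000) . '.txt',   // long-path truncation attempt
    'Index',                          // case variation
];
foreach ($samples as $metid) {
    printf("%-24s %s\n",
        var_export(substr($metid, 0, 20), true),
        page_name_allowed($metid) ? 'allowed' : 'rejected');
}
```

The important design choice is that the request value is never used to build a path at all; it selects an entry from a table the developer wrote. The realpath() comparison is a second layer for the case where the table itself is later edited carelessly.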


0x09 Password Reset Vulnerability

In member/getpassword.php:

The password reset code is shown here.

First, the user name + password md5 is assigned to the variable x.

Then user.x is base64-encoded and assigned to a string, and that string is used to build the password retrieval URL. Do you see the problem?

Suppose we have obtained the md5 through injection but cannot crack it. What then? Hold on:

what if we reset the administrator password through this URL? Is it feasible? Since all it requires is the user name and the password md5, we can reset the password.

Think about it, programmer who developed this reset function: you should have considered this issue more carefully.
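The weakness described above is that the reset link is fully determined by values already sitting in the database, so anyone who can read the user table can mint a valid link. The following is an added example (not MetInfo's code) of a reset-token design that avoids this: the token is random, only its hash is stored, it expires, and it is consumed on first use. The in-memory $store array stands in for a database table, and all names and the constructed test data are assumptions.

```php
<?php
// Added example, not MetInfo's code. A password-reset token that does not
// derive from data already held in the database. Storage is an in-memory
// array standing in for a DB table; names and values are assumptions.

const RESET_TTL_SECONDS = 1800;

/** Issue a token: random, stored only as a hash, with an expiry time. */
function issue_reset_token(array &$store, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits of entropy, sent to the user only
    $store[$username] = [
        'token_hash' => hash('sha256', $token),   // a DB read does not reveal the token
        'expires'    => $now + RESET_TTL_SECONDS,
    ];
    return $token;
}

/** Verify a presented token; single-use and time-limited. */
function verify_reset_token(array &$store, string $username, string $token, int $now): bool
{
    if (!isset($store[$username])) {
        return false;
    }
    $record = $store[$username];
    // hash_equals() is constant-time, so comparing does not leak timing.
    $ok = $now <= $record['expires']
        && hash_equals($record['token_hash'], hash('sha256', $token));
    unset($store[$username]);                      // consume regardless of outcome
    return $ok;
}

// Demonstration with constructed data.
$store = [];
$now   = time();

$token = issue_reset_token($store, 'admin', $now);
var_dump(verify_reset_token($store, 'admin', $token, $now));   // the link the user received
var_dump(verify_reset_token($store, 'admin', $token, $now));   // same link presented again

$token2 = issue_reset_token($store, 'admin', $now);
var_dump(verify_reset_token($store, 'admin', $token2, $now + RESET_TTL_SECONDS + 1)); // after expiry

$token3 = issue_reset_token($store, 'admin', $now);
var_dump(verify_reset_token($store, 'admin', 'not-the-token', $now));  // guessed value
```

Contrast this with the audited scheme: there, knowing the user name and the stored md5 is enough to compute the link, which is exactly the data an injection yields. Here the database holds nothing from which the link can be reconstructed, and a leaked or replayed link is bounded by the expiry and the single-use consumption.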

Next I will give the exp.

Run:

0x10 Getshell in the Backend

There are actually three ways to get a shell from the backend.

Method 1:

Add php directly to the allowed upload types here.

Then go to file management and upload the php shell there.

Method 2:

Add asa to the allowed types here and upload an .asa file from the front end. This one works under IIS.

Cause of the vulnerability:

In job/uploadfile_save.php

Only some common suffixes are handled here.

Therefore the front end can upload an .asa directly through the job application link.

Method 3:

Add a new template in the backend.

Pack our PHP webshell into a zip and upload it.

Finally, our Trojan is unpacked into the templates folder.

Access:
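Methods 2 and 3 above both come down to the same missing control: the upload code denies a few "common" suffixes instead of allowing a known-good set, and the template zip is unpacked without looking inside. The following is an added example (not MetInfo's code) of the allowlist form of both checks. The extension lists, the ZipArchive usage and the constructed archive are assumptions for illustration.

```php
<?php
// Added example, not MetInfo's code. An allowlist check for uploaded file
// names and a pre-extraction scan of template zips, the opposite of the
// denylist pattern the audit describes. Extension lists are assumptions.

const ALLOWED_UPLOAD_EXT   = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'doc', 'docx'];
const ALLOWED_TEMPLATE_EXT = ['html', 'htm', 'css', 'js', 'png', 'jpg', 'gif'];

/** True only when every extension of the name (a.php.jpg has two) is allowlisted. */
function upload_name_allowed(string $filename, array $allowed): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false;                      // no extension, or a dotfile such as .htaccess
    }
    array_shift($parts);                   // drop the stem
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;                  // rejects .asa, .php, .phtml and double extensions
        }
    }
    return true;
}

/** Return the zip entries that must not be extracted into the templates folder. */
function template_zip_violations(string $zipPath): array
{
    $zip = new ZipArchive();
    if ($zip->open($zipPath) !== true) {
        return ['<cannot open archive>'];
    }
    $bad = [];
    for ($i = 0; $i < $zip->numFiles; $i++) {
        $name = $zip->getNameIndex($i);
        if ($name === '' || substr($name, -1) === '/') {
            continue;                      // directory entry
        }
        // Path traversal ("zip slip") or absolute paths.
        if (strpos($name, '..') !== false || $name[0] === '/') {
            $bad[] = $name;
            continue;
        }
        if (!upload_name_allowed($name, ALLOWED_TEMPLATE_EXT)) {
            $bad[] = $name;                // e.g. a .php file hidden in a template pack
        }
    }
    $zip->close();
    return $bad;
}

// Constructed demonstration: build a zip in a temp file with a mix of entries.
$tmp = tempnam(sys_get_temp_dir(), 'tpl');
$zip = new ZipArchive();
$zip->open($tmp, ZipArchive::OVERWRITE);
$zip->addFromString('index.html', '<html></html>');
$zip->addFromString('css/style.css', 'body{}');
$zip->addFromString('shell.php', '<?php /* constructed placeholder, not a payload */');
$zip->addFromString('../outside.html', '');
$zip->close();

print_r(template_zip_violations($tmp));
unlink($tmp);

// Constructed file names for the plain upload path.
foreach (['logo.png', 'cv.asa', 'cv.php.jpg', 'report.pdf'] as $name) {
    printf("%-12s %s\n", $name, upload_name_allowed($name, ALLOWED_UPLOAD_EXT) ? 'accept' : 'reject');
}
```

Two points are worth noting for whoever maintains code like this. Checking every extension, not just the last, matters because some server configurations (Apache with multiple handlers, or IIS as the audit mentions for .asa) decide how to execute a file from more than its final suffix. And scanning an archive before extraction is the only place where a .php dropped into a template pack can be refused; once the files are on disk under the web root, the deployment is already done.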


0x11 Summary

I spent a few days researching the entire CMS. I only dug into the front end; there was little of value in the backend. I gained a lot overall, and I am releasing it first on 0day. If you want to study together, join the group!

62512676

Next, I will release the exp for resetting the password. This exp is only for research and learning; illegal intrusion carried out with it has nothing to do with me.

This exp only applies when the administrator name and password hash have been obtained by injection (the password itself cannot be recovered), and it changes the password to x0h4ck3r.

Running result:
