0x01 Preface
MetInfo enterprise website management system: built on a PHP + MySQL architecture with a built-in SEO (search engine optimization) mechanism. It supports user-defined interface languages (any of the world's languages) and ships with the modules an enterprise site commonly needs (company profile, news, products, downloads, images, recruitment, online messages, feedback, online chat, links, site map, members and permission management). Powerful and flexible back-end management, static page generation, custom module addition and per-column FLASH styles let an enterprise build an attractive, marketing-oriented website.
Since the earlier remote code execution vulnerability in this program, nobody has kept digging into it, yet it is still used by many people. What follows is the result of my examination.
It took me a few days to audit this CMS. The findings are given one by one below.
0x02 Injection 1
This audit was done against the latest version from the official website.
Line 13 of message/access.php:
As you can see, $id is not filtered here. Where does $id come from? See include/common.inc.php.
The daddslashes() function is in global.func.php.
In fact, it only escapes the passed value (addslashes-style), which does nothing for a parameter used as a bare number,
so we can ignore it...
Injection result:
This vulnerability affects all versions from 2.0 up. Version 3.0 added an anti-injection function, but it can be bypassed.
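The point of this section, as an added example that is not MetInfo's code: an unquoted numeric id passed through an addslashes-style filter still reaches the query unchanged, while an integer check plus a bound parameter closes the hole. The table, rows and function names are constructed; it assumes PHP with the pdo_sqlite extension.

```php
<?php
// Added example (not MetInfo's code): the pattern this section describes,
// an unquoted numeric id run through an addslashes-style filter, beside a
// hardened version. Table and rows are constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE message (id INTEGER, body TEXT)');
$db->exec("INSERT INTO message VALUES (1, 'public note'), (2, 'private note')");

// Vulnerable pattern: daddslashes()-style escaping only touches quotes
// and backslashes. A bare number in SQL needs no quote, so the filter
// leaves an appended condition untouched and it reaches the query.
function lookupVulnerable(PDO $db, string $id): array
{
    $id = addslashes($id);
    $rows = $db->query("SELECT body FROM message WHERE id=$id");
    return $rows->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: reject anything that is not a plain unsigned integer, then
// bind it as a typed parameter so the value can never reshape the query.
function lookupHardened(PDO $db, string $id): array
{
    if (!ctype_digit($id)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT body FROM message WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal id and an id carrying an extra condition.
foreach (['1', '1 OR 1=1'] as $input) {
    echo "vulnerable($input): ", implode(', ', lookupVulnerable($db, $input)), "\n";
    try {
        echo "hardened($input): ", implode(', ', lookupHardened($db, $input)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "hardened($input): rejected, ", $e->getMessage(), "\n";
    }
}
```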
0x03 Injection 2
Line 8 of about/show.php:
The same problem is obvious here, but this one is a blind injection. What happens afterwards? If $show does not exist, or the isshow key is missing from the $show array, an error page is returned, so this is a blind injection.
Injection result:
We can still get the information we want this way, though judging it by hand would be very tiring...
0x04 Injection 3
Line 16 of member/feedback.php:
$met_fd_class in $serch_sql is controllable.
Let's track the variable $serch_sql.
At line 26 we find that it is executed, so the same problem exists here.
However, the precondition is that you need to log in, because permissions are verified.
The permission check is included at the beginning of feedback.php.
Therefore, to inject here you must register a user and log in before injecting.
Here is the injection statement. First we must close the preceding ) and comment out the rest of the statement.
Exp:
http://www.bkjia.com/member/feedback.php?&met_fd_classname=1&met_fd_class=99999) union select 1,2,4,5,user(),7,8,9,10--
0x05 Injection 4
This one is a low-value injection ("chicken ribs": not worth much, a pity to throw away)...
Whether or not it is dangerous, let's continue.
An INSERT injection exists at line 73 of job/save.php.
$jobid here is controllable. I won't go into why it is controllable; test it yourself.
Why is it low-value? 1. This is an INSERT statement. If we append to the jobid parameter and comment out the rest, for example inserting something like $id=(select password from admin where id=1)#, can it succeed? In fact it can: the administrator's md5 is inserted successfully, but you still have to read it back. Looking further, the only field of the met_cv table that is ever read back is time, and the time field cannot be used for the insert, so there is no way to read the value out directly. That is why it is low-value.
0x06 Injection 5
An UPDATE injection exists at line 53 of member/cv_editor.php.
Same problem as above, so I won't repeat it.
Low-value.
0x07 Injection 6
Line 109 of member/fdeditor.php:
Since permissions are verified, the user must be registered before injecting, and automated tools cannot be used.
Injection:
I won't write up the details and how to test them; it is too tiring. Throughout the code audit we have to test the passed parameters step by step; it is not that easy to determine where the problem is. So please cherish the fruits of others' work.
0x08 File Inclusion
Line 8 of member/index.php:
$metid here is passed in externally and is controllable.
If the metid variable does not exist, it is assigned 'index'.
If $metid exists and is not 'index', the file $metid.'.php' is included, so we can construct a file to include.
The inclusion method is as follows. If gpc is off, the path can be truncated (the classic null-byte truncation).
The second way is truncation with an over-long string of characters.
That case is not affected by gpc.
0x09 Password Reset Vulnerability
In member/getpassword.php
the password reset code is shown here.
First, the username + password md5 is assigned to the variable x.
Then user.x is base64-encoded and assigned to a string, and that string is used in the
password-retrieval URL. Do you see the problem?
Suppose we have injected the CMS's md5 but cannot crack it. What then? No problem:
what if we reset the administrator's password through this URL? Is it feasible? Because the required username and password are both in md5 form, we can reset the password.
The programmer who developed this reset function should have thought about this more.....
Next I will give the exp.
Run:
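The weakness this section describes, as an added example that is not MetInfo's code: a reset link derived only from the username and the stored password md5 is reproducible by anyone who has read those two values, whereas a random, hashed, expiring, single-use token is not. The exact concatenation in weakResetToken(), the function names, the token store and the fake clock values are assumptions.

```php
<?php
// Added example (not MetInfo's code): the reset link this section
// describes is built only from the username and the stored password md5,
// so anyone who has read those two values (e.g. via the injections above)
// can build the link. Beside it, a hardened design the post does not
// contain. User, clock values and the token store are constructed.

// Weak: fully derived from database contents; nothing random, no expiry.
function weakResetToken(string $user, string $storedMd5): string
{
    return base64_encode($user . '.' . $storedMd5);
}

// Hardened: an unguessable single-use token bound to the account, with an
// expiry. Only a hash of the token is stored, so a database read (the very
// capability the injections give) does not yield a usable link.
function issueResetToken(string $user, array &$store, int $now, int $ttl = 900): string
{
    $token = bin2hex(random_bytes(32));
    $store[$user] = ['hash' => hash('sha256', $token), 'expires' => $now + $ttl];
    return $token;
}

function verifyResetToken(string $user, string $token, array &$store, int $now): bool
{
    if (!isset($store[$user]) || $now > $store[$user]['expires']) {
        return false;
    }
    if (!hash_equals($store[$user]['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$user]); // single use: a link can only ever reset once
    return true;
}

// Constructed walk-through (times are seconds on a fake clock).
$store = [];
$link = issueResetToken('admin', $store, 1000);
var_dump(verifyResetToken('admin', 'forged-guess', $store, 1100)); // wrong token
var_dump(verifyResetToken('admin', $link, $store, 1100));          // genuine, in time
var_dump(verifyResetToken('admin', $link, $store, 1200));          // already consumed
$late = issueResetToken('admin', $store, 1000);
var_dump(verifyResetToken('admin', $late, $store, 2000));          // past the ttl
```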
0x10 Getshell from the background
There are actually three ways to get a shell from the admin background.
Method 1:
Add php directly here (to the allowed upload types).
Then go to file management and upload the php shell there.
Method 2:
Add the asa suffix here and upload an asa file from the front-end. This applies under IIS.
Cause of the vulnerability:
In job/uploadfile_save.php
only some common suffixes are handled.
Therefore the front-end can upload an asa file directly through the job application link.
Method 3:
Add a new template in the background.
Pack our php Trojan into zip format and upload it.
Finally our Trojan is extracted into the templates folder.
Access:
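One example, not MetInfo's code, covering both 0x08 and method 2 of 0x10: both bugs come from trusting a user-supplied name. It shows a deny-list suffix check of the kind the post attributes to job/uploadfile_save.php (the exact list there is unknown and the one below is constructed), beside allowlist versions for the upload suffix and for the member/index.php include. All list contents, paths and function names are assumptions.

```php
<?php
// Added example (not MetInfo's code) covering 0x08 and method 2 of 0x10:
// both bugs come from trusting a user-supplied name. Shown here is a
// deny-list style suffix check like the one the post attributes to
// job/uploadfile_save.php, beside allowlist versions for the upload suffix
// and for the member/index.php include. Lists and names are constructed.

// Deny-list: blocks the suffixes someone thought of and nothing else.
// IIS executes .asa as ASP, but it is not on the list, so it passes.
const DENIED_SUFFIXES = ['php', 'php3', 'asp', 'aspx', 'jsp'];
function uploadAllowedDenyList(string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return !in_array($ext, DENIED_SUFFIXES, true);
}

// Allowlist: only known-safe suffixes, every dotted part must qualify
// (so "shell.php.jpg" fails), and the stored name is server-generated.
const ALLOWED_SUFFIXES = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'zip'];
function safeUploadName(string $clientName): ?string
{
    $parts = explode('.', strtolower(basename($clientName)));
    if (count($parts) < 2 || $parts[0] === '') {
        return null;
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_SUFFIXES, true)) {
            return null;
        }
    }
    return bin2hex(random_bytes(8)) . '.' . end($parts);
}

// Include: map the request value to a fixed module table instead of
// gluing it to ".php"; traversal and truncation tricks never reach include().
const MEMBER_MODULES = ['index', 'feedback', 'cv_editor', 'fdeditor'];
function safeIncludePath(string $metid, string $baseDir): ?string
{
    if ($metid === '') {
        $metid = 'index';
    }
    if (!in_array($metid, MEMBER_MODULES, true)) {
        return null;
    }
    return $baseDir . '/' . $metid . '.php';
}

var_dump(uploadAllowedDenyList('page.asa'));            // slips through the deny-list
var_dump(safeUploadName('page.asa'));                   // allowlist rejects it
var_dump(safeUploadName('photo.png') !== null);         // ordinary image accepted
var_dump(safeIncludePath('../outside', '/var/www/member')); // not a known module
var_dump(safeIncludePath('feedback', '/var/www/member'));   // known module
```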
0x11 Summary
I spent a few days researching the entire CMS. I only mined the front-end; there was little of value in the background. I gained a lot overall, and I am releasing it on 0day. If you want to study together, join the group: 62512676
Next I will release the exp for resetting the password. This exp is only for research and learning; illegal intrusion using it has nothing to do with me.
This exp only applies when the administrator name and password hash have been obtained by injection (the plaintext password cannot be recovered); the password is changed to x0h4ck3r.
Running result: