Contents
1. Vulnerability description
2. Vulnerability trigger conditions
3. Vulnerability impact
4. Vulnerable code analysis
5. Defense methods
6. Offense and defense thinking
1. Vulnerability Description
MetInfo is a PHP+MySQL information publishing system. A logic defect in it produces a conditional SQL injection through which the information of any administrator can be modified.
Relevant Link:
2. Vulnerability Trigger Condition
As can be seen from save_met_cookie(), any SQL statement can be executed here. Because the statement in question is an UPDATE on the met_admin_table table, the password of any user can be modified directly, and other arbitrary operations are possible.
For example, to change a password it is only necessary to submit met_cookie_filter[]=', admin_pass=password where admin_id=1#
3. Vulnerability Impact Range
MetInfo <= 5.3
4. Vulnerability Code Analysis
/admin/include/common.inc.php
..
// $met_cookie is first copied into $met_cookie_filter, which amounts to initialising it
$met_cookie_filter = $met_cookie;
foreach (array('_COOKIE', '_POST', '_GET') as $_request)
{
    // Registering GPC variables through this foreach lets $met_cookie_filter be overwritten by request input
    foreach ($$_request as $_key => $_value)
    {
        $_key{0} != '_' && $$_key = daddslashes($_value, 0, 0, 1);
        $_M['form'][$_key] = daddslashes($_value, 0, 0, 1);
    }
}
$met_cookie = array();
// The assignment $met_cookie = $met_cookie_filter makes $met_cookie controllable by the request
$met_cookie = $met_cookie_filter;
..
Next, follow the global filtering performed by the daddslashes function in /admin/include/global.func.php
/* POST variable conversion */
function daddslashes($string, $force = 0, $sql_injection = 0, $url = 0)
{
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if (!MAGIC_QUOTES_GPC || $force)
    {
        if (is_array($string))
        {
            foreach ($string as $key => $val)
            {
                $string[$key] = daddslashes($val, $force);
            }
        }
        else
        {
            $string = addslashes($string);
        }
    }
    if (is_array($string))
    {
        if ($url)
        {
            // $string = '';
            foreach ($string as $key => $val)
            {
                $string[$key] = daddslashes($val, $force);
            }
        }
        else
        {
            foreach ($string as $key => $val)
            {
                $string[$key] = daddslashes($val, $force);
            }
        }
    }
    else
    {
        // When SQL_DETECT is not 1, or $sql_injection is 1, the character filtering below is entered;
        // single quotes are already escaped as \' at this point
        if (SQL_DETECT != 1 || $sql_injection == 1)
        {
            $string = str_ireplace("\"", "/", $string);
            $string = str_ireplace("'", "/", $string);
            $string = str_ireplace("*", "/", $string);
            $string = str_ireplace("~", "/", $string);
            $url = str_ireplace("\"", "/", $url);
            $url = str_ireplace("'", "/", $url);
            $url = str_ireplace("*", "/", $url);
            $url = str_ireplace("~", "/", $url);
            $string = str_ireplace("select", "\sel\ect", $string);
            $string = str_ireplace("insert", "\ins\ert", $string);
            $string = str_ireplace("update", "\up\date", $string);
            $string = str_ireplace("delete", "\de\lete", $string);
            $string = str_ireplace("union", "\un\ion", $string);
            $string = str_ireplace("into", "\in\to", $string);
            $string = str_ireplace("load_file", "\load\_\file", $string);
            $string = str_ireplace("outfile", "\out\file", $string);
            $string = str_ireplace("sleep", "\sle\ep", $string);
            $string = str_ireplace("where", "\where", $string);
            $string_html = $string;
            $string = strip_tags($string);
            if ($string_html != $string)
            {
                $string = '';
            }
            $string = str_replace("%", "\%", $string);
        }
    }
    return $string;
}
The source of the vulnerability is that MetInfo uses its own so-called escape processing, but that escaping is incomplete: the backslash is not escaped. If an attacker enters both a single quote and a backslash, MetInfo escapes only the single quote, producing \\', in which the backslash meant to escape the single quote is "swallowed", so the payload regains its effect.
Continuing to trace back, we look for the places where the $met_cookie variable is used.
/admin/include/global.func.php
function save_met_cookie()
{
    global $met_cookie, $db, $met_admin_table;
    $met_cookie['time'] = time();
    // $met_cookie is turned into $json by json_encode and spliced directly into the $query string
    $json = json_encode($met_cookie);
    $username = $met_cookie[metinfo_admin_id] ? $met_cookie[metinfo_admin_id] : $met_cookie[metinfo_member_id];
    $username = daddslashes($username, 0, 1);
    // The query is issued
    $query = "update $met_admin_table set cookie='$json' where id='$username'";
    $user = $db->query($query);
}
json_encode() escapes special characters such as \ and ", so the \' produced by the earlier escaping becomes \\'. The added backslash escapes the escaping character itself, so the quotation mark enters the query unescaped. This is the key to the injection.
As can be seen, any function that references $met_cookie after common.inc.php has been included is affected.
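The escape-then-encode interaction described above, as an added PHP example (not MetInfo's own code): a harmless name with an apostrophe is escaped on input, passed through json_encode() and spliced into the UPDATE, a small MySQL-style literal scanner shows where the string literal really ends, and the corrected line escapes the final JSON at the point of use. The table and column names are placeholders.

```php
<?php
// Added example, not MetInfo's code. Models the escape-then-encode defect from
// section 4: addslashes() runs on the raw request value, json_encode() later
// doubles the backslash, and MySQL then sees an unescaped quote. The input is a
// constructed ordinary name with an apostrophe; table and column names are placeholders.

// Offset of the quote closing the first '...' literal in $sql under MySQL's rules:
// a backslash escapes the next character, '' is a literal quote; -1 if unterminated.
function firstLiteralEnd(string $sql): int
{
    $start = strpos($sql, "'");
    if ($start === false) {
        return -1;
    }
    for ($i = $start + 1, $n = strlen($sql); $i < $n; $i++) {
        if ($sql[$i] === '\\') {
            $i++;                                   // skip the escaped character
        } elseif ($sql[$i] === "'") {
            if ($i + 1 < $n && $sql[$i + 1] === "'") {
                $i++;                               // '' inside a literal
                continue;
            }
            return $i;
        }
    }
    return -1;
}

// The text MySQL would treat as the string literal, for display.
function literalSeen(string $sql): string
{
    $start = strpos($sql, "'");
    $end   = firstLiteralEnd($sql);
    return $end < 0 ? '(unterminated)' : substr($sql, $start + 1, $end - $start - 1);
}

// Constructed cookie array; common.inc.php escapes every request value on input.
$cookie = ['metinfo_admin_id' => addslashes("O'Brien")];   // holds O\'Brien
// Vulnerable construction, as in save_met_cookie(): encode, then splice.
$json = json_encode($cookie);                              // {"metinfo_admin_id":"O\\'Brien"}
$vulnerable = "update met_admin set cookie='$json' where id='1'";

// Corrected construction: escape the final string at the point of use, so the
// doubled backslash and the quote are both escaped for MySQL. Binding $json as a
// prepared-statement parameter would remove the string splicing altogether.
$corrected = "update met_admin set cookie='" . addslashes($json) . "' where id='1'";

echo "vulnerable, MySQL sees: ", literalSeen($vulnerable), "\n";   // literal ends inside the JSON
echo "corrected,  MySQL sees: ", literalSeen($corrected), "\n";    // literal spans the whole JSON
```

Run with the PHP CLI; the first line stops at the doubled backslash, which is exactly where the rest of the JSON turns into SQL, while the second line shows the whole escaped JSON as one literal.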
5. Defense Methods
/admin/include/common.inc.php
..
$met_cookie_filter = $met_cookie;
foreach (array('_COOKIE', '_POST', '_GET') as $_request)
{
    foreach ($$_request as $_key => $_value)
    {
        $_key{0} != '_' && $$_key = daddslashes($_value, 0, 0, 1);
        $_M['form'][$_key] = daddslashes($_value, 0, 0, 1);
    }
}
$met_cookie = array();
/**/ $met_cookie = addslashes(stripslashes($met_cookie_filter)); /**/
..
6. Defensive Thinking
Copyright (c) Littlehann All rights reserved
metinfo/admin/include/common.inc.php SQL Injection Vul