Shulou(Shulou.com)06/01 Report--

The Metinfo CMS system has been exposed that there is a vulnerability in the website, which can upload arbitrary files to the root directory of the website, so that an attacker can easily obtain the webshell permission of the website and tamper with and attack the website. At present, the scope of the vulnerability of the website is the latest version of Metinfo 6.2.0, and all previous Metinfo versions can be exploited. We will analyze the details of the Metinfo vulnerability in detail:

First of all, the prerequisite for exploiting the vulnerability of the website is the windows system. The version of the PHP language is less than 5.3.This means that the old server will configure the website according to this environment. Let's take a look at the code with vulnerabilities. Metinfo has written a special upload feature in upload, which is very powerful. Let's take a look at the code using doupfile for upload, as shown in the following figure:

We can see from the above code that there are some modes for uploading files, as well as the information of variables. The variable info can be controlled. We look at the function of the method called by upfile and upload. Tracking and analyzing the code found that this is used to store the path information of uploaded files. The values of these two variables will directly change the uploaded path, which is also the cause of the loophole. We continue to analyze the loopholes in the code. When uploading using doupfile, Metinfo securely filters the uploaded file names. Some basic script files have been filtered out, and only some files in image format can be uploaded. Strict security restrictions are imposed on uploading using whitelist security mechanism.

It seems that there is no way to bypass the upload by changing the format of the uploaded file. We continue to analyze the code. The path of the uploaded file can be changed here, and it is found that the code has the function of coding conversion. / if the path contains. / then it will use the iconv function to convert its path. The loophole of the website also comes out here. This is where we can bypass the conversion and truncate its characters. This vulnerability exists in all versions lower than php5.3. The construction code is as follows: grab packets, intercept uploaded packets, send savepath=a.php%80\..\ 1.jpg and then directly post data to http://Metinfo/admin/index.php. Why post directly to the address of the backend of the website? Because the background index.php is officially added to the whitelist by Metinfo, you can directly bypass the filtering of the sqlinsert function and upload webshell directly to the website. In the actual vulnerability testing process, you do not need to log in to the background and directly post the address. If you do not know how the data package is written, you can build a Metinfo environment locally, then log in to the background, intercept the data packet, and then modify the website address of the database. To test for vulnerabilities.

Methods and details of website vulnerability repair

At present, there is no official fix for this vulnerability. Programmers are advised to upgrade the version of php to more than 5.3, or switch the server to the linux system, do not have the right to run PHP scripts on the uploaded directory uoload, or carry out security reinforcement on the website directory to prevent the creation and generation of PHP files. If you are not too familiar with the code, you can pay to find a professional website security company to deal with, the domestic SINE security, Green Alliance, Qiming Star is more professional, about Metinfo loophole repair and reinforcement methods, write here, hope that the majority of website operators face up to the security of the website.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.