Metinfo 8月1日升级了版本,修复了一个影响小于等于5.3.17版本(几乎可以追溯到所有5.x版本)的SQL注入漏洞。这个SQL注入漏洞不受软WAF影响,可以直接获取数据,影响较广。
### 0x01. 漏洞原理分析
漏洞出现在 `/include/global.func.php` 文件的 `jump_pseudo` 函数:
```
/*静态页面跳转*/
function jump_pseudo(){
global $db,$met_skin_user,$pseudo_jump;
global $met_column,$met_news,$met_product,$met_download,$met_img,$met_job;
global $class1,$class2,$class3,$id,$lang,$page,$selectedjob;
global $met_index_type,$index,$met_pseudo;
if($met_pseudo){
$metadmin[pagename]=1;
$pseudo_url=$_SERVER[HTTP_X_REWRITE_URL]?$_SERVER[HTTP_X_REWRITE_URL]:$_SERVER[REQUEST_URI];
$pseudo_jump=@strstr($_SERVER['SERVER_SOFTWARE'],'IIS')&&$_SERVER[HTTP_X_REWRITE_URL]==''?1:$pseudo_jump;
$dirs=explode('/',$pseudo_url);
$dir_dirname=$dirs[count($dirs)-2];
$dir_filename=$dirs[count($dirs)-1];
if($pseudo_jump!=1){
$dir_filenames=explode('?',$dir_filename);
switch($dir_filenames[0]){
case 'index.php':
if(!$class1&&!$class2&&!$class3){
if($index=='index'){
if($lang==$met_index_type){
$jump['url']='./';
}else{
$jump['url']='index-'.$lang.'.html';
}
}else{
if($lang==$met_index_type){
$jump['url']='./';
}else{
$id=$class3?$class3:($class2?$class2:$class1);
if($id){
$query="select * from $met_column where id='$id'";
}else{
$query="select * from $met_column where foldername='$dir_dirname' and lang='$lang' and (classtype='1' or releclass!='0') order by id asc";