job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.
In /job/uploadfile_save.php, the filter applied to $ext at line 23 has a problem that can lead to a getshell, but it requires an account with admin-stage (back-end) privileges.
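The weakness is a denylist that names only the .php extension. The following PHP is an added example, not MetInfo's own code (the project's actual filter at line 23 is not reproduced here): it places that denylist pattern beside an allowlist check with a content check; the function names, the allowed-extension list and the sample file names are assumptions.

```php
<?php
// Added example, not MetInfo's code: a denylist extension check of the kind the
// advisory describes, beside an allowlist replacement with a content check.
// Function names, the allowed-extension list and the sample names are assumptions.
declare(strict_types=1);

// Weak pattern: refuse only ".php". Extensions the web server may also hand to
// the PHP interpreter (.phtml, .php5, ...) pass, and an admin-editable list of
// allowed formats (as in the advisory's safe.php page) widens the gap further.
function extension_allowed_denylist(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened pattern: a fixed allowlist that is not editable from the web UI,
// checked against every dotted segment so "shell.jpg.phtml" and
// "shell.phtml.jpg" are both rejected.
const ALLOWED_IMAGE_EXT = ['jpg', 'jpeg', 'png', 'gif'];

function extension_allowed_allowlist(string $filename): bool
{
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                 // no extension at all
    }
    array_shift($parts);              // drop the base name
    foreach ($parts as $part) {
        if (!in_array($part, ALLOWED_IMAGE_EXT, true)) {
            return false;
        }
    }
    return true;
}

// Content check independent of the name: getimagesize() returns false for
// anything that is not a recognised image format.
function upload_is_image(string $tmpPath): bool
{
    return @getimagesize($tmpPath) !== false;
}

foreach (['photo.jpg', 'shell.php', 'shell.phtml', 'shell.php5', 'shell.jpg.phtml'] as $name) {
    printf("%-16s denylist=%-5s allowlist=%s\n", $name,
        extension_allowed_denylist($name) ? 'pass' : 'block',
        extension_allowed_allowlist($name) ? 'pass' : 'block');
}
```

Only photo.jpg passes the allowlist; the denylist lets every name except shell.php through, which is exactly the gap the advisory describes.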
Proof of Concept (PoC)
Firstly, log in to the admin stage and open the URL http://127.0.0.1/metinfo/admin/system/safe.php?anyid=12&lang=cn, or find the page in the admin stage under Safety – Safety and efficiency.
Change the file formats that are allowed for upload, adding php5, php6 or phtml ...
Secondly, open the URL:
http://127.0.0.1/metinfo/job/cv.php?lang=cn&selectedjob= and fill in the blanks; when uploading "Recent photos", upload a webshell file with a .php5 extension.
Its content can be:
Thirdly, go back to the admin stage and open the URL:
http://127.0.0.1/metinfo/admin/content/job/cv.php, or find it under Manage – Job – Resume information management.
Find the information you just uploaded; there you can find the URL of the webshell:
Fourthly, add this webshell URL and password to a webshell tool (antsword is suggested), and you will find that the shell has been obtained successfully.