Authenticated file upload vulnerability in MetInfo <= 5.3.17 (get shell)

job/uploadfile_save.php in MetInfo through 5.3.17 blocks the .php extension but not related extensions, which might allow remote authenticated admins to execute arbitrary PHP code by uploading a .phtml file after certain actions involving admin/system/safe.php and job/cv.php.

Technical Description:

In /job/uploadfile_save.php, the check on $ext at line 23 is insufficient: it rejects the .php extension but accepts any other extension the administrator has put on the allowed-format list, so a file with an alternative PHP extension (php5, php6, phtml, ...) can be uploaded and executed by the web server, giving a web shell.

Exploitation requires an account with access to the admin panel.

Proof of Concept(PoC)

First, log in to the admin panel and open http://127.0.0.1/metinfo/admin/system/safe.php?anyid=12&lang=cn (or navigate to Safety > Safety and efficiency in the admin panel).

Edit the list of file formats allowed for upload and add php5, php6, phtml, or a similar extension that the web server hands to the PHP interpreter.

Second, open http://127.0.0.1/metinfo/job/cv.php?lang=cn&selectedjob= and fill in the resume form; in the "Recent photos" upload field, upload a web shell with the .php5 extension.

The content of the file can be:

Third, return to the admin panel and open http://127.0.0.1/metinfo/admin/content/job/cv.php (or navigate to Manage > Job > Resume information management).

Find the entry you just submitted; it shows the URL of the uploaded web shell:

Fourth, enter the web shell URL and its password into a web shell client (AntSword is suggested) and you have a shell on the server.
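The root cause described above (a filter that rejects only the literal .php extension while the effective allow-list is admin-editable) is easy to get wrong and easy to audit. The following is an added example, not MetInfo's code: a hypothetical model of the weak check beside a hardened version, plus an audit helper that flags dangerous entries in the configured format list. It assumes the allowed-format setting is a "|"-separated string, which is an assumption made for the example; the extension lists are constructed here and should be checked against your own web server's handler mappings.

```python
import os
import re

# Extensions that a typical PHP-enabled web server (Apache AddHandler /
# FilesMatch, nginx fastcgi location patterns) may pass to the PHP
# interpreter. Constructed list for this example; verify against your server.
PHP_EXECUTABLE_EXTS = {
    "php", "php3", "php4", "php5", "php6", "php7", "phtml", "phps", "phar", "pht",
}

# Fixed allow-list for an image upload such as a resume photo. Constructed
# for this example; the application, not the admin, should own this set.
SAFE_IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}


def _parse_admin_formats(admin_allowed: str) -> set:
    """Assumption for this example: the admin-configured format setting is a
    '|'-separated list of extensions, e.g. 'jpg|png|gif'."""
    return {e.strip().lower() for e in admin_allowed.split("|") if e.strip()}


def vulnerable_ext_check(filename: str, admin_allowed: str) -> bool:
    """Hypothetical model of the weak filter the advisory describes (not the
    project's code): only the literal 'php' extension is refused, and every
    other decision is delegated to the admin-controlled format list."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext == "php":
        return False
    return ext in _parse_admin_formats(admin_allowed)


def hardened_ext_check(filename: str, admin_allowed: str) -> bool:
    """Allow-list check: the admin setting may narrow the fixed safe set but
    never widen it, every dotted segment is screened against PHP-executable
    extensions (catches shell.php.jpg), and names like '.htaccess' or a
    trailing dot are rejected outright."""
    base = os.path.basename(filename)
    parts = base.lower().split(".")
    if len(parts) < 2 or any(p == "" for p in parts):
        return False
    exts = parts[1:]
    if any(e in PHP_EXECUTABLE_EXTS for e in exts):
        return False
    ext = exts[-1]
    if re.fullmatch(r"[a-z0-9]+", ext) is None:
        return False
    effective = _parse_admin_formats(admin_allowed) & SAFE_IMAGE_EXTS
    return ext in effective


def audit_allowed_formats(admin_allowed: str) -> list:
    """Return the entries of the configured format list that would let an
    uploaded file run as PHP. Useful as a check on the safe.php setting:
    a non-empty result means someone widened the list, as in the PoC."""
    return sorted(_parse_admin_formats(admin_allowed) & PHP_EXECUTABLE_EXTS)


if __name__ == "__main__":
    tampered = "jpg|png|gif|php5|phtml"  # constructed: list after the PoC's first step
    print("vulnerable accepts shell.php5:", vulnerable_ext_check("shell.php5", tampered))
    print("hardened accepts shell.php5:  ", hardened_ext_check("shell.php5", tampered))
    print("dangerous entries:", audit_allowed_formats(tampered))
```

The practical takeaway is that a blocklist of one extension is not a control: once the admin (or an attacker holding admin credentials, as in this advisory) can edit the format list, only an application-owned allow-list intersected with that list keeps the upload directory free of executable files. Serving the upload directory with PHP execution disabled is the complementary server-side mitigation.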


> [Discoverer]
> Lncken

Assigned CVE: CVE-2017-11715.
