
MetInfo CMS SQL Injection Scanner

Detects 'SQL Injection' vulnerability in MetInfo CMS.

Short Info

Level: Critical

Single Scan

Can be used by: Asset Owner

Estimated Time: 10 seconds

Time Interval: 5 days 7 hours

Scan only one: URL


MetInfo CMS is a free and open-source enterprise content management system used by organizations to create and manage corporate websites. It is developed using PHP and MySQL, making it versatile and suitable for businesses that require dynamic web technologies. The CMS is designed to support a range of website functionalities, catering to small to large enterprises seeking custom website solutions. Web developers and IT teams typically employ MetInfo CMS for its flexibility and ease of use, allowing them to deploy and manage corporate online presence efficiently. The platform's open-source nature promotes collaboration and customization, enabling users to modify it to meet specific business needs.

The SQL Injection vulnerability resides in the MetInfo CMS, particularly in the img.php file. This security flaw allows attackers to inject malicious SQL statements into the application through the serch_sql parameter. By exploiting this vulnerability, unauthorized users can gain access to sensitive data stored in the backend database, bypassing normal authentication and access controls. SQL Injection is a common attack vector that manipulates input data used in SQL queries, potentially leading to data disclosure, data modification, and further exploitation of applications. Such vulnerabilities are critical as they can compromise entire systems and expose sensitive information.

This particular vulnerability in MetInfo CMS can be exploited through the vulnerable endpoint located at img.php. The parameter serch_sql is susceptible to SQL injection, allowing attackers to craft SQL queries that the application will execute against its database. The lack of input validation and parameterization in SQL queries makes the application vulnerable. Attack patterns include altering the logic of SQL queries to extract or corrupt data, performing administrative operations, and possibly taking control of the database server. The use of unsanitized input directly in SQL queries is the primary security flaw exploited in this case.
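For asset owners who want to check their own web server logs for requests that reach this parameter, the following is an added example and not part of the scanner or of MetInfo. It assumes combined-format access logs and that legitimate site traffic does not supply serch_sql to img.php; the sample log lines, addresses and paths other than img.php are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines in combined log format; addresses, paths other than
# img.php, and parameter values are made up for this example.
SAMPLE_LOG = """\
198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /img.php?lang=en HTTP/1.1" 200 5120
203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /img.php?lang=en&serch_sql=CONSTRUCTED_VALUE HTTP/1.1" 200 5300
203.0.113.9 - - [01/Jan/2024:10:00:04 +0000] "GET /site/img.php?%73erch_sql%5B%5D=CONSTRUCTED_VALUE HTTP/1.1" 200 812
198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /news.php?serch_sql=1 HTTP/1.1" 404 0
this line is not a log entry
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def find_hits(log_text, script="img.php", param="serch_sql"):
    """Return (ip, timestamp, status) for requests to `script` that carry `param`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        url = urlsplit(m["target"])
        if url.path.rsplit("/", 1)[-1] != script:
            continue  # a different script; the page names only img.php
        # parse_qsl percent-decodes names, so an encoded spelling of the
        # parameter is normalised before comparison. PHP also maps
        # "name[...]" onto the variable "name", so cut at the first bracket.
        names = {k.split("[", 1)[0] for k, _ in
                 parse_qsl(url.query, keep_blank_values=True)}
        if param in names:
            hits.append((m["ip"], m["ts"], int(m["status"])))
    return hits

if __name__ == "__main__":
    for ip, ts, status in find_hits(SAMPLE_LOG):
        print(f"{ts} {ip} status={status} img.php request with serch_sql")
```

Access logs normally record only the query string, so a parameter sent in a POST body will not appear here and needs WAF or application-level logging. A hit shows that the parameter was supplied, not that the request succeeded.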

Exploiting the SQL Injection vulnerability in MetInfo CMS can have severe consequences. Attackers may gain unauthorized access to the database, leading to the theft of sensitive information such as user credentials, financial records, and other confidential data. This can result in data breaches, legal implications, and financial damage to organizations. Additionally, attackers could manipulate or delete critical data, disrupt website functionalities, and use the compromised system as a launching pad for further attacks on internal or external networks. The integrity, availability, and confidentiality of organizational data are at risk when such a vulnerability is present.
