CVE-2019-16997
published 2019-09-30


Priority: P260, high, 7.2 (CVSS 3.1)
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 49.40% (98.7th percentile)

In Metinfo 7.0.0beta, a SQL Injection was discovered in app/system/language/admin/language_general.class.php via the admin/?n=language&c=language_general&a=doExportPack appno parameter.

Affected

1 range
Vendor | Product | Version range | Fixed in
metinfo | metinfo | |

Detection & IOCs (extracted from sources)

url: /admin/?n=language&c=language_general&a=doExportPack
path: app/system/language/admin/language_general.class.php
command: appno= 1 union SELECT 98989*443131,1&editor=cn&site=web
snort:
alert http any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET EXPLOIT MetInfo 7.0 SQL Injection (CVE-2019-16997)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/admin/?"; content:"a=doExportPack"; fast_pattern; distance:0; http.request_body; content:"appno="; startswith; pcre:"/^[^&=]*(?:union|select|update|insert|delete)/Ri"; reference:url,y4er.com/post/metinfo7-sql-tips/#sql-injection-2; reference:cve,2019-16997; classtype:attempted-admin; sid:2035019; rev:1; metadata:attack_target Server, created_at 2022_01_31, cve CVE_2019_16997, deployment Perimeter, deployment Internal, confidence Medium, signature_severity Major, tag Exploit, updated_at 2022_01_31, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
  • Exploit targets HTTP POST to /admin/?n=language&c=language_general&a=doExportPack with a UNION-based SQL injection payload in the 'appno' POST body parameter. The body starts with 'appno=' and contains SQL keywords (union, select, etc.).
  • The arithmetic canary value 98989*443131=43865094559 is used to confirm blind/UNION SQL injection execution. Presence of '43865094559' in the HTTP response body confirms successful exploitation.
  • The vulnerable endpoint is exclusively accessed via HTTP POST method. Detections should filter on POST requests to the doExportPack action.
  • The Emerging Threats rule SID 2035019 (rev:1) covers this CVE with Medium confidence and Major severity, classified as attempted-admin, mapped to MITRE T1190 (Exploit Public-Facing Application).
  • CVE-2019-16997 affects only MetInfo 7.0.0 beta. The vulnerable parameter is 'appno' in the doExportPack action, which is distinct from the similarly structured CVE-2019-17418 (doSearchParameter action, GET method). Ensure detections differentiate between the two actions to avoid false positives.
  • Exploitation requires high privileges (PR:H per CVSS), meaning the attacker must be authenticated as an admin. Detection rules should account for authenticated sessions when triaging alerts.
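
Added example (not from the source page or from the Emerging Threats rule set): the triage logic in the notes above as a Python function run over constructed HTTP transactions. The function names, verdict labels and sample records are assumptions; URL-decoding the appno value and checking the response for the canary go slightly beyond what the rule itself matches.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Product of the arithmetic in the page's sample payload (98989*443131).
CANARY = str(98989 * 443131)
SQL_KEYWORDS = re.compile(r"union|select|update|insert|delete", re.I)


def classify(method, uri, body, response_body=""):
    """Return 'none', 'attempt' or 'confirmed' for one HTTP transaction."""
    if method.upper() != "POST":            # the action is only reached via POST
        return "none"
    parts = urlsplit(uri)
    action = parse_qs(parts.query).get("a", [])
    if not parts.path.endswith("/admin/") or action != ["doExportPack"]:
        return "none"                       # doSearchParameter is CVE-2019-17418
    if not body.startswith("appno="):       # same anchor as the rule's startswith
        return "none"
    # Inspect only the appno value; form bodies are URL-encoded, so decode first.
    appno = unquote_plus(body[len("appno="):].split("&", 1)[0])
    if not SQL_KEYWORDS.search(appno):
        return "none"
    # Canary in the response means the injected query actually executed.
    return "confirmed" if CANARY in response_body else "attempt"


# Constructed sample transactions: (method, uri, request body, response body).
EXPORT_URI = "/admin/?n=language&c=language_general&a=doExportPack"
PAGE_PAYLOAD = "appno= 1 union SELECT 98989*443131,1&editor=cn&site=web"
SAMPLES = [
    ("POST", EXPORT_URI, PAGE_PAYLOAD, "<html>error</html>"),
    ("POST", EXPORT_URI, PAGE_PAYLOAD, "lang_43865094559.ini"),
    ("POST", EXPORT_URI, "appno=0&editor=cn&site=web", ""),
    ("GET", "/admin/?n=language&c=language_general&a=doSearchParameter", "", ""),
]


def triage(samples=SAMPLES):
    """Classify every sample transaction, in order."""
    return [classify(*sample) for sample in samples]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, triage()):
        print(f"{verdict:9} {sample[0]:4} {sample[1]}")
```

A "confirmed" verdict warrants incident response on the admin account that sent the request, since the endpoint requires an authenticated admin session.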

CVSS provenance

nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P