> [Suggested description]
An issue in SeaCMS v.12.9 allows an attacker to execute arbitrary
commands via the admin_safe.php component.
> [VulnerabilityType Other]
Any file download
> [Vendor of Product]
https://www.seacms.com/download/
> [Affected Product Code Base]
seacms - <=12.9
> [Affected Component]
poc:https:http://127.0.0.1/seacms/upload/t9ljh/admin_safe.php?action=download&file=file relative path+file name
> [Attack Type]
Remote
> [Impact Escalation of Privileges]
true
> [Impact Information Disclosure]
true
> [Attack Vectors]
This is the address of the article where the vulnerability recurs:https://blog.csdn.net/DGS666/article/details/133795200?spm=1001.2014.3001.5501
> [Reference]
http://seacms.com
https://blog.csdn.net/DGS666/article/details/133795200?spm=1001.2014.3001.5501
https://www.seacms.com/download/
Vulnerability description
By auditing the source code, in the admin_ In the safe.php file, a controllable variable was found and a vulnerability was found on line 94 of the code
Problem type
Any file download
Product
Seacms
Version
Seacms <= V12.9
Download address
The latest version download address:https://www.seacms.com/download/
Vulnerability verification (漏洞验证)
Action=download, parameters obtained through get, controllable, and can be output as long as the file exists.
Enter the backend page:
poc = 127.0.0.1/seacms/upload/t9ljh/admin_safe.php?action=download&file=…/install/seacms.sql
Successfully downloaded seacms.sql file from the install folder.