SeaCMS v12.9 has an arbitrary file read vulnerability in the admin/adminsafe.php file, allowing attackers to read system files after accessing the website back end.
Detail
The file_get_contents call on line 94 is the vulnerability trigger, and its argument is obtained via the GET method.
Note that the backend path is randomly generated when the website is set up, so it varies for each user. Use your specific path during testing.
PoC
This vulnerability requires logging in to the website backend.
http://192.168.171.1/[random-path]/admin_safe.php?action=download&file=C:/windows/win.ini
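For detection, requests of the shape shown in the PoC can be found in web server access logs. The following is an added example, not code from the advisory or from SeaCMS: it assumes combined-format access logs and that legitimate download requests pass a plain relative file name; the log lines, the `abc123` back-end path and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /abc123/admin_safe.php?action=download&file=C:/windows/win.ini HTTP/1.1" 200 92',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /abc123/admin_safe.php?action=download&file=..%2f..%2fexample.txt HTTP/1.1" 200 51',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /abc123/admin_safe.php?action=download&file=report.txt HTTP/1.1" 200 40',
    '192.0.2.12 - - [01/Jan/2024:10:02:00 +0000] "GET /abc123/admin_safe.php?action=scan HTTP/1.1" 200 1300',
]
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
SCRIPTS = ("admin_safe.php", "adminsafe.php")  # both spellings appear in the advisory

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_reason(file_value):
    """Return why a 'file' value leaves the expected directory, or None."""
    path = fully_decode(file_value).replace("\\", "/")
    if re.match(r"[A-Za-z]:", path):
        return "drive-letter path"
    if path.startswith("//"):
        return "UNC path"
    if path.startswith("/"):
        return "absolute path"
    if ".." in path.split("/"):
        return "parent-directory segment"
    return None

def scan(lines):
    """Return (client, file value, reason) for each flagged download request."""
    findings = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group(1))
        params = parse_qs(url.query)
        if url.path.rsplit("/", 1)[-1] not in SCRIPTS or "download" not in params.get("action", []):
            continue
        for value in params.get("file", []):
            reason = suspicious_reason(value)
            if reason:
                findings.append((line.split()[0], value, reason))
    return findings
```

Because the back-end directory name differs per installation, the check matches on the script name and query parameters rather than on the full path.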