Introduction
SeaCMS is a free, open-source website content management system written in PHP. The system is mainly designed to manage video-on-demand resources.
SeaCMS version 12.9 has a remote code execution vulnerability. admin_ping.php splices user input directly into ping.php without sanitizing it, which allows authenticated attackers to execute arbitrary commands and obtain system permissions.
Environment
https://github.com/seacms-net/CMS/blob/master/SeaCMS12.9%E6%B5%B7%E6%B4%8BCMS%E5%AE%89%E8%A3%85%E5%8C%85.zip
Analysis
The weburl and token parameters passed to admin_ping.php are not filtered; they are concatenated directly and written into the ping.php file, resulting in arbitrary code execution.
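The fix for this class of bug is to validate both parameters and to stop building PHP source by string concatenation. The following is an added example, not SeaCMS code: the function names, the allowed token format and the config layout are assumptions made for illustration.

```php
<?php
// Added example, not SeaCMS code. Names and the config layout are assumptions.

// Layer 1: accept only the shapes the setting needs.
function validate_ping_settings(string $weburl, string $token): void
{
    $scheme = parse_url($weburl, PHP_URL_SCHEME);
    if (filter_var($weburl, FILTER_VALIDATE_URL) === false
        || !in_array(strtolower((string) $scheme), ['http', 'https'], true)) {
        throw new InvalidArgumentException('weburl must be an http(s) URL');
    }
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $token) !== 1) {
        throw new InvalidArgumentException('token contains unexpected characters');
    }
}

// Layer 2: never build PHP source by concatenation. var_export() emits a
// quoted literal, so the values stay data whatever characters they hold.
function render_ping_config(string $weburl, string $token): string
{
    $settings = ['weburl' => $weburl, 'token' => $token];
    return "<?php\nreturn " . var_export($settings, true) . ";\n";
}

// Constructed sample values; the token holds quote and backslash characters.
$weburl = 'https://example.test/';
$token  = "abc\"'\\def";

try {
    validate_ping_settings($weburl, $token);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Even with validation skipped, the rendered file round-trips as plain data.
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, render_ping_config($weburl, $token), LOCK_EX);
$loaded = include $path;
unlink($path);
var_dump($loaded === ['weburl' => $weburl, 'token' => $token]);
```

Storing such settings in a non-executable format (JSON or a database row) removes the need to write PHP files from request data at all.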
Verify
Access /data/admin/ping.php; the command executes successfully.