CVE-2022-43256: SeaCms <= v12.6 /js/player/dmplayer/dmku/index.php has Unauthorized Sql Injection · Issue #23 · seacms-com/seacms
SeaCms before v12.6 was discovered to contain a SQL injection vulnerability via the component /js/player/dmplayer/dmku/index.php.
This file performs no authentication or permission check before handling the request.
http://xxx.com/js/player/dmplayer/dmku/index.php
At line 50, the parameter "ac" is read from the GET request; when its value is "so", the search branch is entered and the parameter "key" is passed, without any filtering, into the function 搜索弹幕.
In the function "搜索弹幕", the parameter "key" is likewise passed into "搜索_弹幕池" without any filtering.
In the function "搜索_弹幕池", "key" is concatenated directly into the SQL query string, which results in SQL injection.
poc:
http://xxx.com/js/player/dmplayer/dmku/index.php?ac=so&key=1%27%20union%20select%20null,null,null,null,null,name,null,null,null,password%20from%20sea_admin%20where%20id=1–%20-
Sqlmap:
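The fix a maintainer would apply to the ac=so search path described above, as an added example that is not SeaCms code: the unfiltered concatenation the report describes is shown beside a hardened handler that validates "key" and binds it as a query parameter. Table and column names (sea_danmaku, keyword, text), the connection details, and the allow-list pattern are assumptions.

```php
<?php
// Added example, not SeaCms code: hardened handling of the ac=so "search
// danmaku" path. Table/column names and the DSN below are assumptions.
declare(strict_types=1);

// Assumed PDO connection; emulated prepares are disabled so the MySQL driver
// binds values server-side instead of interpolating them into the SQL text.
function db(): PDO {
    $pdo = new PDO('mysql:host=127.0.0.1;dbname=seacms;charset=utf8mb4', 'user', 'pass');
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// The pattern the report describes (for contrast only): the raw GET value is
// spliced straight into the query string, so it is interpreted as SQL.
function search_pool_vulnerable(PDO $pdo, string $key): array {
    $sql = "SELECT id, text FROM sea_danmaku WHERE keyword = '" . $key . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the value is bound as a parameter and is always data, never SQL.
function search_pool(PDO $pdo, string $key): array {
    $stmt = $pdo->prepare('SELECT id, text FROM sea_danmaku WHERE keyword = :key');
    $stmt->execute([':key' => $key]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Validation in front of the query: the endpoint is reachable without
// authentication, so anything that does not look like a search key is
// rejected before it reaches the database layer at all.
function validate_key(?string $key): ?string {
    if ($key === null || $key === '' || mb_strlen($key) > 64) {
        return null;
    }
    // Assumed allow-list: letters (including CJK), digits, space, underscore.
    return preg_match('/^[\p{L}\p{N} _]+$/u', $key) === 1 ? $key : null;
}

if (($_GET['ac'] ?? '') === 'so') {
    $key = validate_key($_GET['key'] ?? null);
    if ($key === null) {
        http_response_code(400);
        exit('invalid key');
    }
    header('Content-Type: application/json');
    echo json_encode(search_pool(db(), $key), JSON_UNESCAPED_UNICODE);
}
```

The prepared statement alone closes the injection; the allow-list is defence in depth that also makes probes such as a quote followed by "union select" easy to spot in web server logs as 400 responses on this path.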