SeaCMS
cpe:2.3:a:seacms:seacms:*:*:*:*:*:*:*
- 12.9
A SQL injection vulnerability has been identified in SeaCMS version 12.9. This vulnerability allows remote attackers to access sensitive information by exploiting the admin_datarelate.php component. The issue arises because user-supplied data is used in SQL queries without proper sanitization, creating an opportunity for injection attacks.
This is an authenticated SQL injection: an authenticated attacker can manipulate SQL queries to access or modify database information.
To reproduce this vulnerability, send a POST request to the admin_datarelate.php file with an 'sql' parameter containing the crafted SQL payload. The injection can be verified with a time-based payload, for example one that includes 'sleep(5)': a response delayed by five seconds indicates successful exploitation.
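For defenders, the delayed response described above is also a detection signal. The following added example (not part of the original advisory or of SeaCMS) triages web access logs for POST requests to admin_datarelate.php; the log layout (nginx combined format with $request_time appended), the /adm1n/ path and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumed log layout: nginx "combined" format with $request_time appended.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<rt>\d+(?:\.\d+)?)$'
)

TARGET = "admin_datarelate.php"  # component named in the advisory
DELAY_SECONDS = 5.0              # assumption: threshold matching a 5 s delay


def triage(lines, delay=DELAY_SECONDS):
    """Return POSTs to the affected component, tagged by response time."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # line does not fit the assumed format
        path = m["uri"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST" or not path.lower().endswith("/" + TARGET):
            continue
        rt = float(m["rt"])
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "uri": m["uri"],
            "request_time": rt,
            # Slow answers from this endpoint deserve a closer look first.
            "verdict": "delayed-response" if rt >= delay else "review",
        })
    return findings


# Constructed sample lines (documentation IP ranges, hypothetical admin path).
SAMPLE = [
    '198.51.100.7 - - [12/Mar/2024:10:01:02 +0000] "POST /adm1n/admin_datarelate.php HTTP/1.1" 200 512 "-" "curl/8.0" 5.213',
    '203.0.113.20 - - [12/Mar/2024:10:03:40 +0000] "POST /adm1n/admin_datarelate.php HTTP/1.1" 200 498 "-" "Mozilla/5.0" 0.084',
    '203.0.113.20 - - [12/Mar/2024:10:03:41 +0000] "GET /adm1n/admin_datarelate.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0.031',
    '192.0.2.44 - - [12/Mar/2024:10:05:00 +0000] "POST /index.php HTTP/1.1" 200 100 "-" "Mozilla/5.0" 6.500',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["verdict"], hit["ip"], hit["time"], hit["request_time"])
```

Access logs normally do not record POST bodies, so a hit here is a lead to correlate with admin session and database logs rather than proof of injection.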