SeaCMS
cpe:2.3:a:seacms:seacms:*:*:*:*:*:*:*
- <= 13.3
A critical SQL injection vulnerability has been identified in SeaCMS versions prior to 13.3, specifically within the danmaku (bullet screen) system module. The issue arises in the 'js/player/dmplayer/dmku/class/mysqli.class.php' file, where the 'page' and 'limit' parameters are taken directly from user input and concatenated into an SQL query without sanitization or parameterization. Although the application attempts to use prepared statements, the query string is assembled from the raw input before it is prepared, so the prepared statement offers no protection. This flaw allows remote exploitation with no authentication required.
Exploitation of this vulnerability allows for SQL injection, which can be leveraged to execute arbitrary code on the server. The SQL injection can be exploited using the INTO OUTFILE clause to write a web shell to a location accessible via the web, leading to a complete compromise of the server.
To reproduce this vulnerability, send a GET request to the 'js/player/dmplayer/dmku/index.php' endpoint with the 'ac' parameter set to 'list', and include a crafted 'limit' parameter that exploits the SQL injection vulnerability. The injected SQL payload can be crafted to write a file containing a web shell to a directory that is accessible via the web.
Disable the danmaku feature until a patch is applied. Review the code to add input validation for the 'page' and 'limit' parameters, ensuring they are sanitized before being used in SQL queries. After applying these changes, monitor the application for any signs of exploitation.
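The vulnerable pattern the advisory describes, beside a hardened version that validates the pagination input and binds it as integer parameters; this is an added example, not SeaCMS's own code, and the table and column names ('danmaku', 'id', 'text') are assumed.

```php
<?php
declare(strict_types=1);

// Added example, not SeaCMS code. Table/column names are assumed; only the
// handling of the 'page' and 'limit' request parameters is the point.

/**
 * Vulnerable pattern described in the advisory: the request values are spliced
 * into the SQL text first, so the prepare() that follows protects nothing.
 */
function listDanmakuUnsafe(mysqli $db, array $query): array
{
    $page  = $query['page']  ?? '1';
    $limit = $query['limit'] ?? '20';
    $sql   = "SELECT id, text FROM danmaku ORDER BY id DESC LIMIT $page, $limit";
    $stmt  = $db->prepare($sql);          // too late: whatever was injected is already in $sql
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

/**
 * Validate pagination input: both values must be positive integers and the
 * page size is bounded. Returns [offset, limit] as native ints or throws.
 */
function paginationFromQuery(array $query, int $maxLimit = 100): array
{
    $page  = filter_var($query['page']  ?? 1,  FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1]]);
    $limit = filter_var($query['limit'] ?? 20, FILTER_VALIDATE_INT,
                        ['options' => ['min_range' => 1, 'max_range' => $maxLimit]]);
    if ($page === false || $limit === false) {
        throw new InvalidArgumentException('page and limit must be positive integers');
    }
    return [($page - 1) * $limit, $limit];
}

/**
 * Hardened form: the SQL text is a constant and the integers are bound as
 * parameters, so no request value can ever become part of the query syntax.
 */
function listDanmakuSafe(mysqli $db, array $query): array
{
    [$offset, $limit] = paginationFromQuery($query);
    $stmt = $db->prepare('SELECT id, text FROM danmaku ORDER BY id DESC LIMIT ?, ?');
    $stmt->bind_param('ii', $offset, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() requires the mysqlnd driver
}
```

Independently of the code fix, running the application's database account without the MySQL FILE privilege (and with secure_file_priv set) blocks the INTO OUTFILE write the advisory describes, even if the injection itself remains.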