SeedDMS 5.1.22 Exploit

Anatomy of the Exploit (Proof of Concept)

Historically, the primary high-severity threat to platforms like SeedDMS has been the mishandling of file extensions during document ingest. The attack follows a fixed pattern:

1. The attacker uploads a malicious PHP script disguised as a document.
2. The attacker determines the on-disk path of the uploaded document. The path is often predictable, either because the storage layout follows a fixed folder structure or because the document ID used in the path is exposed by the application.
3. The attacker sends an HTTP request for that path. If the web server serves the storage location and hands .php files to the PHP interpreter, the script runs and executes commands on the underlying server.
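The ingest check that closes step 1 of the pattern above, as an added example written for this page (it is not SeedDMS code and does not reproduce how SeedDMS names or stores files). The allowlist, the executable-extension set and the sample uploads are constructed assumptions; the point is that a filename is judged on every extension it carries, not only the last one, and that the body is sniffed for a PHP open tag regardless of the name.

```python
import re
from pathlib import PurePosixPath

# Assumed deployment allowlist of document types; adjust to what the DMS is expected to hold.
ALLOWED_EXTENSIONS = {"pdf", "txt", "odt", "docx", "xlsx", "png", "jpg", "jpeg"}

# Extensions that common PHP server configurations will execute. Rejected anywhere in the
# filename, not just at the end, so "shell.php.pdf" is caught as well as "shell.php".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps"}

# A PHP open tag anywhere in the body catches a script uploaded under an allowlisted name.
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def validate_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Decide whether an uploaded file may enter the document store.

    Returns (accepted, reason). Three independent checks, any of which rejects:
      1. an executable extension anywhere in the name (double-extension trick),
      2. a final extension outside the allowlist (or no extension at all),
      3. a PHP open tag in the content, whatever the name claims.
    """
    # Judge only the basename, so "../../shell.php" is judged as "shell.php".
    name = PurePosixPath(filename.replace("\\", "/")).name.lower()
    parts = name.split(".")
    extensions = [p for p in parts[1:] if p]  # "a.php.pdf" -> ["php", "pdf"]
    if not extensions:
        return False, "missing file extension"
    hit = [e for e in extensions if e in EXECUTABLE_EXTENSIONS]
    if hit:
        return False, f"executable extension in filename: .{hit[0]}"
    if extensions[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension not allowlisted: .{extensions[-1]}"
    if PHP_OPEN_TAG.search(content):
        return False, "PHP open tag found in file content"
    return True, "accepted"


# Constructed sample uploads (not captured SeedDMS traffic).
SAMPLES = [
    ("report.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj ..."),
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.pdf", b"%PDF-1.4 not really"),
    ("Notes.PHTML", b"<?= shell_exec($_POST['c']) ?>"),
    ("invoice.pdf", b"<?php echo 'hidden under an allowlisted name'; ?>"),
]

if __name__ == "__main__":
    for fname, body in SAMPLES:
        ok, why = validate_upload(fname, body)
        print(f"{'ACCEPT' if ok else 'REJECT':6} {fname:16} {why}")
```

The content sniff is what matters against a disguised script: an extension allowlist alone passes "invoice.pdf" even when the body is PHP. Storing accepted files under a server-generated name outside the web root removes the execution step entirely, whatever the filter misses.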

SeedDMS version 6.0.15 contains a SQL injection vulnerability. Although 5.1.22 is on a different branch, SQL injection flaws have been found in other versions of SeedDMS, and 5.1.22 may be affected depending on configuration. SQL injection arises when user-supplied input is concatenated directly into SQL queries without proper parameterization. An attacker can craft input that alters the query structure, allowing them to extract, modify, or delete database content.

Affected components: op.AddEvent (AddEvent.php) and Log Management (out.LogManagement.php). Vulnerable parameters: the name and comment fields.
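How a concatenated name field turns into a database dump or a login bypass, and what the parameterized fix does to the same payload, as an added example written for this page. The schema, the hash value and the two query shapes are constructed stand-ins (SQLite in memory, not the SeedDMS tables or its database layer); the injection mechanics are the same in MySQL or PostgreSQL.

```python
import sqlite3

# Constructed, illustrative schema standing in for the real tables (not reproduced here).
ADMIN_HASH = "$2y$10$constructed.not.a.real.hash"


def make_db() -> sqlite3.Connection:
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pwd TEXT)")
    con.execute("CREATE TABLE events (id INTEGER PRIMARY KEY, name TEXT, comment TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    con.execute("INSERT INTO events VALUES (1, 'Release meeting', 'Quarterly planning')")
    return con


def find_events_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # VULNERABLE: the request field is spliced into the statement text, so quotes
    # and keywords inside it become part of the query structure.
    sql = "SELECT id, name, comment FROM events WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def find_events_safe(con: sqlite3.Connection, name: str) -> list:
    # FIXED: a bound parameter is always one string literal; the driver never
    # interprets it as SQL, so the same payload simply matches no event name.
    return con.execute("SELECT id, name, comment FROM events WHERE name = ?", (name,)).fetchall()


def login_vulnerable(con: sqlite3.Connection, login: str, pwd_hash: str) -> bool:
    # VULNERABLE: "admin' -- " closes the string and comments out the password clause.
    sql = f"SELECT id FROM users WHERE login = '{login}' AND pwd = '{pwd_hash}'"
    return con.execute(sql).fetchone() is not None


def login_safe(con: sqlite3.Connection, login: str, pwd_hash: str) -> bool:
    # FIXED: both values bound; the comment sequence is just part of a login name.
    row = con.execute("SELECT id FROM users WHERE login = ? AND pwd = ?", (login, pwd_hash)).fetchone()
    return row is not None


# Payload for the name field: closes the string, UNIONs the users table onto the result
# (column counts must match, 3 and 3) and comments out the trailing quote.
UNION_PAYLOAD = "x' UNION SELECT id, login, pwd FROM users -- "
BYPASS_LOGIN = "admin' -- "

if __name__ == "__main__":
    con = make_db()
    print("legit name, vulnerable:", find_events_vulnerable(con, "Release meeting"))
    print("payload, vulnerable:   ", find_events_vulnerable(con, UNION_PAYLOAD))
    print("payload, safe:         ", find_events_safe(con, UNION_PAYLOAD))
    print("bypass, vulnerable:    ", login_vulnerable(con, BYPASS_LOGIN, "wrong"))
    print("bypass, safe:          ", login_safe(con, BYPASS_LOGIN, "wrong"))
```

The UNION payload is the "dump hashed passwords" case; the login payload is the "bypass authentication" case. Escaping the input would block these two strings but not the next encoding trick, which is why the fix is binding, not filtering.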

Steps to Reproduce

1. Open a netcat listener on the attacking host: nc -lnvp 4444
2. Open a SeedDMS module zip file. In the module's config.php file, ...

Reference: CVE-2018-12940 (NVD).

Note: SeedDMS never stores legitimate PHP files in its document storage directory, so any .php file found there is an indicator of compromise.
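The response-side check that follows from that note, as an added example written for this page: walk the document store and report anything that is PHP by extension or by content. It is not SeedDMS code; the document-id folder layout and the sample files are constructed assumptions used only to exercise the scanner.

```python
import os
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar", ".phps"}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)


def scan_data_dir(root: str) -> list[tuple[str, str]]:
    """Walk the document store and return (relative_path, reason) for every suspicious file.

    Two signals: a PHP extension (legitimate documents never carry one here), and a PHP
    open tag in the content, which catches a script stored under a document-looking name.
    """
    findings = []
    root_path = Path(root)
    for dirpath, _dirs, files in os.walk(root_path):
        for fname in files:
            p = Path(dirpath) / fname
            rel = p.relative_to(root_path).as_posix()
            if p.suffix.lower() in PHP_EXTENSIONS:
                findings.append((rel, "php extension in document store"))
                continue
            # Whole-file read: a tag can sit anywhere, e.g. appended after a valid PDF trailer.
            if PHP_OPEN_TAG.search(p.read_bytes()):
                findings.append((rel, "php open tag in content"))
    return sorted(findings)


def build_sample_store(root: str) -> None:
    """Constructed sample layout (one folder per document id), not a real data directory."""
    samples = {
        "1/1.pdf": b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n",
        "2/1.php": b"<?php system($_GET['c']); ?>",
        "3/1.pdf": b"%PDF-1.4\n%%EOF\n<?php eval($_POST['x']); ?>",
        "4/1.txt": b"meeting notes, nothing to see",
    }
    for rel, body in samples.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)


def demo_scan() -> list[tuple[str, str]]:
    """Build the sample store in a temporary directory, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_store(tmp)
        return scan_data_dir(tmp)


if __name__ == "__main__":
    for rel, reason in demo_scan():
        print(f"{rel}: {reason}")
```

Run it against the real store with scan_data_dir("/path/to/data") and preserve modification times before touching anything: the mtime of a flagged file is the upload time, which is the pivot for the access-log search.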

Before attempting any of the above, confirm the target's version; the version page can be queried with curl:

curl -s http://192.168.1.100/seeddms51/out/out.Version.php | grep "Version"

Mitigation: Implement comprehensive input validation and output encoding to prevent XSS and SQL injection attacks. Use parameterized queries for all database interactions.

Technical Analysis of the SeedDMS Exploitation (CVE-2019-12744)

Shell upgrade: once the reverse shell connects back to the netcat listener, use Python to spawn an interactive PTY for better control: python3 -c 'import pty; pty.spawn("/bin/bash")'

After gaining authenticated access to the SeedDMS instance, attackers can leverage several exploitation vectors.

Affected versions: 5.1.22 and below (specifically within the 5.1.x branch).
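Turning the curl version check and the affected range above into a repeatable test, as an added example written for this page rather than taken from SeedDMS or the original text. The markup of out.Version.php is not reproduced; the sample page is a constructed assumption that only preserves the fact that a "Version" label precedes the number. The range test is branch-bound on purpose: "5.1.22 and below within 5.1.x" excludes 5.0.x and 6.0.x.

```python
import re
import urllib.request

# Constructed stand-in for the HTML of out/out.Version.php (assumption, not real markup).
SAMPLE_VERSION_PAGE = """
<html><body><table>
<tr><td>Version</td><td>5.1.22</td></tr>
<tr><td>Database</td><td>MySQL</td></tr>
</table></body></html>
"""

# First x.y.z after the word "Version", tolerating tags and whitespace between them.
VERSION_RE = re.compile(r"Version\b.*?(\d+)\.(\d+)\.(\d+)", re.IGNORECASE | re.DOTALL)


def parse_version(page: str):
    """Return the version as an (x, y, z) tuple, or None if no version is present."""
    m = VERSION_RE.search(page)
    return tuple(int(g) for g in m.groups()) if m else None


def in_affected_range(version, last_affected=(5, 1, 22)) -> bool:
    """True when version is on the same major.minor branch as last_affected and not newer."""
    return version[:2] == last_affected[:2] and version <= last_affected


def fetch_version(base_url: str, timeout: float = 5.0):
    """Fetch <base_url>/out/out.Version.php and parse it (network; not used by the demo)."""
    url = base_url.rstrip("/") + "/out/out.Version.php"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return parse_version(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    v = parse_version(SAMPLE_VERSION_PAGE)
    print("parsed:", v, "affected:", in_affected_range(v))
```

Tuple comparison is what makes this correct: comparing "5.1.9" and "5.1.22" as strings puts 5.1.9 after 5.1.22, which would wrongly clear an affected host.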

Attackers can exploit SQL injection vulnerabilities in parameter handling to bypass authentication or dump database content, including hashed user passwords.

Attack Scenario: Step-by-Step