| 제목 | EyouCMS 1.7.6 Command Injection |
|---|
| 설명 | EyouCMS version 1.7.6 contains a SQL Injection vulnerability in the backend template management functionality that leads to Remote Code Execution. The file manager implements incomplete input validation that only blocks {eyou:php} template tags while allowing {eyou:sql} tags. The {eyou:sql} tag handler executes arbitrary SQL queries with minimal restrictions (only blocking DELETE and TRUNCATE). By using MySQL INTO OUTFILE, an authenticated administrator can write malicious PHP files to the webroot, achieving remote code execution. |
|---|
| 원천 | ⚠️ https://note-hxlab.wetolink.com/share/XfINjg5i25Ud |
|---|
| 사용자 | yu22x (UID 34832) |
|---|
| 제출 | 2025. 12. 16. AM 02:20 (4 개월 ago) |
|---|
| 모더레이션 | 2025. 12. 27. PM 12:24 (11 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 338521 [EyouCMS 까지 1.7.6 Backend Template Management FilemanagerLogic.php content SQL 주입] |
|---|
| 포인트들 | 20 |
|---|