| 제목 | GitHub eyoucms v1.7.1 SQL Injection |
|---|
| 설명 | 1. Vulnerability Introduction
github:https://github.com/weng-xianhu/eyoucms
-System Name: EyouCMS
-System version: v1.7.1
-Vulnerability triggers routing:/index. php? s=/home/Ask/ajax_show_comment
-Control parameter: click_ike
-Harm: SQL injection, attackers can extract sensitive information such as administrator account passwords from the database by passing in malicious SQL statements
2. Vulnerability Analysis
Vulnerable File (Model layer): application/home/model/Ask.php
The GetAskReplyData method accepts the $param['click_like'] parameter, only checks whether the parameter is empty, and if not empty, directly concatenates it into the ORDER BY clause, then calls ->order() to execute the raw SQL:
$OrderBy = !empty($param['click_like'])
? 'a.click_like ' . $param['click_like'] . ', a.add_time asc'
: 'a.add_time asc';
->order($OrderBy)
Vulnerable Trigger File (Controller layer): application/home/controller/Ask.php
In the ajax_show_comment method, the route /home/Ask/ajax_show_comment accepts all parameters via input('param.') and directly passes them into the GetAskReplyData method without any filtering or validation, resulting in SQL injection:
public function ajax_show_comment()
{
if (IS_AJAX_POST) {
$param = input('param.'); // No filtering
$Comment = $this->AskModel->GetAskReplyData($param, $this->parent_id);
}
}
3. Vulnerability reproduction
https://github.com/dijia4712/picx-images-hosting/raw/master/2.pfzdxyl20.webp |
|---|
| 원천 | ⚠️ https://github.com/weng-xianhu/eyoucms/issues/68 |
|---|
| 사용자 | dijia1234 (UID 98657) |
|---|
| 제출 | 2026. 05. 31. PM 05:56 (1 월 ago) |
|---|
| 모더레이션 | 2026. 06. 28. PM 08:27 (28 days later) |
|---|
| 상태 | 중복 |
|---|
| VulDB 항목 | 374577 [weng-xianhu EyouCMS 까지 1.7.1 API /index.php click_like SQL 주입] |
|---|
| 포인트들 | 0 |
|---|