EyouCMS SQL Injection Vulnerability in Backend Template Management Leading to Remote Code Execution

A SQL injection vulnerability has been identified in EyouCMS versions through 1.7.6, specifically within the backend template management component. The issue arises in the file FilemanagerLogic.php, where the input validation for the 'content' argument is inadequate. This flaw allows the execution of arbitrary SQL queries via the {eyou:sql} template tag, which is not properly sanitized before being processed. The vulnerability can be exploited remotely by authenticated administrators, potentially leading to unauthorized access and manipulation of the database.

Impact

Exploitation of this vulnerability allows for SQL injection, which can be used to execute arbitrary SQL commands, potentially leading to unauthorized data access or modification. In this case, the vulnerability is chained to allow remote code execution by writing a web shell to the server via the MySQL INTO OUTFILE command.

Reproduction

To reproduce this vulnerability, an authenticated administrator must log into the EyouCMS backend and navigate to the template management section. Once there, a new template file can be created that includes a SQL injection payload using the {eyou:sql} tag. After the template is saved, it can be included in a standard template file, which will trigger the SQL injection when the page is accessed. This injection can be used to write a PHP web shell to the server, which can then be accessed and used to execute commands on the server.