MuuCMF T6 SQL Injection Vulnerability in Search Controller Allowing Database Compromise and Potential Remote Code Execution

Vulnerability

A SQL injection vulnerability has been identified in MuuCMF T6 version 1.9.4.20260115. It allows an unauthenticated attacker to inject malicious SQL commands through the keyword parameter handled by the Search controller (/index/controller/Search.php). Exploitation could lead to unauthorized access to the entire database, administrative privileges, and potentially remote code execution by writing malicious files to the server via the compromised database.

Impact

Exploitation of this vulnerability could result in a complete database compromise, unauthorized administrative access, and potentially allow for remote code execution by writing malicious files to the server's file system.

Reproduction

The vulnerability can be reproduced by sending a crafted SQL injection payload through the keyword parameter of the /index/Search/index.html endpoint. The injection takes advantage of the 'whereRaw' function, which allows for raw SQL clauses to be inserted, bypassing normal query sanitization. After injecting the SQL payload, the server's response can be observed for signs of successful exploitation, such as delayed response times indicating the injection was processed.
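
The raw-clause weakness described above and its fix, as an added example that is not MuuCMF's code: plain PDO with an in-memory SQLite database stands in for the application's query builder, and the table, column and function names are hypothetical. The inputs are constructed, ordinary strings that happen to contain SQL metacharacters.

```php
<?php
// Added example: in-memory SQLite via PDO stands in for the CMS database.
// Table, column and function names are hypothetical, not MuuCMF's.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO articles (title) VALUES
    ('O''Reilly book review'), ('100% cotton'), ('Release notes')");

// Unsafe pattern: the keyword becomes part of the SQL text, so a quote in
// the input changes the structure of the statement.
function searchRaw(PDO $db, string $keyword): array
{
    $sql = "SELECT title FROM articles WHERE title LIKE '%" . $keyword . "%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened pattern: fixed SQL text, keyword bound as data, LIKE wildcards
// escaped so % and _ in the input match literally.
function searchBound(PDO $db, string $keyword): array
{
    $escaped = addcslashes($keyword, '_%\\');
    $stmt = $db->prepare(
        "SELECT title FROM articles WHERE title LIKE :kw ESCAPE '\\'"
    );
    $stmt->execute([':kw' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: ordinary text containing SQL metacharacters.
foreach (["O'Reilly", '100%', 'notes'] as $kw) {
    try {
        $raw = json_encode(searchRaw($db, $kw));
    } catch (PDOException $e) {
        $raw = 'SQL error (input altered the statement)';
    }
    printf("%-10s raw=%s bound=%s\n", $kw, $raw, json_encode(searchBound($db, $kw)));
}
```

With a query builder, the equivalent fix is to pass the keyword through the builder's parameter binding instead of concatenating it into the raw clause.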

Added: May 11, 2026, 6:45 PM
Updated: May 11, 2026, 6:45 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 8.7
remediation: 0.0
relevance: 8.0
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.