SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php #6005

Closed as not planned
@tuando243

Description

SQL Injection vulnerability in ChurchCRM 4.4.5 via /churchcrm/WhyCameEditor.php.

Steps to exploit:

  1. Login as admin.

  2. Redirect to profile page and click on Edit "Why Came" Notes.

  3. Submit "Why Came" notes and capture request in Burp Suite.

  4. Save request to churchcrm.txt file and run sqlmap for injecting the PersonID parameter: sqlmap -r churchcrm.txt -p PersonID
