Security Bug: SQL injections on Fundraiser Reports #6856

Closed
@0xIapetus

Description

If you have the ChurchCRM software running, please file an issue using the Report an issue in the help menu.

On what page in the application did you find this issue?

/Reports/FRCertificates.php
/Reports/FRBidSheets.php
/Reports/FRCatalog.php

On what type of server is this running? Dedicated / Shared hosting? Linux / Windows?
Linux

What browser (and version) are you running?
Firefox

What version of PHP is the server running?
8.3.2

What version of SQL Server are you running?
11.2.2

What version of ChurchCRM are you running?
5.5.0

Severity: high

Credits :
Georgios Bitounis

Description:

SQL injection vulnerability in ChurchCRM v.5.5.0 allows a remote attacker to obtain sensitive information via the CurrentFundraiser GET parameter within the /FRCertificates.php.

SQL injection vulnerability in ChurchCRM v.5.5.0 allows a remote attacker to obtain sensitive information via the CurrentFundraiser GET parameter within the /FRBidSheets.php.

SQL injection vulnerability in ChurchCRM v.5.5.0 allows a remote attacker to obtain sensitive information via the CurrentFundraiser GET parameter within the /FRCatalog.php.

These are considered 3 different bugs as they come from different pages, but I will report all of them in this issue. Pictures will be provided only for the first one, as there is no reason to repeat the same thing; the exploitation is similar.

Step 1: Go to Create New Fund Raiser, create one with whatever attributes you want, and save.
Step 2: You will automatically be redirected to the next page. While capturing with Burp Suite, click the Generate Certificates button, the Bid Sheets button, or the Generate Catalog button.
Step 3: In Burp Suite, right-click on the request and choose Save item.
Step 4: sqlmap -r Event_Attendance_sql_url.txt
Step 5: sqlmap -r Event_Attendance_sql_url --dump

[Screenshots: create_new_fund_raiser, generate_certificate, save_burp, dump, sqlmap_vulnerable]

Impact:
SQL injection attacks allow attackers to spoof identity, tamper with existing data, cause repudiation issues such as voiding transactions or changing balances, allow the complete disclosure of all data on the system, destroy the data or make it otherwise unavailable, and become administrators of the database server.

Affected Component:
/Reports/FRCertificates.php?CurrentFundraiser=1
/Reports/FRBidSheets.php?CurrentFundraiser=1
/Reports/FRCatalog.php?CurrentFundraiser=1

Technical Details:
The vulnerability is caused by the failure of the backend to effectively validate user input. An attacker can insert malicious SQL code and dump the database, allowing the attacker to steal sensitive information and do all the other nefarious things.

Proof of Concept (PoC):

Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: CurrentFundraiser=1 AND 3708=3708

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: CurrentFundraiser=1 AND (SELECT 8500 FROM (SELECT(SLEEP(5)))rBNe)

Remediation:

1. Input validation: The simplest approach is prepared statements; all user input should be validated and filtered on the server side to ensure that it conforms to the expected format and does not contain any malicious code.
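The remediation in point 1, shown as an added example that is not ChurchCRM's code: the `fundraiser` table, its `fr_ID`/`fr_Title` columns and the `lookupUnsafe`/`lookupSafe` helpers are all constructed for this demo and do not reflect the project's schema. It runs against an in-memory SQLite database through PDO, so it can be executed offline, and it feeds both versions the boolean-based probe string from the PoC above to show why type validation plus parameter binding closes the hole while the concatenated query does not.

```php
<?php
// Added example, not ChurchCRM code. Table and column names are constructed for the demo.
declare(strict_types=1);

function makeDemoDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE fundraiser (fr_ID INTEGER PRIMARY KEY, fr_Title TEXT)');
    $pdo->exec("INSERT INTO fundraiser VALUES (1, 'Spring Auction'), (2, 'Fall Gala')");
    return $pdo;
}

// Vulnerable pattern: the raw request value is spliced into the SQL text, so anything
// after the number is parsed as part of the WHERE clause.
function lookupUnsafe(PDO $pdo, string $currentFundraiser): array {
    $sql = "SELECT fr_ID, fr_Title FROM fundraiser WHERE fr_ID = $currentFundraiser";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern: reject anything that is not a positive integer, then bind the value
// as a typed parameter so the database never sees it as SQL.
function lookupSafe(PDO $pdo, string $currentFundraiser): array {
    $id = filter_var($currentFundraiser, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('CurrentFundraiser must be a positive integer');
    }
    $stmt = $pdo->prepare('SELECT fr_ID, fr_Title FROM fundraiser WHERE fr_ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = makeDemoDb();

// Constructed inputs: a legitimate id and the boolean-based probe from the report.
$legitimate = '1';
$tampered   = '1 AND 3708=3708';

// The tampered string still returns rows here because the appended condition was
// evaluated as SQL; that is the signal sqlmap keys on.
var_dump(lookupUnsafe($pdo, $tampered));

// The hardened version refuses the tampered string before any query is built...
try {
    lookupSafe($pdo, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'Rejected: ', $e->getMessage(), PHP_EOL;
}

// ...and still serves the legitimate request.
var_dump(lookupSafe($pdo, $legitimate));
```

Run it with `php demo.php` on any PHP 8 build with the pdo_sqlite extension. The order of operations in `lookupSafe` is the point: validation narrows the input to the one type the column can hold, and binding with `PDO::PARAM_INT` means even a value that slipped past validation would be sent as data rather than spliced into the statement text.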
