Adding exploit for ChurchInfo 1.2.13-1.3.0 RCE (CVE-2021-43258) #17257
Conversation
This should cover all of the comments, thanks for the feedback. My most recent commit has also added a check to make sure the exploit was uploaded properly to the server. Previously it was attempting the upload then blindly trying to execute it.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools. We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit: You can automate most of these changes with the Please update your branch after these have been made, and reach out if you have any problems.
documentation/modules/exploit/multi/http/churchinfo_upload_exec.md
This will enable additional information and details about the exploit as it is launched. Verbose output will appear as similar to below:

```
msf6 exploit(multi/http/churchinfo_upload_exec) > run
```
Output should show setting up the various options and the output of show options so that we can see what settings you are running the exploit with. Important for maintenance down the line.
Added the show options as well
@m4lwhere Don't know if this was in a commit you didn't upload but I'm not seeing this in the latest edition of this code?
Force-pushed b649bde to 7667260
Looks great, a couple more ideas for adjustment that may make this code a bit simpler.
Implemented all of the latest comments, thank you for all of the info! I've run

Another idea for a check method is to grab

So another thing I noticed. This bug doesn't just exist in 1.3.0. It also exists in 1.2.14 and 1.2.13 from what I can tell. Versions prior to this did not have the

Added in a
Force-pushed 543b300 to c6376fd
Force-pushed c6376fd to 237eb90
Release Notes
A new module has been added for CVE-2021-43258 which exploits a flaw whereby, when emailing users in the ChurchInfo database with attachments, the uploaded file is hosted in a web accessible location under the ChurchInfo web root before the email is sent. An authenticated attacker can abuse this to gain RCE as the
ChurchInfo is a PHP application used to help churches manage systems and users, developed as an open-source project. There are various vulnerabilities in the ChurchInfo 1.3.0 software which can be exploited by an attacker; this module targets an authenticated remote code execution (RCE) vulnerability.

ChurchInfo 1.3.0 has functionality to email users from the database with attachments. When preparing the email, the attachment draft is saved in the `/churchinfo/tmp_attach/` folder. Before the email is sent, the file put into the attachment can be loaded in the application. RCE exists when uploading malicious PHP as an attachment. This vulnerability was assigned CVE-2021-43258.
Verification
List the steps needed to make sure this thing works
- Start `msfconsole`
- In `msfconsole`, use the `exploits/multi/http/churchinfo_upload_exec` module.
- Set the `RHOST`, `APPBASE`, `username`, and `password` values.

How it Works:
There is a draft email function within the application which allows users to upload attachments. Before the attachments are sent, they are stored in a directory named `/tmp_attach` as a direct file. This allows malicious PHP files to be uploaded and executed by the PHP engine used by the application.

Successful exploitation will appear with a similar output as below:

Manual Exploitation Steps:
- `SelectList.php` page and click the "Add to Cart" button
- `CartView.php` and click "Compose Email"
- `http://127.0.0.1/churchinfo/tmp_attach/exploit.php?cmd=pwd`

Please let me know if any additional information is needed, I've read through the contribution documentation and believe that I've been able to meet all requirements.
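As an added defender-side example (not code from this PR or from the Metasploit module), the Ruby script below checks for the condition the description above explains: a draft attachment written to the web-accessible tmp_attach directory and then requested over HTTP as a script. It has two checks, one over a directory listing of tmp_attach for PHP-executable file names, and one over web-server access-log lines for requests that fetch a PHP script under /churchinfo/tmp_attach/. The extension list, the Apache "combined" log format, the /churchinfo APPBASE prefix, and the sample file names and log lines are all constructed assumptions, not data from the page or a real host.

```ruby
# Added example, not part of the PR or the Metasploit module. Defender-side
# checks for the ChurchInfo tmp_attach behaviour: (1) flag attachment files
# whose extension the PHP engine would execute, (2) flag access-log requests
# that execute a script under /churchinfo/tmp_attach/.
# Assumptions: extension list, Apache combined log format, "/churchinfo" as
# APPBASE, and the constructed sample data at the bottom.

require 'uri'

# Extensions typically handled by the PHP engine (assumed list).
PHP_EXTENSIONS = %w[php php3 php4 php5 php7 phtml phar].freeze

# Directory named in the PR description; the "/churchinfo" prefix is assumed.
TMP_ATTACH_PREFIX = '/churchinfo/tmp_attach/'.freeze

# True when the file name (or URL path) ends in a PHP-executable extension.
def php_extension?(name)
  ext = File.extname(name).sub(/\A\./, '').downcase
  PHP_EXTENSIONS.include?(ext)
end

# Return the names from +entries+ that the PHP engine would execute.
# Takes an array so it can be tested without a file system; on a real host
# call it with Dir.children('/var/www/churchinfo/tmp_attach').
def php_attachments(entries)
  entries.select { |name| php_extension?(name) }
end

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /

# Parse one log line into a hash, or nil when it does not match the format.
def parse_log_line(line)
  m = LOG_RE.match(line)
  return nil unless m
  begin
    uri = URI.parse(m[:target])
  rescue URI::InvalidURIError
    return nil
  end
  {
    ip: m[:ip], time: m[:time], method: m[:method],
    path: uri.path, query: uri.query, status: m[:status].to_i
  }
end

# An attachment should only ever be read by the mailer, never requested as a
# script over HTTP, so any PHP request under tmp_attach is worth an alert.
def tmp_attach_script_requests(lines)
  lines.map { |line| parse_log_line(line) }.compact.select do |req|
    req[:path].start_with?(TMP_ATTACH_PREFIX) && php_extension?(req[:path])
  end
end

# Constructed sample data (not from a real host).
SAMPLE_ATTACHMENTS = %w[agenda.pdf newsletter.docx exploit.php notes.PHTML].freeze
SAMPLE_LOG = [
  '10.0.0.5 - - [10/Dec/2021:10:00:01 +0000] "GET /churchinfo/SelectList.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Dec/2021:10:00:07 +0000] "GET /churchinfo/CartView.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [10/Dec/2021:10:00:09 +0000] "GET /churchinfo/tmp_attach/exploit.php?cmd=pwd HTTP/1.1" 200 87 "-" "curl/7.74.0"',
  '10.0.0.9 - - [10/Dec/2021:10:01:00 +0000] "GET /churchinfo/tmp_attach/agenda.pdf HTTP/1.1" 200 44012 "-" "Mozilla/5.0"',
  'garbage line that does not parse'
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "PHP files in tmp_attach: #{php_attachments(SAMPLE_ATTACHMENTS).join(', ')}"
  tmp_attach_script_requests(SAMPLE_LOG).each do |r|
    puts "#{r[:time]} #{r[:ip]} #{r[:method]} #{r[:path]} query=#{r[:query].inspect} status=#{r[:status]}"
  end
end
```

Both checks key on the same fact the PR description states: files under tmp_attach are served directly by the web server, so the presence of a PHP-extension file there, or an HTTP request for one, is the signal to alert on. Denying script execution for that directory in the web-server configuration removes the condition the log check looks for.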