0ffa4d35c4
32 changes to exploits/shellcodes aSc TimeTables 2021.6.2 - Denial of Service (PoC) IDT PC Audio 1.0.6433.0 - 'STacSV' Unquoted Service Path Microsoft Windows - Win32k Elevation of Privilege Ksix Zigbee Devices - Playback Protection Bypass (PoC) Mitel mitel-cs018 - Call Data Information Disclosure Expense Management System - 'description' Stored Cross Site Scripting ILIAS Learning Management System 4.3 - SSRF Pharmacy Store Management System 1.0 - 'id' SQL Injection Under Construction Page with CPanel 1.0 - SQL injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - CSRF Student Result Management System 1.0 - Authentication Bypass SQL Injection EgavilanMedia User Registration & Login System with Admin Panel 1.0 - Stored Cross Site Scripting WonderCMS 3.1.3 - Authenticated SSRF to Remote Remote Code Execution WonderCMS 3.1.3 - Authenticated Remote Code Execution PRTG Network Monitor 20.4.63.1412 - 'maps' Stored XSS Online Voting System Project in PHP - 'username' Persistent Cross-Site Scripting NewsLister - Authenticated Persistent Cross-Site Scripting Bakeshop Online Ordering System 1.0 - 'Owner' Persistent Cross-site scripting Online News Portal System 1.0 - 'Title' Stored Cross Site Scripting Local Service Search Engine Management System 1.0 - SQLi Authentication Bypass WonderCMS 3.1.3 - 'Menu' Persistent Cross-Site Scripting Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Add Artwork Artworks Gallery 1.0 - Arbitrary File Upload RCE (Authenticated) via Edit Profile DotCMS 20.11 - Stored Cross-Site Scripting WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass ChurchCRM 4.2.0 - CSV/Formula Injection ChurchCRM 4.2.1 - Persistent Cross Site Scripting (XSS) Anuko Time Tracker 1.19.23.5311 - No rate Limit on Password Reset functionality Anuko Time Tracker 1.19.23.5311 - Password Reset leading to Account Takeover Simple College Website 1.0 - 'page' Local File Inclusion Car Rental Management System 1.0 - SQL Injection / Local File include WordPress Plugin Wp-FileManager 6.8 - RCE
22 lines
No EOL
893 B
Text
22 lines
No EOL
893 B
Text
#Exploit Title: ChurchCRM 4.2.1- CSV/Formula Injection
|
|
#Date: 2020- 10- 24
|
|
#Exploit Author: Mufaddal Masalawala
|
|
#Vendor Homepage: https://churchcrm.io/
|
|
#Software Link: https://github.com/ChurchCRM/CRM
|
|
#Version: 4.2.0
|
|
#Payload: =10+20+cmd|' /C calc'!A0
|
|
#Tested on: Kali Linux 2020.3
|
|
#Proof Of Concept:
|
|
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in
|
|
List Event Types feature in ChurchCRM v4.2.0 via Name field that is
|
|
mistreated while exporting to a CSV file.
|
|
To exploit this vulnerability:
|
|
|
|
1. Login to the application, goto 'Events' module and then "List Event
|
|
Types"
|
|
2. Edit any event and inject the payload =10+20+cmd|' /C calc'!A0 in the
|
|
'Name' field
|
|
3. Now goto 'List Event types' module and click CSV to download the CSV
|
|
file
|
|
4. Open the CSV file, allow all popups and our payload is executed
|
|
(calculator is opened). |