diff --git a/db/modules_metadata_base.json b/db/modules_metadata_base.json
index 75e55c5c3c..3a9572fea4 100644
--- a/db/modules_metadata_base.json
+++ b/db/modules_metadata_base.json
@@ -107281,16 +107281,17 @@
 "needs_cleanup": null
 },
 "exploit_multi/http/churchcrm_install_unauth_rce": {
- "name": "ChurchCRM Unauthenticated RCE 6.8.0",
+ "name": "ChurchCRM Unauthenticated RCE via Setup Page",
 "fullname": "exploit/multi/http/churchcrm_install_unauth_rce",
 "aliases": [],
- "rank": 300,
+ "rank": 600,
 "disclosure_date": "2025-12-17",
 "type": "exploit",
 "author": [
+ "Arthur Valverde (uartu0)",
 "LucasCsmt"
 ],
- "description": "This module exploits an unauthenticated remote code execution\n vulnerability in the installation process of ChurchCRM versions\n 6.8.0 and earlier. By sending a specially crafted POST request to\n the 'setup' page, an attacker can execute arbitrary commands on the\n target server. This module uploads a meterpreter payload to the\n target server and executes it, allowing for remote code execution.",
+ "description": "ChurchCRM <= 6.8.0 allows unauthenticated remote code execution via\n the setup page. The DB_PASSWORD field in the installation form is written\n directly into Include/Config.php without sanitization, allowing PHP code\n injection. The injected config file is then included on every request,\n triggering the payload. Note that the fix claimed in 5.21.0 only added\n a strlen check on the password field, leaving the injection intact.",
 "references": [
 "GHSA-m8jq-j3p9-2xf3",
 "CVE-2025-62521"
@@ -107316,9 +107317,9 @@
 "targets": [
 "Linux/unix Command (CmdStager)",
 "PHP (In-Memory)",
- "PHP (fetch)"
+ "PHP (Fetch)"
 ],
- "mod_time": "2026-02-13 14:42:07 +0000",
+ "mod_time": "2026-03-07 03:59:42 +0000",
 "path": "/modules/exploits/multi/http/churchcrm_install_unauth_rce.rb",
 "is_install_path": true,
 "ref_name": "multi/http/churchcrm_install_unauth_rce",