module
ChurchInfo 1.2.13-1.3.0 Authenticated RCE
| Disclosed | Created |
|---|---|
| Oct 30, 2021 | Nov 19, 2022 |
Disclosed
Oct 30, 2021
Created
Nov 19, 2022
Description
This module exploits the logic in the CartView.php page when crafting a draft email with an attachment.
By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the
ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and
then browsing to the location of the uploaded PHP file on the web server, arbitrary code
execution as the web daemon user (e.g. www-data) can be achieved.
By uploading an attachment for a draft email, the attachment will be placed in the /tmp_attach/ folder of the
ChurchInfo web server, which is accessible over the web by any user. By uploading a PHP attachment and
then browsing to the location of the uploaded PHP file on the web server, arbitrary code
execution as the web daemon user (e.g. www-data) can be achieved.
Author
m4lwhere [email protected]
Platform
PHP
Architectures
php
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.