Fix ChurchCRM unauthenticated RCE module #21078
- Upgrade rank to `ExcellentRanking`, prepend `AutoCheck`
- Add vulnerability discoverer Arthur Valverde (uartu0) to authors
- Fix GHSA reference format with repo parameter
- Replace `InitialAutoRunScript` with inline `unlink(__FILE__)` for PHP targets and post-staging `rm` for CmdStager target
- Randomize `DB_SERVER_PORT` and GET parameter name
- Simplify `check` method, extract `setup_uri`, DRY `build_config_payload`
- Remove redundant `register_options` for `TARGETURI`
Use a randomized variable name to store the file path instead of repeating the full path inline. Remove unnecessary spaces between PHP statements.
Is this part of update?
Yes, I can do a different PR if this is an issue, but I updated the example because apparently the GHSA format wasn't clear; there are two formats.
Pull request overview
This PR refactors the `churchcrm_install_unauth_rce` Metasploit module, improving reliability, code quality, and cleanup strategies for exploiting ChurchCRM <= 6.8.0 unauthenticated RCE via PHP code injection in the setup page's `DB_PASSWORD` field.
Changes:
- Replaces unreliable `InitialAutoRunScript`-based cleanup with inline `unlink(__FILE__)` for PHP targets and a direct `rm -f` command for the CmdStager target, upgrades rank to `ExcellentRanking`, and adds `AutoCheck`.
- Refactors the module code: extracts `setup_uri` helper, DRYs up payload building via `build_config_payload`, simplifies the `check` method with early returns, and randomizes the GET parameter name and `DB_SERVER_PORT`.
- Updates `Module-Reference-Identifiers.md` documentation to add GHSA examples (global and repository-scoped) and reformats the reference table.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| modules/exploits/multi/http/churchcrm_install_unauth_rce.rb | Refactored exploit module with improved cleanup, code quality, metadata, and reduced fingerprinting |
| docs/metasploit-framework.wiki/Module-Reference-Identifiers.md | Reformatted reference table, added GHSA (with repo scope), OSV, and ATT&CK reference examples |
## Release Notes

Adds multiple improvements to the
## Summary

Refactors the `churchcrm_install_unauth_rce` module with reliability and code quality fixes. All three targets (CmdStager, PHP In-Memory, PHP Fetch) tested and producing sessions against ChurchCRM 6.8.0.

## Changes

### Metadata

- `NormalRanking` to `ExcellentRanking` (reliable, no crash risk)
- `AutoCheck` to auto-run `check` before `exploit`
- Arthur Valverde (uartu0) to authors
- `['GHSA', 'm8jq-j3p9-2xf3', 'ChurchCRM/CRM']`

### Cleanup strategy

- `InitialAutoRunScript` from all targets - it was unreliable because it ran a shell command via meterpreter to delete Config.php, which could fail silently
- `unlink(__FILE__)` directly into the PHP payload prefix, so Config.php deletes itself during execution (file already loaded in memory)
- `rm -f Include/Config.php` as a final command after staging completes

### Code quality

- `setup_uri` helper (trailing slash required for 200 response with `CRM-VERSION` header)
- `DB_SERVER_PORT` and GET parameter name (`@cmd_param`) to reduce fingerprinting
- `check` method with early returns instead of nested if/else
- `build_config_payload` to DRY up common prefix/suffix across targets
- `register_options` (`TARGETURI` already provided by HttpClient)
- `on_request_uri` response

### Documentation

- `Module-Reference-Identifiers.md`

## Test plan

- `linux/x64/meterpreter/reverse_tcp` - session obtained
- `php/meterpreter/reverse_tcp` - session obtained
- `php/meterpreter/reverse_tcp` - session obtained
- `check` returns `Appears` with version on vulnerable target