CVE-2021-41661

9.8 CRITICAL

📋 TL;DR

Church Management System version 1.0 contains a critical SQL injection vulnerability that, chained with the application's avatar upload, lets an attacker store a PHP file in the uploads directory under the guise of an image. Requesting that file causes the web server to execute it, giving remote code execution. Any organization running this version is affected.

💻 Affected Systems

Products:
  • Church Management System
Versions: 1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Requires a web server with PHP support and write permission on the uploads directory

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete server compromise leading to data theft, ransomware deployment, or use as attack infrastructure

🟠 Likely Case

Webshell installation allowing persistent backdoor access and data exfiltration

🟢 If Mitigated

Limited impact with proper file upload restrictions and web server hardening

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public exploit script is available; it chains the SQL injection with the avatar upload to achieve RCE.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing workarounds.

🔧 Temporary Workarounds

Restrict file uploads (platform: all)

Block PHP file uploads and prevent execution of anything stored in the uploads directory

# .htaccess in the uploads directory (only honoured if AllowOverride permits it):
# Apache 2.4
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
# Apache 2.2: replace the Require line with
#     Order Deny,Allow
#     Deny from all
# nginx: scope the block to the uploads path (otherwise every PHP file on the site is blocked)
# and place it before the regular PHP handler location, since regex locations match in order:
location ~* ^/uploads/.*\.(php|phtml|phar) {
    deny all;
}

Implement file type validation (platform: all)

Validate file extensions and MIME types on upload, and check that the file content is actually an image
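The following is an added example, not code from the Church Management System project, showing what "validate extensions and MIME types" means in practice for an avatar upload handler. It is written in Python for illustration; the same three checks (extension allowlist, declared Content-Type, content magic bytes) and the random server-chosen filename apply unchanged in the application's own PHP upload code. The size cap and the function names are assumptions, not values from the advisory.

```python
import os
import secrets
from pathlib import Path
from typing import Optional

# Image types an avatar may be. Magic bytes are checked against the file
# content itself, never against the extension or Content-Type the client sent.
MAGIC = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
}
# Canonical extension per sniffed type; the stored name uses this, not the
# client's name, so "shell.php.jpg" can never become a .php file on disk.
EXT_FOR_TYPE = {"image/png": "png", "image/jpeg": "jpg", "image/gif": "gif"}
ALLOWED_EXTS = {"png", "jpg", "jpeg", "gif"}
MAX_BYTES = 2 * 1024 * 1024  # assumed avatar size cap, not a value from the advisory


class UploadRejected(ValueError):
    """Raised with a reason when an upload fails validation."""


def sniff_image_type(data: bytes) -> Optional[str]:
    """Return the MIME type implied by the leading bytes, or None if not an allowed image."""
    for mime, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return mime
    return None


def validate_avatar(client_name: str, client_mime: str, data: bytes) -> str:
    """Validate an uploaded avatar and return a safe filename to store it under.

    Three independent checks must agree: the client-supplied extension,
    the client-supplied Content-Type, and the actual file content.
    """
    if not data:
        raise UploadRejected("empty upload")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")

    # Only the final extension is consulted, lower-cased, against an allowlist.
    ext = Path(client_name).suffix.lower().lstrip(".")
    if ext not in ALLOWED_EXTS:
        raise UploadRejected(f"extension '{ext}' not allowed")
    if ext == "jpeg":
        ext = "jpg"

    sniffed = sniff_image_type(data)
    if sniffed is None:
        raise UploadRejected("content is not a PNG, JPEG or GIF")
    if client_mime.lower() != sniffed:
        raise UploadRejected(f"declared type {client_mime} does not match content {sniffed}")
    if EXT_FOR_TYPE[sniffed] != ext:
        raise UploadRejected(f"extension .{ext} does not match content {sniffed}")

    # Random name: the client never chooses the stored filename, and the
    # extension comes from the sniffed type, so the stored name cannot end in .php.
    return f"{secrets.token_hex(16)}.{EXT_FOR_TYPE[sniffed]}"


def upload_outcome(client_name: str, client_mime: str, data: bytes) -> str:
    """Convenience wrapper: 'accepted' or the rejection reason (handy for logging)."""
    try:
        validate_avatar(client_name, client_mime, data)
        return "accepted"
    except UploadRejected as exc:
        return f"rejected: {exc}"


def save_avatar(upload_dir: str, stored_name: str, data: bytes) -> str:
    """Write validated bytes with a non-executable mode; O_EXCL refuses to overwrite an existing file."""
    path = os.path.join(upload_dir, stored_name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o644)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path


if __name__ == "__main__":
    # Constructed sample inputs, not files from the advisory.
    png = b"\x89PNG\r\n\x1a\n" + bytes(16)
    print(upload_outcome("me.png", "image/png", png))
    print(upload_outcome("shell.php", "image/png", b"<?php echo 1;"))
    print(upload_outcome("shell.php.jpg", "image/jpeg", b"<?php echo 1;"))
```

Note the limit of content sniffing: a file that begins with a valid GIF header and carries PHP code after it passes `sniff_image_type`. That is why the random `.gif`/`.png`/`.jpg` name and the execution block on the uploads directory (the previous workaround) are needed as well; re-encoding the image with an image library before storing it removes such trailing payloads entirely.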

🧯 If You Can't Patch

  • Remove write permissions from uploads directory
  • Implement WAF rules to block SQL injection patterns

🔍 How to Verify

Check if Vulnerable:

Check if Church Management System version 1.0 is installed and accessible

Check Version:

Check application files for version information or consult documentation

Verify Fix Applied:

Attempt to upload a PHP file as an avatar and confirm that it is either rejected or, if it is stored, not executed when requested

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in logs
  • PHP file uploads to uploads directory
  • Unusual file execution patterns

Network Indicators:

  • POST requests with SQL injection patterns to user creation endpoints
  • Requests to uploaded PHP files in uploads directory

SIEM Query:

source="web_logs" AND (uri="/uploads/*.php*" OR message="*SQL syntax*")
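For teams without a SIEM, the three indicators above can be checked directly against raw web server and PHP error logs. The script below is an added example (not part of the advisory or the project) that parses Apache/nginx combined-format access log lines, flags requests for PHP files under /uploads/, flags injection-shaped query strings, and flags MySQL "SQL syntax" errors in non-access-log lines. The sample log lines are constructed, and the endpoint and file paths in them are illustrative assumptions; note that combined format records only the request line, so injection carried in a POST body is only visible through a WAF or application-level log.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" access-log line: client, timestamp, request line, status, size.
ACCESS_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions the PHP handler typically executes; a hit under /uploads/ is a finding on its own.
EXECUTABLE_EXTS = ("php", "phtml", "phar", "php5", "php7")

# Coarse SQL-injection heuristics, applied to the URL-decoded request target.
SQLI_RE = re.compile(
    r"""['"]\s*(?:or|and)\b              # quote followed by a boolean operator
      | \bunion\s+(?:all\s+)?select\b    # UNION-based probing
      | \b(?:sleep|benchmark)\s*\(       # time-based probing
      | '\s*(?:--|\#)                    # quote followed by a SQL comment
    """,
    re.IGNORECASE | re.VERBOSE,
)

# MySQL reports malformed injected queries with this phrase in PHP/app error logs.
SQL_ERROR_MARKER = "SQL syntax"

# Constructed sample lines; the endpoint and file paths are illustrative, not from the advisory.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Oct/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [12/Oct/2021:10:00:05 +0000] "POST /users/create.php?username=admin%27+OR+%271%27%3D%271 HTTP/1.1" 200 233',
    '203.0.113.5 - - [12/Oct/2021:10:00:09 +0000] "GET /uploads/avatar_1.jpg HTTP/1.1" 200 4096',
    '203.0.113.5 - - [12/Oct/2021:10:00:12 +0000] "GET /uploads/avatar_1.php HTTP/1.1" 200 88',
    "[12-Oct-2021 10:00:05 UTC] PHP Warning:  mysqli_query(): You have an error in your SQL syntax in /var/www/app/users.php on line 42",
]


def is_uploaded_php(target: str) -> bool:
    """True if the request path is under /uploads/ and names a PHP-executable file."""
    path = urlsplit(target).path.lower()
    if not path.startswith("/uploads/"):
        return False
    for ext in EXECUTABLE_EXTS:
        # Also catch PATH_INFO style requests such as /uploads/x.php/extra
        if path.endswith("." + ext) or ("." + ext + "/") in path:
            return True
    return False


def looks_like_sqli(target: str) -> bool:
    """True if the decoded request target contains an injection-shaped fragment."""
    return SQLI_RE.search(unquote_plus(target)) is not None


def analyze(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (rule, line) findings for the indicators the advisory lists."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        m = ACCESS_RE.match(line)
        if m is None:
            # Not an access-log line: treat as an application/PHP error log entry.
            if SQL_ERROR_MARKER in line:
                findings.append(("sql_error_in_log", line))
            continue
        target = m.group("target")
        if is_uploaded_php(target):
            findings.append(("request_to_uploaded_php", line))
        if looks_like_sqli(target):
            findings.append(("sqli_pattern_in_request", line))
    return findings


if __name__ == "__main__":
    for rule, line in analyze(SAMPLE_LOG):
        print(f"[{rule}] {line}")
```

A request for a PHP file under /uploads/ that returns 200 is the highest-value signal here: on a correctly hardened server (execution blocked, validation in place) such a request should never succeed, so any hit is worth an immediate look at the file and the surrounding upload activity.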
