Related vulnerability
Title:
CMS Made Simple SQL injection vulnerability
(CVE-2019-9053)
Description: CMS Made Simple (CMSMS) is an open-source content management system (CMS) from the CMSMS team. It supports role-based permission management, wizard-based installation and updates, smart caching, and more. CMSMS 2.2.8 contains a SQL injection vulnerability, which stems from the database-backed application failing to validate externally supplied input that is used in SQL statements. An attacker can exploit it to execute unauthorized SQL commands.
Introduction
# CTF, CVE-2019-9053, GTFOBins
I utilized the machines on https://tryhackme.com/ and my own ***Kali on WSL*** to do this exercise, which is part of the CTF challenge. The following information helped me solve the challenge:
- ***vim*** on https://gtfobins.github.io/gtfobins/vim/ and https://gtfobins.github.io/
- ***sudoers*** on https://help.ubuntu.com/community/Sudoers
- ***sudo*** on https://www.geeksforgeeks.org/sudo-command-in-linux-with-examples/
- ***CVE-2019-9053*** on https://nvd.nist.gov/vuln/detail/CVE-2019-9053 and https://www.exploit-db.com/exploits/46635 and https://github.com/Mahamedm/CVE-2019-9053-Exploit-Python-3/blob/main/csm_made_simple_injection.py

1. [Nmap](https://github.com/jtoalu/Nmap-Wreath) was utilized to find information about the target machine. `nmap -sC -sV -O -p- -oN CTF 10.10.46.2` can be utilized.

2. The result shows there is a website running on the target machine. Tools such as https://www.kali.org/tools/dirbuster/ and https://www.kali.org/tools/gobuster/ can be utilized to find out any other information about the website. The result contains several pieces of information, and ***/simple*** is the most useful one for this challenge. After navigating to the ***simple*** folder/path/directory of the website, we found a website running on https://www.cmsmadesimple.org/

3. Scroll down the webpage and we shall find the version of the CMS, which is 2.2.8 and has the ***CVE-2019-9053*** vulnerability. The information about ***CVE-2019-9053*** is available in the top section of this documentation.

4. The Python code on https://github.com/Mahamedm/CVE-2019-9053-Exploit-Python-3/blob/main/csm_made_simple_injection.py can be utilized to execute a ***SQL Injection*** on the website.

5. The wordlists utilized to crack the password are available in the TryHackMe AttackBox.

6. We found the username and password through the ***SQL Injection*** and we utilized the information to ***ssh*** into the target machine.

7. We execute ***sudo -l*** to check whether a ***GTFOBins*** privilege escalation is possible, and we found https://gtfobins.github.io/gtfobins/vim/

8. After executing ***vim -c ':!/bin/sh'*** through a regular user account, we obtain access to the ***root*** account.
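Steps 7 and 8 turn on a sudoers rule that lets an unprivileged user run an editor as root. From the defender's side, the same `sudo -l` output the walkthrough reads is what an audit should flag before an attacker does. The following is an added example written for this page, not part of the original README or of any tool it links: it parses a constructed sample of `sudo -l` output (not the CTF target's real output) and reports rules granting `ALL` or a binary that GTFOBins documents as able to escape to a shell. The binary set is an assumption limited to the editor discussed on this page; extend it from https://gtfobins.github.io/ for a real audit.

```python
import re

# Constructed sample of `sudo -l` output for a low-privilege account (not from the page's target).
SAMPLE_SUDO_L = """\
Matching Defaults entries for webuser on target:
    env_reset, mail_badpass

User webuser may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart apache2
"""

# Assumption: only the editor discussed on this page is listed; extend from GTFOBins.
SHELL_ESCAPE_BINARIES = {"vim", "vi"}

# One sudoers rule line: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>.+)$"
)


def audit_sudo_rules(text):
    """Return a list of findings for rules that hand the run-as user a shell."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # header, Defaults, or blank line
        cmd = m.group("cmd").strip()
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        nopasswd = "NOPASSWD:" in m.group("tags")
        if cmd == "ALL":
            reason = "unrestricted command set"
        elif binary in SHELL_ESCAPE_BINARIES:
            reason = "editor can spawn a shell as the run-as user"
        else:
            continue
        findings.append(
            {
                "command": cmd,
                "runas": m.group("runas"),
                "nopasswd": nopasswd,
                "reason": reason,
            }
        )
    return findings


if __name__ == "__main__":
    for f in audit_sudo_rules(SAMPLE_SUDO_L):
        flag = " (NOPASSWD)" if f["nopasswd"] else ""
        print(f"{f['runas']}: {f['command']}{flag} -> {f['reason']}")
```

For the flagged rule the remediation is to drop the editor grant entirely, or to grant `sudoedit` for the specific file instead, which edits a copy as the calling user and never runs the editor itself as root.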

Note to Self: https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax and https://stackoverflow.com/questions/11509830/how-to-add-color-to-githubs-readme-md-file
File snapshot
[4.0K] /data/pocs/40ddd5431650c01fce5d14867efc443b5c07973d
├── [3.3K] README.md
├── [468K] Screenshot 2024-08-07 211539.png
├── [984K] Screenshot 2024-08-07 211727.png
├── [522K] Screenshot 2024-08-07 212328.png
├── [545K] Screenshot 2024-08-07 213714.png
├── [508K] Screenshot 2024-08-07 213741.png
├── [236K] Screenshot 2024-08-09 105323.png
├── [219K] Screenshot 2024-08-09 105619.png
└── [203K] Screenshot 2024-08-09 130239.png
0 directories, 9 files
Notes
1. It is recommended to access the code via the original source first.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
3. Shenlong (神龙) has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.