Related vulnerability
Title:
CMS Made Simple SQL injection vulnerability
(CVE-2019-9053)
Description: CMS Made Simple (CMSMS) is an open-source content management system (CMS) from the CMSMS team. It supports role-based permission management, wizard-based installation and updates, smart caching, and more. CMSMS 2.2.8 contains a SQL injection vulnerability caused by the database-backed application failing to validate externally supplied input used in SQL statements. An attacker can exploit it to execute unauthorized SQL commands.
Description
Unauthenticated SQL injection exploit for CVE-2019-9053 in CMS Made Simple <= 2.2.9. Extracts admin creds with time-based SQLi.
Introduction
# CVE-2019-9053 Exploit - CMS Made Simple Unauthenticated SQL Injection (SQLi)
An exploit script for **CVE-2019-9053**, a critical **unauthenticated SQL injection (SQLi)** vulnerability in **CMS Made Simple** versions **2.2.9 and below**. The tool uses **time-based SQL injection** to extract **admin credentials** (username, email, password hash, and salt) from vulnerable **CMS Made Simple** sites, and can optionally run **password cracking** of the recovered hash against a wordlist. Because the flaw is reachable without authentication, exploitation of **CVE-2019-9053** can lead to **full site takeover**, **data breaches**, or **malicious code injection**, making it a significant risk for unpatched systems.
## Author
- **so1icitx**
## Features
- Tests **CMS Made Simple** for **CVE-2019-9053** vulnerability with a **time-based SQLi** check.
- Extracts **admin credentials**: salt, username, email, and password hash.
- Optional **password cracking** with a wordlist to recover plaintext passwords.
- Colorized output for easy monitoring of **SQL injection** progress.
- Debug mode displaying request URLs and response times for **vulnerability exploitation**.
## Prerequisites
- **Python 3.6+**
- Required packages:
```bash
pip install requests termcolor
```
## Usage
```bash
python3 exploit.py -u <target_url> [options]
```
### Options
- `-u, --url`: Base URL of the **CMS Made Simple** instance (e.g., `http://example.com`) - required.
- `-w, --wordlist`: Path to a wordlist file or directory for **password cracking** (optional).
- `-c, --crack`: Enable **password cracking** mode (optional).
- `-t, --time`: Sleep time in seconds for **time-based SQL injection** (default: 5).
### Examples
- Basic **SQLi exploit**:
```bash
python3 exploit.py -u http://10.10.171.64/simple
```
- With **password cracking**:
```bash
python3 exploit.py -u http://10.10.171.64/simple -c -w /path/to/rockyou.txt
```
- Custom sleep time for **time-based SQLi**:
```bash
python3 exploit.py -u http://10.10.171.64/simple -t 10
```
## Notes
- Targets must run **CMS Made Simple 2.2.9 or below** with the News module enabled.
- Exploits a flaw in `/moduleinterface.php`, allowing **unauthenticated attackers** to perform **SQL injection**.
- Adjust `--time` based on network latency (e.g., 10 seconds for slower responses).
- Wordlist directories are scanned for common files like `rockyou.txt` for **credential cracking**.
- Use responsibly on authorized systems only to avoid **data breaches** or **site compromise**.
- Contact me at `so1citix.zone242@passinbox.com` for support or issues!
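The notes above name the exploited endpoint (`/moduleinterface.php`) and the mechanism (time-based SQLi with a sleep of a few seconds). From the defender's side, both facts give a usable detection signal in web server access logs. The following is an added example, not part of the exploit repository: it parses constructed Apache combined-format log lines (assumed to carry the response time in seconds as a trailing `%T` field), flags requests to `moduleinterface.php` whose decoded query string contains a timing function, and separately flags slow responses to that endpoint so that probes with obfuscated payloads are still caught when correlated per source address. The parameter name `PARAM` in the sample lines is a placeholder, not the real vulnerable parameter.

```python
"""Detect time-based SQLi probes against CMS Made Simple's moduleinterface.php
in access logs. Added example for this page; not code from the exploit repo.
Log format assumption: Apache combined log + trailing response time in seconds (%T).
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Assumed layout: ip ident user [ts] "METHOD path PROTO" status size "ref" "ua" secs
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<secs>\d+)$'
)

# Timing primitives used by blind SQLi across common database engines.
TIMING_RE = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)

# Constructed sample log: one ordinary page hit, a burst of probes from one
# source (two with a visible SLEEP(), one slow with no obvious payload), then a
# benign request to the same endpoint. "PARAM" is a placeholder name.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /simple/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0
198.51.100.9 - - [10/Mar/2024:12:00:05 +0000] "GET /simple/moduleinterface.php?PARAM=1%20AND%20SLEEP(5) HTTP/1.1" 200 312 "-" "python-requests/2.31" 5
198.51.100.9 - - [10/Mar/2024:12:00:11 +0000] "GET /simple/moduleinterface.php?PARAM=1%20AND%20(SELECT%20SLEEP(5)) HTTP/1.1" 200 312 "-" "python-requests/2.31" 5
198.51.100.9 - - [10/Mar/2024:12:00:17 +0000] "GET /simple/moduleinterface.php?PARAM=1 HTTP/1.1" 200 312 "-" "python-requests/2.31" 6
203.0.113.7 - - [10/Mar/2024:12:00:20 +0000] "GET /simple/moduleinterface.php?PARAM=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0" 0
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["secs"] = int(rec["secs"])
    script, _, query = rec["path"].partition("?")
    rec["script"] = script
    rec["query"] = unquote_plus(query)  # decode %20, + etc. before matching
    return rec


def classify(rec, slow_threshold):
    """Label a parsed request, or return None if it is not of interest."""
    if rec["script"].rsplit("/", 1)[-1] != "moduleinterface.php":
        return None
    if TIMING_RE.search(rec["query"]):
        return "timing_payload"      # explicit sleep/benchmark in the query
    if rec["secs"] >= slow_threshold:
        return "slow_response"       # no visible payload, but suspiciously slow
    return None


def detect(log_text, slow_threshold=4):
    """Scan a log text and return a list of alert dicts, one per flagged line."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        kind = classify(rec, slow_threshold)
        if kind:
            alerts.append({"ip": rec["ip"], "ts": rec["ts"], "kind": kind,
                           "secs": rec["secs"], "query": rec["query"]})
    return alerts


def suspicious_sources(alerts, min_hits=2):
    """Group alerts by client IP; only sources with repeated hits are returned,
    which keeps a single slow page under load from paging anyone."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} {a["kind"]} ({a["secs"]}s) {a["query"]}')
    print("repeat sources:", suspicious_sources(found))
```

The `slow_response` rule on its own is noisy (a busy server will produce slow responses with no attacker involved), which is why the example only reports sources that trip it repeatedly; the `--time` value the README tells users to tune is exactly the delay a defender should expect to see repeated, request after request, from one address during credential extraction.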
## Disclaimer
This tool is for **educational** and **authorized security testing** purposes only. Unauthorized exploitation of **CVE-2019-9053** is illegal and unethical.
---
File snapshot
[4.0K] /data/pocs/4260df7963166d8d06d56a34edaa061e476894f2
├── [8.1K] exploit.py
├── [1.0K] LICENSE
└── [2.8K] README.md
0 directories, 3 files
Notes
1. Accessing the original source is recommended.
2. If the source is no longer available or cannot be reached, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.