关联漏洞
标题:
CMS Made Simple SQL注入漏洞
(CVE-2019-9053)
描述:CMS Made Simple(CMSMS)是CMSMS团队的一套开源的内容管理系统(CMS)。该系统支持基于角色的权限管理系统、基于向导的安装与更新机制、智能缓存机制等。 CMSMS 2.2.8版本中存在SQL注入漏洞,该漏洞源于基于数据库的应用缺少对外部输入SQL语句的验证。攻击者可利用该漏洞执行非法SQL命令。
介绍
# **CMS-Made-Simple-2.2.9 - SQL-Injection-Exploit - CVE-2019-9053**
## **Description**
This repository contains an exploit for an unauthenticated SQL injection vulnerability in **CMS Made Simple** versions **2.2.9** and earlier. This vulnerability, identified under **CVE-2019-9053**, allows an attacker to retrieve sensitive information such as the **username**, **hashed password**, **email**, and **salt** of the CMS administrator.
The original script was written by **Daniele Scanu** from **Certimeter Group** and has been updated by **Azrenom** to be compatible with **Python 3** and to include several optimizations for error handling and overall stability.
## **Features**
- Extraction of **salt**, **username**, **email**, and **hashed password** of the CMS administrator.
- Ability to **crack** the administrator's password using a wordlist through brute force.
- Compatible with **Python 3**.
- Handles encoding errors when reading wordlists.
## **Requirements**
- **Python 3.x**
- **Python libraries**:
- `requests`
- `termcolor`
### **Installing Dependencies**
Before running the script, install the required dependencies using pip:
**`pip install requests termcolor`**
## **Usage**
### 1. **Exploiting without password cracking**
To run the exploit and retrieve information about the CMS administrator without attempting to crack the password:
**`python3 exploit.py -u http://[TARGET-IP]/cms`**
Replace \`[TARGET-IP]\` with the actual IP address or URL where **CMS Made Simple** is hosted.
### 2. **Exploiting with password cracking**
If you have a wordlist and want to attempt cracking the administrator's password after retrieving the salt and hashed password:
**`python3 exploit.py -u http://[TARGET-IP]/cms --crack -w /usr/share/wordlist/dirb/big.txt`**
### **Available Options**
| **Option** | **Description** |
|----------------------|--------------------------------------------------------------------------------|
| \`-u\` or \`--url\` | **Required**. Target CMS URL (e.g. \`http://10.10.10.100/cms\`) |
| \`-w\` or \`--wordlist\` | **Optional**. Path to the wordlist to crack the password |
| \`-c\` or \`--crack\` | **Optional**. Enables password cracking after completing the exploit |
## **How the script works**
The script operates in several stages:
1. **Salt extraction**: Using an SQL injection, the script retrieves the salt used to hash the administrator's password.
2. **Retrieving credentials**: The script retrieves the administrator's **username**, **email**, and **hashed password**.
3. **Password cracking**: If the \`--crack\` option is enabled, the script attempts to crack the password using a wordlist.
4. **Results display**: The extracted information is printed in the terminal.
## **Limitations**
- This attack is based on a **time-based SQL injection**; thus, depending on the server configuration, it may take more time.
- The password **cracking** functionality relies on a wordlist. Without an adequate wordlist, cracking the password may not be successful.
## **Disclaimer**
> **This script is provided for educational and research purposes only. Any use against systems without explicit permission from the owner is illegal. Use it only in controlled environments or with proper authorization.**
---
## **Contributing**
If you'd like to contribute to this project, you can:
1. Fork the repository.
2. Create a branch for your changes.
3. Submit a pull request with a clear description of the changes.
文件快照
[4.0K] /data/pocs/fbd9abca6ec8a06bd363435a410dcbf43c2899ab
├── [6.5K] exploit.py
└── [3.5K] README.md
0 directories, 2 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。