# Disclaimer
This repository provides a Python 3 compatible exploit targeting an unauthenticated SQL injection vulnerability in CMS Made Simple versions 2.2.9 and earlier. The flaw, tracked as CVE-2019-9053, allows attackers to extract sensitive administrator data, including username, hashed password, email, and salt.
The original exploit was authored by Daniele Scanu.
Original Exploit : https://www.exploit-db.com/exploits/46635
By using this script, you agree to:
Use it only on systems you own or have explicit permission to test. Not hold the author or contributors liable for any direct, indirect, or consequential damages resulting from its use.
# This script works in two modes
## Mode 1 : Exploiting without password cracking
To run the exploit and retrieve information about the CMS administrator **without attempting to crack the password**:
```bash
python3 CVE-2019-9053.py -u http://<TARGET-IP>/writeup
```
## Mode 2 : Exploiting with password cracking
```bash
python3 CVE-2019-9053.py -u http://<TARGET-IP>/writeup --crack -w /usr/share/wordlists/rockyou.txt
```
[4.0K] /data/pocs/ff530cd85dea711a3943e6ad8d8d33974c902e91
├── [5.9K] CMS-Made-Simple-2.2.9-CVE-2019-9053.py
└── [1.1K] README.md
0 directories, 2 files