CVE-2019-9053 PoC — CMS Made Simple SQL注入漏洞

Source

https://github.com/Perseus99999/CVE-2019-9053-working-

Associated Vulnerability

Title:CMS Made Simple SQL注入漏洞 (CVE-2019-9053)
Description:An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

Description

CMS Made Simple < 2.2.10 - SQL Injection . Actual working version

Readme

# CVE-2019-9053-working script-
CMS Made Simple &lt; 2.2.10 - SQL Injection . Actual working version

Updated the script to work with latest python versions
Added Exception Handling for each function
You can also calibrate time.sleep inside the exception handling blocks depending on response and connection timeout errors

The command syntax is

python3 exploit.py -u http://target-url/CMS-directory --crack -w /path-wordlist  


Wordlist Examples
rockyou.txt
seclists/Passwords/Common-Credentials/best110.txt


You will need to run the script multiple times to get the correct output. Since this is a Time-based SQL injection, it is highly reliant on your network latency. Feel free to change the TIME, time.sleep(), and timeout variables if outputs seem wrong or it goes into an indefinite loop. Be Patient.


This can also be used for the TryHackMe(THM) Room - Simple CTF

https://tryhackme.com/room/easyctf

File Snapshot


 [4.0K]  /data/pocs/c6419ab00332d9e942a83ef7c28058d5b5264d77
├── [7.7K]  exploit.py
├── [1.0K]  LICENSE
└── [ 912]  README.md

1 directory, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!