Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2019-9053 PoC — CMS Made Simple SQL注入漏洞

Source
https://github.com/hf3cyber/CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-
Associated Vulnerability
Title:CMS Made Simple SQL注入漏洞 (CVE-2019-9053)
Description:An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.
Description
This exploit targets an unauthenticated SQL injection vulnerability in CMS Made Simple <= 2.2.9 (CVE-2019-9053). It uses a time-based blind SQL injection to extract the username, email, and password hash from the database. Additionally, it supports password cracking using a wordlist.
Readme
# CMS Made Simple <= 2.2.9 SQL Injection Exploit (CVE-2019-9053)

📌 Description

This exploit targets an unauthenticated SQL injection vulnerability in CMS Made Simple <= 2.2.9 (CVE-2019-9053). The vulnerability allows attackers to extract sensitive information such as username, email, password hash, and salt via a time-based blind SQL injection.

Additionally, the exploit supports password cracking using a provided wordlist.



# 🚀 Features

Unauthenticated SQL Injection

Extracts Username, Email, and Password Hash

Retrieves Password Salt

Supports Password Cracking via Wordlist (Optional)

Uses Time-Based Blind SQL Injection

# 🔧 Installation

Clone the repository:

```bash
git clone https://github.com/hf3cyber/CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-.git
cd CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-
```

# ⚡ Usage

Basic Exploitation

```bash
python3 exploit.py -u http://target.com/cms
```

Exploitation with Password Cracking

```bash
python3 exploit.py -u http://target.com/cms -c -w /usr/share/wordlist/rockyou.txt
```

# 📦 Requirements

Python 3

requests module (pip install requests)

termcolor module (pip install termcolor)

# 🔒 Mitigation

To protect against this vulnerability, upgrade CMS Made Simple to the latest secure version and ensure proper input sanitization with prepared statements.

# ⚠️ Disclaimer

This exploit is for educational and authorized penetration testing purposes only. Misuse of this script for unauthorized access is illegal. The author is not responsible for any misuse or damage caused.

# 📜 License

This project is licensed under the MIT License. See the [![License: MIT](https://img.shields.io/github/license/hf3cyber/CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-)](https://github.com/hf3cyber/CMS-Made-Simple-2.2.9-Unauthenticated-SQL-Injection-Exploit-CVE-2019-9053-/blob/main/LICENSE)
 file for details.

🤝 Contributing

Contributions are welcome! Feel free to open an issue or submit a pull request to improve the script.
File Snapshot

 [4.0K]  /data/pocs/e34c72f9bf51eb74972eb0c998aa31552cfc4cb7
├── [3.9K]  exploit.py
├── [1.0K]  LICENSE
└── [2.1K]  README.md

0 directories, 3 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →