CVE-2019-9053 PoC — CMS Made Simple SQL注入漏洞

Source

https://github.com/noob-hacker572/CMS-Made-Simple-2.2.9-CVE-2019-9053

Associated Vulnerability

Title:CMS Made Simple SQL注入漏洞 (CVE-2019-9053)
Description:An issue was discovered in CMS Made Simple 2.2.8. It is possible with the News module, through a crafted URL, to achieve unauthenticated blind time-based SQL injection via the m1_idlist parameter.

Readme

# Disclaimer

This repository provides a Python 3 compatible exploit targeting an unauthenticated SQL injection vulnerability in CMS Made Simple versions 2.2.9 and earlier. The flaw, tracked as CVE-2019-9053, allows attackers to extract sensitive administrator data, including username, hashed password, email, and salt.

The original exploit was authored by Daniele Scanu.

Original Exploit : https://www.exploit-db.com/exploits/46635

By using this script, you agree to:

Use it only on systems you own or have explicit permission to test. Not hold the author or contributors liable for any direct, indirect, or consequential damages resulting from its use.

# This script works in two modes

## Mode 1 : Exploiting without password cracking

   To run the exploit and retrieve information about the CMS administrator **without attempting to crack the password**:

   ```bash
   python3 CVE-2019-9053.py -u http://<TARGET-IP>/writeup
   ```

## Mode 2 : Exploiting with password cracking

   ```bash
   python3 CVE-2019-9053.py -u http://<TARGET-IP>/writeup --crack -w /usr/share/wordlists/rockyou.txt
   ```

File Snapshot


 [4.0K]  /data/pocs/ff530cd85dea711a3943e6ad8d8d33974c902e91
├── [5.9K]  CMS-Made-Simple-2.2.9-CVE-2019-9053.py
└── [1.1K]  README.md

0 directories, 2 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.

View subscription plans →

Goal Reached Thanks to every supporter — we hit 100%!