Aaron
63285f61aa
Some checks failed
Vulhub Format Check and Lint / format-check (push) Has been cancelled
Vulhub Format Check and Lint / markdown-check (push) Has been cancelled
Vulhub Docker Image CI / longtime-images-test (push) Has been cancelled
Vulhub Docker Image CI / images-test (push) Has been cancelled
37 lines
1.3 KiB
Markdown
37 lines
1.3 KiB
Markdown
# CMS Made Simple (CMSMS) < 2.2.10 前台SQL注入漏洞(CVE-2019-9053)
|
||
|
||
CMS Made Simple(CMSMS)是一个免费的开放源码内容管理系统,为开发人员、程序员和网站所有者提供基于网络的开发和管理功能。
|
||
|
||
在 2.2.9.1 之前的版本中,CMS Made Simple 存在一个未验证的 SQL 注入漏洞,攻击者可利用该漏洞获取管理员密码或密码重置令牌。结合后台的 SSTI 漏洞([CVE-2021-26120](https://github.com/vulhub/vulhub/tree/master/cmsms/CVE-2021-26120)),攻击者可在目标服务器上执行任意代码。
|
||
|
||
参考链接:
|
||
|
||
- <https://www.exploit-db.com/exploits/46635>
|
||
- <https://srcincite.io/pocs/cve-2021-26120.py.txt>
|
||
|
||
## 漏洞环境
|
||
|
||
执行如下命令启动一个CMS Made Simple 2.2.9.1服务器:
|
||
|
||
```
|
||
docker compose up -d
|
||
```
|
||
|
||
环境启动后,你需要访问`http://your-ip/install.php`并安装CMS服务。
|
||
|
||
安装过程请根据页面中的安装向导来进行,其中MySQL数据库的地址是`db`,数据库名是`cmsms`,账号和密码均为`root`。
|
||
|
||
|
||
|
||
## 漏洞复现
|
||
|
||
使用<https://www.exploit-db.com/exploits/46635>中的脚本来利用SQL注入漏洞:
|
||
|
||
```
|
||
python2 poc.py -u http://127.0.0.1
|
||
```
|
||
|
||
|
||
|
||
可见,管理员密码已经被该脚本获取。
|