Bjarne Verschorre

../cve-2019-9053.md

What is CVE-2019-9053?

CVE-2019-9053 is an unauthenticated, time-based SQL injection vulnerability in CMS Made Simple. For more information, you can read this post from NIST. The injection point is the m1_idlist parameter handled by the moduleinterface.php file.
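From the defender's side, this can be hunted for in web server access logs. The following is an added example, not code from this post or from the PoC it describes: it flags requests to moduleinterface.php whose m1_idlist value is not a plain list of ids, and reports clients that send several of them, since time-based extraction needs many requests. It assumes combined-format access logs and that a legitimate m1_idlist is a comma-separated list of integers; the function names, the burst threshold and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Assumption: a legitimate m1_idlist is a comma-separated list of integers.
VALID_IDLIST = re.compile(r"\d+(,\d+)*")
# Combined log format prefix: client IP, identity, user, [time], "METHOD target PROTO"
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*"')

def suspicious_idlist(target):
    """Return the decoded m1_idlist value if it is not a plain id list, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/moduleinterface.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("m1_idlist", []):
        if not VALID_IDLIST.fullmatch(value):
            return value
    return None

def scan(lines, burst=3):
    """Return (hits, noisy): flagged (ip, value) pairs and IPs with >= burst hits."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not an access-log line we understand
        value = suspicious_idlist(m.group(2))
        if value is not None:
            hits.append((m.group(1), value))
    counts = Counter(ip for ip, _ in hits)
    noisy = sorted(ip for ip, n in counts.items() if n >= burst)
    return hits, noisy

# Constructed sample log lines (documentation IP ranges, not from a real server).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /moduleinterface.php?m1_idlist=1,2,3 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:01 +0000] "GET /moduleinterface.php?m1_idlist=1%29+AND+SLEEP%282%29 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:04 +0000] "GET /moduleinterface.php?m1_idlist=1%27 HTTP/1.1" 200 512',
    '198.51.100.9 - - [01/Jan/2024:10:00:07 +0000] "GET /moduleinterface.php?m1_idlist=1,2,abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?m1_idlist=abc HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    hits, noisy = scan(SAMPLE)
    print(len(hits), "flagged requests; repeat sources:", noisy)
```

Parameters sent in a POST body do not appear in access logs, so this check only covers values passed in the query string.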

Rewriting the PoC

The PoCs I found were all the same, outdated, and pretty slow. This is how I made my own improved version. This is the original PoC I found.

It reuses a lot of the same code, which is not necessary. I rewrote it to be more efficient and faster. It was also written in Python 2, which is outdated and not supported anymore. I rewrote it in Python 3 with some better libraries.

I saw the original used the requests library, so I switched it for the HTTPX library. Instead of getting the start and end time for the request, I used the timeout parameter of the HTTPX client. It also used 4 different functions for the same thing, so I combined them into one function.

Conclusion

I managed to rewrite the PoC to be more efficient and faster, with 114 fewer lines of code and updated libraries. You can find the new PoC here.
