What is CVE-2019-9053?
CVE-2019-9053 is an unauthenticated time-based SQL injection vulnerability in CMS Made Simple. For more information, you can read this post from NIST. The flaw is an SQL injection in the m1_idlist parameter of the moduleinterface.php file.
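A detection-side sketch for the parameter described above, added here as an example and not part of the original post or PoC: it scans web access logs for requests to moduleinterface.php whose m1_idlist value is not a plain ID list. The log format, the sample lines, and the assumption that benign values are comma-separated integers are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /moduleinterface.php?m1_idlist=1,2,3 HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /moduleinterface.php?m1_idlist=1)+and+sleep(5)--+ HTTP/1.1" 200 512
203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /moduleinterface.php?m1_idlist=1%29%20AND%20SLEEP%285%29 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:09 +0000] "GET /index.php?page=news HTTP/1.1" 200 2048
"""

# Client address and request target from a common/combined log line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
# Assumption: a benign m1_idlist is a comma-separated list of integers.
NUMERIC_LIST = re.compile(r"\d+(,\d+)*")
# Delay functions typical of time-based SQL injection probes.
TIMING = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)


def classify(value):
    """Return None for a benign value, otherwise a short verdict string."""
    if NUMERIC_LIST.fullmatch(value):
        return None
    if TIMING.search(value):
        return "time-based-sqli"
    return "non-numeric"


def scan(log_text):
    """Return (client, verdict, decoded_value) for each suspicious request.

    Only query strings are inspected; POST bodies do not appear in access logs.
    """
    findings = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        url = urlsplit(target)
        if not url.path.endswith("/moduleinterface.php"):
            continue
        # parse_qs percent-decodes, so encoded and plain probes look the same.
        for value in parse_qs(url.query, keep_blank_values=True).get("m1_idlist", []):
            verdict = classify(value)
            if verdict:
                findings.append((client, verdict, value))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Because time-based extraction needs many requests, a burst of findings from one client is a stronger signal than a single hit.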
Rewriting the PoC
The PoCs I found were all the same, outdated, and pretty slow. This is how I made my own improved version. This is the original PoC I found.
It reuses a lot of the same code which is not necessary. I rewrote it to be more efficient and faster. It was also written in Python 2, which is outdated and not supported anymore. I rewrote it in Python 3 with some better libraries.
I saw the original used the requests library; I switched it for the HTTPX library. Instead of getting the start and end time for the request, I used the timeout parameter of the HTTPX client. It also used 4 different functions for the same thing; I combined them into one function.
Conclusion
I managed to rewrite the PoC to be more efficient and faster, with 114 fewer lines of code and updated libraries. You can find the new PoC here.