# 5984 - Pentesting CouchDB
## **Basic Information**
CouchDB is a document-oriented database; within each document, fields are stored as key-value maps. A field can be a simple key/value pair, a list, or a map.
Each document stored in the database is given a document-level unique identifier (`_id`) as well as a revision (`_rev`) number for each change that is made and saved to the database.
**Default port:** 5984
```text
PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
```
## **Enumeration**
### **Automatic**
```bash
nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum
```
### Manual
```text
curl http://IP:5984/
```
This issues a GET request to the installed CouchDB instance.
The reply should look something like:
```json
{"couchdb":"Welcome","version":"0.10.1"}
```
#### **Database List**
```text
curl -X GET http://IP:5984/_all_dbs
```
If that request responds with a 401 Unauthorized, you will probably need valid credentials to access the database:
```text
curl -X GET http://user:password@IP:5984/_all_dbs
```
### [**Brute force**](../brute-force.md#couchdb)
Once you have some **valid credentials** (or if unauthenticated access is allowed), the response to `/_all_dbs` should be a list of database names like:
```json
["baseball", "plankton"]
```
#### **Document List**
```text
curl -X GET http://IP:5984/{dbname}/_all_docs
```
Response:
```json
{
  "offset": 0,
  "rows": [
    {
      "id": "16e458537602f5ef2a710089dffd9453",
      "key": "16e458537602f5ef2a710089dffd9453",
      "value": {
        "rev": "1-967a00dff5e02add41819138abb3284d"
      }
    },
    {
      "id": "a4c51cdfa2069f3e905c431114001aff",
      "key": "a4c51cdfa2069f3e905c431114001aff",
      "value": {
        "rev": "1-967a00dff5e02add41819138abb3284d"
      }
    }
  ],
  "total_rows": 2
}
```
#### **Read Value Document**
```bash
curl -X GET http://IP:5984/{dbname}/{id}
```
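To verify from the operator's side whether an instance you run answers the `/` and `/_all_dbs` requests above without credentials, the following added example (not from the original page) classifies the replies. The function names `fetch`, `assess` and `audit` and the sample responses are assumptions constructed for illustration.

```python
import json
import urllib.error
import urllib.request

def fetch(base_url, path, timeout=5):
    """Unauthenticated GET; returns (status, body) even for 401/403 replies."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.status, r.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")

def _parse(body, default):
    """Parse a JSON body, falling back to `default` on malformed input."""
    try:
        return json.loads(body)
    except ValueError:
        return default

def assess(responses):
    """responses: {path: (status, body)} gathered without credentials.
    Returns a list of findings for the operator of the instance."""
    findings = []
    status, body = responses.get("/", (None, ""))
    banner = _parse(body, {}) if status == 200 else {}
    if isinstance(banner, dict) and banner.get("couchdb") == "Welcome":
        findings.append("banner discloses version %s" % banner.get("version", "unknown"))
    status, body = responses.get("/_all_dbs", (None, ""))
    if status == 200:
        dbs = _parse(body, None)
        if isinstance(dbs, list):
            findings.append("anonymous /_all_dbs lists %d database(s): %s"
                            % (len(dbs), ", ".join(map(str, dbs))))
    elif status in (401, 403):
        findings.append("/_all_dbs requires authentication (HTTP %d)" % status)
    return findings

def audit(base_url):
    """Live check against an instance you operate, e.g. http://127.0.0.1:5984."""
    return assess({p: fetch(base_url, p) for p in ("/", "/_all_dbs")})

# Constructed sample replies, modelled on the responses shown on this page.
OPEN = {"/": (200, '{"couchdb":"Welcome","version":"0.10.1"}'),
        "/_all_dbs": (200, '["baseball", "plankton"]')}
LOCKED = {"/": (200, '{"couchdb":"Welcome","version":"0.10.1"}'),
          "/_all_dbs": (401, '{"error":"unauthorized"}')}

if __name__ == "__main__":
    for name, sample in (("open", OPEN), ("locked", LOCKED)):
        print(name, assess(sample))
```

A finding that `/_all_dbs` is listed anonymously means the enumeration steps on this page work against the instance without any credentials.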