Pentesting

5984 - Pentesting CouchDB

Basic Information

CouchDB is a document-oriented database and within each document fields are stored as key-value maps. Fields can be either a simple key/value pair, list, or map.

Each document that is stored in the database is given a document-level unique identifier (_id) as well as a revision (_rev) number for each change that is made and saved to the database.

Default port: 5984

PORT STATE SERVICE REASON
5984/tcp open unknown syn-ack

Enumeration

Automatic

nmap -sV --script couchdb-databases,couchdb-stats -p <PORT> <IP>
msf> use auxiliary/scanner/couchdb/couchdb_enum

Manual

curl http://IP:5984/

This issues a GET request to installed CouchDB instance.

The reply should look something like:

{"couchdb":"Welcome","version":"0.10.1"}

Database List

curl -X GET http://IP:5984/_all_dbs

If that request responds with a 401 unauthorised, then probably you would need some valid credentials to access the database:

curl -X GET http://user:password@IP:5984/_all_dbs

Once you have some valid credentials (or if valid unauthenticated access) the response to /_all_dbs should be a list of db names like:

["baseball", "plankton"]

Document List

curl -X GET http://IP:5984/{dbname}/_all_docs

Response

{
"offset": 0,
"rows": [
{
"id": "16e458537602f5ef2a710089dffd9453",
"key": "16e458537602f5ef2a710089dffd9453",
"value": {
"rev": "1-967a00dff5e02add41819138abb3284d"
}
},
{
"id": "a4c51cdfa2069f3e905c431114001aff",
"key": "a4c51cdfa2069f3e905c431114001aff",
"value": {
"rev": "1-967a00dff5e02add41819138abb3284d"
}
},
],
"total_rows": 2
}

Read Value Document

curl -X GET http://IP:5984/{dbname}/{id}

References