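Related vulnerability
Title:
GeoServer SQL injection vulnerability
(CVE-2023-25157)
Description: GeoServer is an open-source software server written in Java that allows users to share and edit geospatial data. GeoServer versions before 2.21.4 and before 2.22.2 contain a security vulnerability that stems from misuse of ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike``.
Description
A script, written in golang. POC for CVE-2023-25157
Introduction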
# CVE-2023-25157-checker
A script, written in golang. POC for CVE-2023-25157
## Steps to use
1. `git clone https://github.com/7imbitz/CVE-2023-25157-checker.git`
2. `cd CVE-2023-25157-checker`
3. `go run CVE-2023-25157.go <URL>`
*Replace `<URL>` with the URL of the target server.

<img width="1077" alt="Screenshot 2023-06-12 at 23 12 43" src="https://github.com/7imbitz/CVE-2023-25157-checker/assets/26263598/645e7ebc-b50d-4e9a-bea0-6f1c68e695c2">
## Google Dork
```inurl:"/geoserver/ows?service=wfs"```
## Research
For research purposes, you can set up and deploy your own instance of GeoServer. This [docker](https://github.com/geoserver/docker) can be set up easily in the blink of an eye *multiple blinks
## References
- [Github Advisory](https://github.com/geoserver/geoserver/security/advisories/GHSA-7g5f-wrx8-5ccf)
- [Commit](https://github.com/geoserver/geoserver/commit/145a8af798590288d270b240235e89c8f0b62e1d)
- [Tweet](https://twitter.com/parzel2/status/1665726454489915395)
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2023-25157)
## Legal Disclaimer
This POC Script was intended for educational and research purposes only. The main purpose was for me to code in golang. **Usage of this script for any unauthorized activities, and unethical testing is STRICTLY prohibited.**
File snapshot
[4.0K] /data/pocs/272d418daf9cc86ae750799d54a792296664121a
├── [5.3K] CVE-2023-25157.go
├── [ 75] go.mod
├── [ 505] go.sum
├── [ 34K] LICENSE
└── [1.6K] README.md
0 directories, 5 files