关联漏洞
标题:
GeoServer SQL注入漏洞
(CVE-2023-25157)
描述:GeoServer是一个用 Java 编写的开源软件服务器。允许用户共享和编辑地理空间数据。 GeoServer 2.21.4之前、2.22.2之前版本存在安全漏洞,该漏洞源于 ``strEndsWith``、``strStartsWith`` 和 ``PropertyIsLike `` 存在滥用 问题。
描述
Geoserver SQL Injection Exploit
介绍
# Geoserver SQL Injection Exploit
In this year, a cve got published for Geoserver with the ID CVE-2023-25157.
I saw this vulnerability in one of my projects and tried to exploit it.
And here it is, the complete exploit.
In this repo([https://github.com/0x2458bughunt/CVE-2023-25157](https://github.com/0x2458bughunt/CVE-2023-25157)) you can use the detector to find out what tergets have the technology and vulnerability.
After using detector, you can use my code for exploiting those.
## How to Run:
You Should install "requests" with this command first:
```
pip install requests
```
At the second, create an input text file and insert the targets in it(Like www.example.com or 1.1.1.1:8080).Be aware, you should insert one target per line.
Then, Run the program like this:
```
python3 main.py Input.txt
```
or
```
python3 main.py
Urls File: Input.txt
```
Use & Enjoy 😇😇😇😇
# Refrences
https://github.com/geoserver/geoserver/blob/main/README.md
https://www.acunetix.com/vulnerabilities/web/geoserver-sqli-cve-2023-25157/
https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158
https://github.com/murataydemir/CVE-2023-25157-and-CVE-2023-25158
https://medium.com/@knownsec404team/geoserver-sql-injection-vulnerability-analysis-cve-2023-25157-413c1f9818c3
https://github.com/0x2458bughunt/CVE-2023-25157
# Contact Me
If you had any question or order cantact me through my e-mail: dctfp@protonmail.com
文件快照
[4.0K] /data/pocs/50f4d5494ee9b46e647f1e50fe85da944c4e41f1
├── [9.0K] dbFinder.py
├── [ 494] main.py
└── [1.5K] README.md
0 directories, 3 files
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。