GeoServer < 2.18.7 and 2.18.7-2.21.4 - SQL Injection via OGC Filter and CQL Expressions
Exploitation Summary
CVE-2023-25157 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 9 public exploits from researchers including win3zz, murataydemir, 0x2458bughunt. A Nuclei detection template is also available.
AI-analyzed exploit summary
This repository contains a functional Python script that exploits CVE-2023-25157, an SQL injection vulnerability in GeoServer's OGC Filter functionality. The script automates the discovery of feature types and properties, then injects a malicious payload via the CQL_FILTER parameter to extract database version information.
Description
GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4 or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS DataStore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike`` misuse, and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
Exploits (9)
This repository provides a detailed technical analysis of SQL injection vulnerabilities (CVE-2023-25157 and CVE-2023-25158) in GeoServer and GeoTools, including affected versions, root causes, and mitigation strategies. It does not contain exploit code but offers in-depth explanations of the vulnerabilities.
The repository contains Python scripts to scan for GeoServer instances vulnerable to CVE-2023-25157 by checking for specific paths and keywords, but does not include functional exploit code for SQL injection.
This repository contains a functional exploit for CVE-2023-25157, a SQL injection vulnerability in GeoServer due to improper input filtering. The exploit automates the discovery of vulnerable endpoints and properties, then constructs malicious CQL_FILTER queries to extract database version information.
This repository contains a functional Go script that checks for CVE-2023-25157, a SQL injection vulnerability in GeoServer. The script enumerates available feature names and properties, then tests for vulnerability by injecting a crafted CQL_FILTER payload to extract the current user.
The repository contains functional exploit code for CVE-2023-25157, specifically targeting GeoServer. The exploit leverages a path traversal vulnerability to access sensitive files on the server.
This repository contains a functional exploit for CVE-2023-25157, a SQL injection vulnerability in GeoServer. The exploit automates the detection and exploitation of the vulnerability across different database backends (PostgreSQL, Oracle, MSSQL/MySQL) by crafting malicious CQL_FILTER queries.
This repository contains a functional exploit PoC for CVE-2023-25157, a SQL injection vulnerability in GeoServer 2.22.0. The exploit leverages a maliciously crafted CQL_FILTER parameter in a WFS request to execute arbitrary SQL queries, demonstrating the vulnerability by extracting the PostgreSQL version.
The repository contains a Python script that scans for GeoServer OGC Filter SQL Injection vulnerabilities (CVE-2023-25157) by retrieving feature types and properties but does not include exploit code for actual SQL injection.
Nuclei Templates (1)
title:"geoserver" || http.title:"geoserver"
title="geoserver" || app="geoserver"
Scores
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H