
CVE-2024-36401 PoC — Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver

Associated Vulnerability

Title: Remote Code Execution (RCE) vulnerability in evaluating property name expressions in Geoserver (CVE-2024-36401)

Description: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library, which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well, which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided, but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.
Description

CVE-2024-36401 GUI exploitation tool; supports exploitation across JDK versions, with command echo and in-memory webshell implementations.
Readme
# GeoServer-Tools-CVE-2024-36401


Affected versions:

GeoServer < 2.23.6

2.24.0 <= GeoServer < 2.24.4

2.25.0 <= GeoServer < 2.25.2
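Two defender-side checks that follow from the vulnerability description and the affected-version ranges above, written as an added example (not code from this repository): `is_affected()` applies the version ranges, and `flag_suspicious_requests()` scans combined-format access-log lines for WFS GetFeature/GetPropertyValue property-name parameters that are not plain attribute names, since simple feature types never need XPath function syntax. The log lines are constructed samples; WMS and WPS requests, which carry property names inside filters and styles, are out of scope for this heuristic.

```python
"""Added defender-side checks for CVE-2024-36401 (not the repository's code).
is_affected() encodes the README's version ranges; flag_suspicious_requests()
finds WFS property-name parameters that look like XPath rather than names."""
import re
from urllib.parse import parse_qs, urlsplit

# (lowest affected, first fixed) pairs from the README; fixed versions are safe.
AFFECTED_RANGES = [((0, 0, 0), (2, 23, 6)), ((2, 24, 0), (2, 24, 4)), ((2, 25, 0), (2, 25, 2))]

def parse_version(v):
    """'2.25.1' -> (2, 25, 1); missing components count as 0."""
    parts = [int(p) for p in re.findall(r"\d+", v)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))

def is_affected(version):
    v = parse_version(version)
    return any(lo <= v < fixed for lo, fixed in AFFECTED_RANGES)

# A plain simple-feature attribute name: optional namespace prefix, identifier
# characters only. Parentheses, quotes or slashes indicate XPath-style input.
PLAIN_NAME = re.compile(r"^[A-Za-z_][\w.\-]*(:[A-Za-z_][\w.\-]*)?$")
PROP_PARAMS = ("propertyname", "valuereference")  # GetFeature / GetPropertyValue

def suspicious_property_names(url):
    """Return WFS property-name values in `url` that are not plain attribute names."""
    qs = {k.lower(): v for k, v in parse_qs(urlsplit(url).query).items()}
    if qs.get("service", [""])[0].upper() != "WFS":
        return []  # WMS/WPS carry names inside filters/styles; not covered here
    odd = []
    for key in PROP_PARAMS:
        for raw in qs.get(key, []):
            names = [n.strip() for n in raw.split(",")]
            odd += [n for n in names if n and not PLAIN_NAME.match(n)]
    return odd

def flag_suspicious_requests(log_lines):
    """Scan access-log lines; return [(line_no, [odd property names]), ...]."""
    hits = []
    for i, line in enumerate(log_lines, 1):
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
        odd = suspicious_property_names(m.group(1)) if m else []
        if odd:
            hits.append((i, odd))
    return hits

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2024:10:00:01 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=STATE_NAME HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jul/2024:10:00:02 +0000] "GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames=topp:states&valueReference=count(%2F%2Fdoes-not-exist) HTTP/1.1" 200 64',
]
```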

During recent HW (attack-defense exercise) engagements I found this vulnerability is still quite common, but there was never a convenient tool for it, so I rewrote this tool following the approach of https://github.com/whitebear-ch/GeoServerExploit.


## 0x01 Installation

![image-20250411124904054](assets/image-20250411124904054.png)

Build the artifact.

## 0x02 Usage

Start with JDK 8: `java -jar GeoServer-Tools.jar`

![image-20250411125025482](assets/image-20250411125025482.png)

dnslog (independent of JDK version):

![image-20250411125210164](assets/image-20250411125210164.png)

![image-20250411125231103](assets/image-20250411125231103.png)

Command echo:

![image-20250411125857883](assets/image-20250411125857883.png)

![](assets/image-20250411125939666.png)

In-memory webshell:

![image-20250411130004637](assets/image-20250411130004637.png)

![image-20250411130131602](assets/image-20250411130131602.png)

My test environments were vulhub (JDK 17) and the Windows build (JDK 8) from: https://master.dl.sourceforge.net/project/geoserver/GeoServer/2.15.0/geoserver-2.15.0.exe?viasf=1

Real-world environments may differ slightly; please test for yourself.


## 0x03 Disclaimer
For technical research and formally authorized attack-defense projects only. Users must comply with the Cybersecurity Law of the People's Republic of China and must not use this for any illegal activity. If the tool is put to any other use, the user bears all legal and joint liability; the author and publisher accept no legal or joint liability whatsoever!

## 0x04 References / Acknowledgements
https://mp.weixin.qq.com/s/beRJ8-HOMJbA43jYMMS0Pg

https://mp.weixin.qq.com/s/1mW3rLvZc0RL4nr25BLT7A

https://mp.weixin.qq.com/s/jCOp9A-qO8ViqLx3ui0XHg

https://github.com/whitebear-ch/GeoServerExploit

https://github.com/pen4uin/java-memshell-generator

https://github.com/vulhub/vulhub