GeoServer vulnerability exploitation summary and case reference

Posted by santillano at 2020-03-14

Statement

This article was first published by vlong, a member of the Tide security team, in the FreeBuf tidesec column:

The technologies, ideas and tools involved in this article are intended only for learning and exchange for security purposes. No one may use them for illegal purposes or for profit; anyone who does so bears the consequences themselves!

I. Introduction

GeoServer is a J2EE implementation of the OpenGIS Web Server specification. GeoServer can easily publish map data, supports PostgreSQL, ShapeFile, ArcSDE, Oracle, VPF, MySQL and MapInfo as data sources, and can output web maps in JPEG, GIF, PNG, SVG, KML and other formats. GeoServer is a community open-source project and can be downloaded directly from the community website at

II. Weak password + PostgreSQL

While testing a school's website, we found the following site through subdomain scanning. Unfortunately, we were unable to open it.

We obtained the IP address through a reverse lookup of the domain name, and a port scan of that IP found the following open ports.

Port 8080 serves the website.

Directory scanning found the admin (background) login page.

Checking the page source showed that login requires a student number, so we gave up on brute-forcing it.

The page source also revealed a GeoServer directory. Visiting the GeoServer instance showed that a login is required, and a Baidu search turned up the default account and password.

Login with the default account and password succeeded.

Looking through the menus, I found a file upload feature, but it did not return the upload path.

Browsing the menus revealed the database connection information.

We connected to the database successfully with a database client.

Exploitation with the MSF (Metasploit) module did not succeed.

We set up a PostgreSQL environment locally.

We wrote a command-execution function in C to obtain a reverse shell.

After confirming that nc was installed on the target machine, the reverse-shell attempt succeeded, and we checked the server's IP address.

The .so file shipped with sqlmap can also be used for command execution: download the .so file and compile it as above.

III. GeoServer XXE vulnerability

Searching for GeoServer turned up an XXE vulnerability affecting versions earlier than

We looked up the payload used to exploit it and read the win.ini file.

/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&[email protected]@&FILTER=<?xml version="1.0" encoding="ISO-8859-1"?> <!DOCTYPE foo [ <!ENTITY xxe SYSTEM "file://@[email protected]" >]><Filter ><PropertyIsEqualTo><PropertyName>&xxe;</PropertyName><Literal>Brussels</Literal></PropertyIsEqualTo></Filter>

Listing files in the Windows directory.
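As an added defensive example (not part of the original post), the following Python scans web-server access-log lines for GeoServer WFS requests whose query parameters carry an inline DTD, the signature of the XXE payload shown above; it peels repeated percent-encoding so double-encoded payloads are still seen. The log lines, IP addresses and file path are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not from the original post): a benign WFS GetFeature,
# one carrying an inline DTD in FILTER, and an unrelated request.
SAMPLE_LOG = """\
10.0.0.5 - - [14/Mar/2020:10:01:02 +0000] "GET /geoserver/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=topp:states&FILTER=%3CFilter%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3ESTATE_NAME%3C/PropertyName%3E%3CLiteral%3EIllinois%3C/Literal%3E%3C/PropertyIsEqualTo%3E%3C/Filter%3E HTTP/1.1" 200 5120
10.0.0.9 - - [14/Mar/2020:10:01:07 +0000] "GET /geoserver/wfs?request=GetFeature&SERVICE=WFS&VERSION=1.0.0&TYPENAME=topp:states&FILTER=%3C%3Fxml%20version%3D%221.0%22%3F%3E%3C!DOCTYPE%20foo%20%5B%3C!ENTITY%20xxe%20SYSTEM%20%22file:///c:/windows/win.ini%22%3E%5D%3E%3CFilter%3E%3CPropertyIsEqualTo%3E%3CPropertyName%3E%26xxe%3B%3C/PropertyName%3E%3CLiteral%3EBrussels%3C/Literal%3E%3C/PropertyIsEqualTo%3E%3C/Filter%3E HTTP/1.1" 200 812
10.0.0.5 - - [14/Mar/2020:10:01:09 +0000] "GET /geoserver/web/ HTTP/1.1" 200 2048
"""

# Common/combined log format: client address, timestamp, request target.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A DOCTYPE or ENTITY declaration inside a query parameter is the XXE signature; a legitimate OGC Filter never needs a DTD.
DTD_MARKERS = re.compile(r'<!\s*(?:DOCTYPE|ENTITY)\b', re.IGNORECASE)

def fully_decode(value, rounds=3):
    """Peel repeated percent-encoding layers so double-encoded payloads are still visible."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(target):
    """Return (is_wfs, [names of query parameters that carry a DTD]) for a request target."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    service = next((v[0] for k, v in params.items() if k.lower() == 'service'), '')
    is_wfs = parts.path.lower().endswith('/wfs') or service.upper() == 'WFS'
    hits = [name for name, values in params.items()
            if any(DTD_MARKERS.search(fully_decode(v)) for v in values)]
    return is_wfs, hits

def scan_log(text):
    """Return one alert dict per log line whose query string contains a DTD declaration."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, ts, target = m.groups()
        is_wfs, hits = inspect_request(target)
        for param in hits:
            alerts.append({'ip': ip, 'time': ts, 'param': param, 'wfs': is_wfs})
    return alerts

print(scan_log(SAMPLE_LOG))  # one alert, for the 10.0.0.9 request's FILTER parameter
```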

IV. Summary

Searching for GeoServer on a search engine returns more than 10,000 results, a large number of which still use the default password. (Do not test them illegally.)

The Tide security team was formally established in January 2019. It is a security team under the banner of New Information, dedicated to research on Internet attack and defense technology. It currently brings together more than ten professional security attack and defense researchers, focusing on network attack and defense, web security, mobile terminals, secure development, IoT / Internet of Things / industrial control security and other directions.

For more from the Tide security team, follow the team's official website, or long-press the QR code to follow the official WeChat account.

Trendy information

Professional, focused, excellent, secure