GeoServer WMS GetMap XXE
CVE-2025-58360 is an XML External Entity (XXE) vulnerability in OSGeo GeoServer. The flaw lies in the WMS GetMap processing path exposed via the /geoserver/wms endpoint, where GeoServer accepts XML input without sufficiently sanitizing or restricting it. A remote attacker can supply crafted XML containing external entity declarations, causing the XML parser to resolve attacker-controlled external entities. The issue is described as unauthenticated and affects GeoServer 2.26.0 through 2.26.1 and 2.25.x before 2.25.6; several references describe the affected range as 2.26.1 and earlier within those branches. Fixed releases cited include 2.25.6, 2.26.3, and 2.27.0; some references also mention 2.26.2 and later maintenance releases, but 2.25.6, 2.26.3, and 2.27.0 are the most consistently cited fixed versions.
Exploits
4 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
Repository purpose: a small Python proof-of-exploitation tool (class + CLI) for GeoServer XXE leading to arbitrary file read, referenced as CVE-2025-58360.
Structure:
- README.md: describes the vulnerability (XXE via WMS GetMap), provides example usage of the GeoDumper class, and links to advisories.
- exploit/exploiter.py: main exploit implementation and CLI entry point.
- requirements.txt: Python dependencies (requests stack).
Exploit flow (exploit/exploiter.py):
1) GeoDumper initializes a requests.Session with header Content-Type: application/xml and fixed query params REQUEST=GetMap and SERVICE=WMS.
2) generate_poisoned_xml(target_file) writes a local XML file containing a DOCTYPE with an external entity: SYSTEM "file://<target_file>" and references it as &xxe; inside <Name>.
3) dump_file() reads that XML from disk and POSTs it to http(s)://<target>/<geoserver_path>/wms.
4) On success, it parses the response body using a regex that expects the file contents to appear in a ServiceException message containing "Unknown layer:".
5) Extracted bytes are written to a local dump_<timestamp> file and also returned to the caller.
Notable characteristics/limitations:
- Focused on file disclosure only (no RCE logic).
- Assumes the vulnerable server reflects expanded entity content in a specific error format; otherwise __extract_data raises "no file data found".
- Randomizes User-Agent per request for light obfuscation.
- Target is specified as "ip or domain"; no explicit port handling beyond default 80/443.
This repository demonstrates a proof-of-concept (POC) exploit for an unauthenticated XML External Entity (XXE) vulnerability in GeoServer (CVE-2025-58360). The exploit targets the WMS GetMap operation via the /geoserver/{workspace}/ows endpoint, which can be used to bypass WAF protections that only monitor the direct /geoserver/wms endpoint. The repository contains two files: a README.md explaining the attack and providing a curl command for exploitation, and a payload.xml file containing the malicious XML payload. The payload attempts to read /etc/passwd from the server using an external entity. The exploit is network-based and requires the target GeoServer instance to be accessible and vulnerable to XXE. No detection scripts or framework code are present; this is a standalone POC exploit.
This repository provides a proof-of-concept exploit for CVE-2025-58360, a critical unauthenticated XML External Entity (XXE) vulnerability in GeoServer's WMS service. The main exploit script (CVE-2025-58360.py) is a Python tool that automates exploitation by sending crafted XML payloads via the SLD_BODY parameter to the /geoserver/ows?service=WMS&request=GetMap endpoint. The exploit allows attackers to read arbitrary files, list directories, and perform SSRF attacks without authentication. The README.md offers detailed technical background, exploitation steps, and remediation advice. The docker-compose.yml sets up both vulnerable and patched GeoServer instances for testing. The exploit is a POC, not weaponized, and is intended for educational and authorized testing purposes.
This repository provides a proof-of-concept exploit for CVE-2025-58360, an XML External Entity (XXE) vulnerability in GeoServer (versions 2.26.0 up to but not including 2.26.2, and versions before 2.25.6). The exploit consists of a Python script (CVE-2025-58360.py) that sends a crafted XML payload to the /geoserver/wms endpoint using a POST request. The payload attempts to read the /etc/passwd file from the server by defining an external entity in the XML. If the server is vulnerable, the script detects the presence of the 'root:' string in the response and prints the file contents. The repository also includes a sample payload.xml for use with curl, which demonstrates an out-of-band XXE attack referencing an external server (http://10.63.150.228:8000). The README provides usage instructions and context. The exploit targets a network-accessible HTTP endpoint and leverages XML parsing vulnerabilities to exfiltrate sensitive files.
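The repositories above all deliver the payload the same way: XML carrying a DOCTYPE with an external entity, sent to a GeoServer WMS entry point either as the POST body or in the SLD_BODY parameter, and one of them uses the per-workspace /geoserver/{workspace}/ows path precisely because filters watching only /geoserver/wms miss it. As an added defender-side example (not code from the page or from any of these repositories), the following Python triage function flags such requests across all three entry points; the request records, the "topp" workspace and the oast.example.invalid host are constructed, and the record loader is left to the reader's proxy or access-log format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# WMS entry points named on this page: /geoserver/wms, /geoserver/ows and the
# per-workspace /geoserver/<workspace>/ows form that rules watching only /geoserver/wms miss.
WMS_PATH = re.compile(r"^/geoserver(?:/[^/?]+)?/(?:wms|ows)/?$", re.IGNORECASE)
# A DOCTYPE internal subset declaring an external (SYSTEM or PUBLIC) entity; group 1 is its identifier.
EXTERNAL_ENTITY = re.compile(
    r'<!DOCTYPE\b.*?<!ENTITY\s+%?\s*\S+\s+(?:SYSTEM|PUBLIC)\s+"([^"]*)"',
    re.IGNORECASE | re.DOTALL,
)

def xml_sources(query, body):
    """Yield each place XML can enter a WMS request: the POST body or the SLD_BODY parameter."""
    if body:
        yield "body", body
    for sld in query.get("sld_body", []):  # parse_qs has already URL-decoded the value
        yield "SLD_BODY", sld

def analyze_request(method, url, body=""):
    """Classify one request; each finding records where the entity sat and what it points at."""
    parts = urlsplit(url)
    query = {k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    result = {"suspicious": False, "getmap": False, "findings": []}
    if not WMS_PATH.match(parts.path):
        return result  # other GeoServer services are out of scope for this page's WMS GetMap issue
    result["getmap"] = ("getmap" in [v.lower() for v in query.get("request", [])]
                        or re.search(r"<(?:\w+:)?GetMap\b", body) is not None)
    for where, xml in xml_sources(query, body):
        m = EXTERNAL_ENTITY.search(xml)
        if m:
            result["findings"].append({"method": method.upper(), "where": where, "uri": m.group(1)})
    result["suspicious"] = bool(result["findings"])
    return result

def triage(records):
    """Keep only the flagged (url, verdict) pairs from (method, url, body) records."""
    return [(u, v) for m, u, b in records for v in [analyze_request(m, u, b)] if v["suspicious"]]

# Constructed sample traffic (not captured from any real system); the OAST host is a placeholder.
SAMPLE_REQUESTS = [
    ("POST", "/geoserver/wms?REQUEST=GetMap&SERVICE=WMS",
     '<?xml version="1.0"?><!DOCTYPE a [<!ENTITY xxe SYSTEM "file:///etc/passwd">]><GetMap><Name>&xxe;</Name></GetMap>'),
    ("POST", "/geoserver/topp/ows?service=WMS&request=GetMap",
     '<!DOCTYPE a [<!ENTITY xxe SYSTEM "http://oast.example.invalid/">]><GetMap/>'),
    ("GET", "/geoserver/ows?service=WMS&request=GetMap&SLD_BODY=%3C!DOCTYPE%20a%20%5B"
     "%3C!ENTITY%20xxe%20SYSTEM%20%22file:///etc/passwd%22%3E%5D%3E%3Ca/%3E", ""),
    ("GET", "/geoserver/wms?SERVICE=WMS&REQUEST=GetMap&LAYERS=topp:states&FORMAT=image/png", ""),
]
```

Only the first three sample records are flagged; the ordinary image GetMap on the last line passes, and the SLD_BODY case is caught after parse_qs URL-decodes the parameter.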
Recent activity
An XXE vulnerability in GeoServer, with detection updated to use out-of-band application security testing (OAST) to confirm external entity resolution more reliably across JVM versions.
An XML external entity vulnerability in GeoServer WMS GetMap functionality, referenced as a Metasploit module PR.
Unauthenticated XXE vulnerability in OSGeo GeoServer (versions prior to referenced fixed release); added to KEV due to active exploitation.
A critical unauthenticated XML External Entity (XXE) vulnerability in GeoServer (CVE-2025-58360) allows attackers to retrieve arbitrary files, perform SSRF, and potentially conduct denial-of-service attacks. The vulnerability is significant due to GeoServer's widespread use in sensitive federal, scientific, and defense environments, and is being actively exploited in the wild.