Potential CVE-2023-25157 Exploitation Attempt

Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer

Sigma rule

title: Potential CVE-2023-25157 Exploitation Attempt
id: c0341543-5ed0-4475-aabc-7eea8c52aa66
status: test
description: Detects a potential exploitation attempt of CVE-2023-25157, a SQL injection in GeoServer
references:
    - https://github.com/win3zz/CVE-2023-25157
    - https://twitter.com/parzel2/status/1665726454489915395
    - https://github.com/advisories/GHSA-7g5f-wrx8-5ccf
author: Nasreddine Bencherchali (Nextron Systems)
date: 2023/06/14
tags:
    - attack.initial_access
    - cve.2023.25157
    - detection.emerging_threats
logsource:
    category: webserver
detection:
    selection_url:
        cs-method: 'GET'
        cs-uri-query|contains|all:
            - '/geoserver/ows'
            - 'CQL_FILTER='
        cs-uri-query|contains:
            # Abusable Filters/Function as reported in the Advisory
            - 'PropertyIsLike'
            - 'strEndsWith'
            - 'strStartsWith'
            - 'FeatureId'
            - 'jsonArrayContains'
            - 'DWithin'
    selection_payload:
        cs-uri-query|contains:
            - '+--'
            - '+AS+'
            - '+OR+'
            - 'FROM'
            - 'ORDER+BY'
            - 'SELECT'
            - 'sleep%28'
            - 'substring%28'
            - 'UNION'
            - 'WHERE'
    condition: all of selection_*
falsepositives:
    - Vulnerability scanners
level: high
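The rule's condition re-implemented in Python and run over a few constructed access-log lines, as an added example that is not part of the rule or the Sigma project. It assumes that cs-uri-query carries the full request path plus query string (which the '/geoserver/ows' match requires) and that string matching is case-insensitive, as the Sigma specification defines for the contains modifier; the log line format is hypothetical.

```python
import re

# Match lists taken from the rule above (cs-uri-query|contains values)
URL_REQUIRED = ["/geoserver/ows", "CQL_FILTER="]          # contains|all
ABUSABLE_FUNCTIONS = ["PropertyIsLike", "strEndsWith", "strStartsWith",
                      "FeatureId", "jsonArrayContains", "DWithin"]
PAYLOAD_TOKENS = ["+--", "+AS+", "+OR+", "FROM", "ORDER+BY", "SELECT",
                  "sleep%28", "substring%28", "UNION", "WHERE"]

def contains_any(value: str, needles) -> bool:
    # Sigma string matching is case-insensitive unless the 'cased' modifier is used
    v = value.lower()
    return any(n.lower() in v for n in needles)

def contains_all(value: str, needles) -> bool:
    v = value.lower()
    return all(n.lower() in v for n in needles)

def matches_rule(cs_method: str, cs_uri_query: str) -> bool:
    """condition: all of selection_* (selection_url AND selection_payload)."""
    selection_url = (cs_method.upper() == "GET"
                     and contains_all(cs_uri_query, URL_REQUIRED)
                     and contains_any(cs_uri_query, ABUSABLE_FUNCTIONS))
    selection_payload = contains_any(cs_uri_query, PAYLOAD_TOKENS)
    return selection_url and selection_payload

# Constructed access-log lines (hypothetical format: client method uri status).
# The raw request URI is mapped to cs-uri-query; that mapping is an assumption.
SAMPLE_LOG = """\
10.0.0.5 GET /geoserver/ows?service=WFS&request=GetFeature&CQL_FILTER=strStartsWith(STATE_NAME,'A') 200
10.0.0.9 GET /geoserver/ows?service=WFS&request=GetFeature&CQL_FILTER=strEndsWith(STATE_NAME,'x')+UNION+SELECT 500
10.0.0.9 POST /geoserver/ows?service=WFS&request=GetFeature&CQL_FILTER=strEndsWith(STATE_NAME,'x')+UNION+SELECT 500
10.0.0.7 GET /app/search?q=SELECT+FROM 200
10.0.0.8 GET /geoserver/ows?service=WFS&request=GetFeature&CQL_FILTER=strStartsWith(CITY,'Wherever') 200
"""

LOG_RE = re.compile(r"^(?P<client>\S+) (?P<method>\S+) (?P<uri>\S+) (?P<status>\d{3})$")

def scan(log_text: str) -> list:
    """Return (line_number, client) for every log line the rule would fire on."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if m and matches_rule(m["method"], m["uri"]):
            hits.append((lineno, m["client"]))
    return hits

if __name__ == "__main__":
    for lineno, client in scan(SAMPLE_LOG):
        print(f"line {lineno}: rule fired for {client}")
```

Only lines 2 and 5 fire: line 3 is excluded by the GET requirement and line 4 by the path check. Line 5 shows a false-positive source beyond vulnerability scanners: a legitimate filter value containing a broad token such as WHERE (here inside 'Wherever') satisfies selection_payload under case-insensitive matching.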
