├── 03-Shiro框架识别
    └── isshiro.7z
├── 05-Shiro漏洞利用
    └── Shiro-EXP-main.zip
└── README.md

/03-Shiro框架识别/isshiro.7z:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HackJava/Shiro/c786b75298542f8cd71445f06645058e45c744ed/03-Shiro框架识别/isshiro.7z

--------------------------------------------------------------------------------
/05-Shiro漏洞利用/Shiro-EXP-main.zip:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/HackJava/Shiro/c786b75298542f8cd71445f06645058e45c744ed/05-Shiro漏洞利用/Shiro-EXP-main.zip

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# HackShiro

This project was created on August 11, 2020. It records knowledge I picked up while studying Shiro vulnerabilities. The project is updated continuously; the most recent update was on May 15, 2022. Author: [0e0w](https://github.com/0e0w)

- [01-Shiro Basics]()
- [02-Shiro Framework Identification]()
- [03-Shiro Vulnerability Summary]()
- [04-Shiro Vulnerability Detection]()
- [05-Shiro Exploitation]()
- [06-Shiro Lab Environments]()

## 01-Shiro Basics
- https://github.com/apache/shiro
- http://greycode.github.io/shiro/doc/reference.html

## 02-Shiro Framework Identification

- The cookie in the request contains a rememberMe field.
- The response contains a rememberMe=deleteMe field.
- When the request contains rememberMe=x, the response contains rememberMe=deleteMe.
- Detection tool: Banli.exe is shiro

## 03-Shiro Vulnerability Summary

- CVE-2020-17523
- CVE-2020-17510
- CVE-2020-13933
- CVE-2020-11989#Apache Shiro authentication bypass vulnerability
- CVE-2016-6802#Shiro Padding Oracle Attack
- CVE-2016-4437#Shiro rememberMe deserialization vulnerability

## 04-Shiro Vulnerability Detection

- KEYS
- GCM
- Gadget
- CommonsBeanutils1
- CommonsBeanutils1_192
- CommonsBeanutilsAttrCompare
- CommonsBeanutilsAttrCompare_192
- CommonsBeanutilsObjectToStringComparator
- CommonsBeanutilsObjectToStringComparator_192
- CommonsBeanutilsPropertySource
- CommonsBeanutilsPropertySource_192
- CommonsBeanutilsString
- CommonsBeanutilsString_192
- CommonsCollections2
- CommonsCollections3
- CommonsCollectionsK1
- CommonsCollectionsK2
- CommonsBeanutils1
- CommonsBeanutils1_192
- CommonsBeanutilsAttrCompare
- CommonsBeanutilsAttrCompare_192
- CommonsBeanutilsObjectToStringComparator
- CommonsBeanutilsObjectToStringComparator_192
- CommonsBeanutilsPropertySource
- CommonsBeanutilsPropertySource_192
- CommonsBeanutilsString
- CommonsBeanutilsString_192
- CommonsCollections2
- CommonsCollections3
- CommonsCollectionsK1
- CommonsCollectionsK2
- [ ] 测试:CommonsBeanutils1_192 回显方式: TomcatEcho
[x] 测试:CommonsBeanutils1_192 回显方式: SpringEcho
[x] 测试:CommonsCollections2 回显方式: TomcatEcho
[x] 测试:CommonsCollections2 回显方式: SpringEcho
[x] 测试:CommonsCollections3 回显方式: TomcatEcho
[x] 测试:CommonsCollections3 回显方式: SpringEcho
[x] 测试:CommonsCollectionsK1 回显方式: TomcatEcho
[x] 测试:CommonsCollectionsK1 回显方式: SpringEcho
[x] 测试:CommonsCollectionsK2 回显方式: TomcatEcho
[x] 测试:CommonsCollectionsK2 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsString 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsString 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsString_192 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsString_192 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsAttrCompare 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsAttrCompare 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsAttrCompare_192 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsAttrCompare_192 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsPropertySource 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsPropertySource 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsPropertySource_192 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsPropertySource_192 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsObjectToStringComparator 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsObjectToStringComparator 回显方式: SpringEcho
[x] 测试:CommonsBeanutilsObjectToStringComparator_192 回显方式: TomcatEcho
[x] 测试:CommonsBeanutilsObjectToStringComparator_192 回显方式: SpringEcho
- Echo
- LinuxEcho
- SpringEcho1
- SpringEcho2
- TomcatEcho
- TomcatEcho2
- JBossEcho
- WeblogicEcho
- ResinEcho
- JettyEcho
- AutoFindRequestEcho
- WriteFileEcho
- Outbound network access available
- No outbound network access

## 05-Shiro Exploitation

This project focuses on exploitation results. For detailed vulnerability analysis, see this site's articles on Shiro analysis. Shiro command echo was first an exploitation technique in the advanced edition of Xray. Security researchers later wrote exploit programs with direct echo based on Xray's approach.

- https://github.com/sv3nbeast/ShiroScan
- https://github.com/insightglacier/Shiro_exploit
- https://github.com/3ndz/Shiro-721
- https://github.com/jas502n/SHIRO-550
- https://github.com/jas502n/SHIRO-721
- https://github.com/insightglacier/Shiro_exploit
- https://github.com/acgbfull/Apache_Shiro_1.2.4_RCE
- https://github.com/sunird/shiro_exp
- https://github.com/teamssix/shiro-check-rce
- https://github.com/wyzxxz/shiro_rce
- https://github.com/bkfish/Awesome_shiro
- https://github.com/zhzyker/shiro-1.2.4-rce
- https://github.com/pmiaowu/BurpShiroPassiveScan
- https://github.com/feihong-cs/ShiroExploit
- https://github.com/potats0/shiroPoc
- https://github.com/tangxiaofeng7/Shiroexploit
- https://github.com/fupinglee/ShiroScan
- https://github.com/Ares-X/shiro-exploit
- https://github.com/j1anFen/shiro_attack
- https://github.com/Veraxy01/Shiro-EXP
- https://github.com/admintony/shiro_rememberMe_Rce
- https://github.com/j1anFen/ysoserial_echo
- https://github.com/Veraxy00/Shiro-EXP
- https://github.com/mmioimm/shiro_echo
- https://github.com/dr0op/shiro-550-with-NoCC
- https://github.com/M4da0/ShiroExploit
- https://github.com/inspiringz/Shiro-721
- https://github.com/KpLi0rn/ShiroTool
- https://github.com/KpLi0rn/ShiroExploit
- https://github.com/safe6Sec/ShiroExp
- https://github.com/longofo/PaddingOracleAttack-Shiro-721
- https://github.com/myzxcg/ShiroKeyCheck
- https://github.com/emo-cat/shiro_exploit

## 06-Shiro Lab Environments

- https://vulhub.org
- https://fofapro.github.io/vulfocus

## 07-Shiro Reference Resources

- https://paper.seebug.org/1290
- https://koalr.me/post/shiro-lou-dong-jian-ce

--------------------------------------------------------------------------------