Shiro721 vulnerability reproduction (automated tool usage and detailed tutorial)

Table of contents

Vulnerability introduction

1. Environment setup

2. Vulnerability reproduction

3. Vulnerability exploitation

4. Bug fixes


Vulnerability introduction:

Shiro721 is a vulnerability in the Apache Shiro security framework. In some cases, a Shiro deployment running with the default settings keeps a session's state alive after the session has expired, even if the session has been deleted. An attacker can exploit this to access resources they are not authorized for.

1. Environment setup:

Here is how to build the vulnerable environment with Docker:

Pull the vulnerable image: docker pull vulfocus/shiro-721

Wait for the image download to complete.

Start the container: docker run -d -p 8080:8080 vulfocus/shiro-721 (this maps the service to local port 8080)

Once the environment has started,

open the lab (target range) address in your local browser: your-ip:8080

The lab environment is now set up.

2. Vulnerability reproduction:

Attack process:

1. Log in to the target site with any account to obtain a valid RememberMe cookie

2. Use the obtained value as the prefix for the padding oracle attack (POA)

3. Encrypt the deserialization payload to construct a malicious RememberMe cookie

4. Place the constructed malicious data in the RememberMe cookie field and send it

First log in with the provided username and password, tick Remember Me and click Login.

Use Burp to capture the request at this point and obtain the rememberMe value in the response.

Seeing that the response contains the rememberMe=deleteMe field, we conclude that the site uses the Shiro framework. The remaining steps are carried out with a tool.

3. Vulnerability exploitation:

Choose the request method, enter the URL, and select key brute-forcing. Once brute-forcing succeeds, the matched key is returned directly.

Select gadget-chain brute-forcing and echo (output display). Likewise, a successful result looks like the figure.

Command execution: enter the command to run directly, or obtain a reverse shell.

The vulnerability has been reproduced.

4. Bug fixes:

Because exploiting Shiro721 first requires brute-forcing to obtain the key, one defense is to block IP addresses that make many requests in a short period of time. You can also disable the rememberMe persistent-login function.

(Anyone interested in the tool can message me privately and I will share it.)

Origin blog.csdn.net/m0_52701599/article/details/129775886