Shiro RememberMe 1.2.4 deserialization vulnerability reproduction

Principle

  Apache Shiro is a Java security framework for authentication, authorization, cryptography and session management.
  Shiro's default CookieRememberMeManager handles the cookie as follows: read the rememberMe cookie value -> Base64 decode -> AES decrypt -> deserialize. Because the AES key is hard-coded, an attacker can construct malicious data that is deserialized by the server, giving a remote code execution vulnerability. The vulnerability affects Shiro versions <= 1.2.4.
  Hard-coding is the software development practice of embedding data directly into the source code of a program or other executable object.
  A hard-coded password is a password written directly into the program code. On the one hand this makes the program hard to maintain: once the code is in use, the password cannot be changed without patching the software. On the other hand it weakens the security of the system: a hard-coded password means that anyone who can view the code can read the password and use it to access systems they have no permission for. Worse still, if an attacker can obtain the application's byte code, a decompiler is enough to read the code and recover the password.
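Because the server blindly runs the Base64 -> AES -> deserialize pipeline on whatever arrives in the rememberMe cookie, a defender can at least sanity-check that cookie before it reaches the application. The following Python script is an added example written for this page, not code from the original post or from the Shiro project. It assumes that a genuine Shiro cookie decodes to a 16-byte IV followed by AES-CBC ciphertext (Shiro's default AES cipher service prepends a random IV) and that a legitimate serialized principal stays well under the 2048-byte ceiling used here, which is an assumed threshold to tune per deployment. The sample requests are constructed.

```python
import base64
import binascii

AES_BLOCK_SIZE = 16            # AES block size; the decoded cookie is IV + CBC ciphertext
MAX_REMEMBERME_BYTES = 2048    # assumption: a legitimate rememberMe cookie stays far below this
LOGOUT_MARKER = "deleteMe"     # value Shiro writes when it clears the cookie; nothing to decrypt


def parse_cookie_header(header):
    """Split a raw Cookie header into a name -> value dict (last occurrence wins)."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def inspect_rememberme(value):
    """Classify one rememberMe value as 'absent', 'ok' or 'suspicious', with a reason."""
    if value is None:
        return "absent", "no rememberMe cookie"
    if value == LOGOUT_MARKER:
        return "ok", "logout marker, nothing to decrypt"
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "suspicious", "value is not valid Base64"
    # IV plus CBC ciphertext must be block aligned and longer than the IV alone
    if len(raw) % AES_BLOCK_SIZE != 0 or len(raw) <= AES_BLOCK_SIZE:
        return "suspicious", "%d bytes cannot be IV plus CBC ciphertext" % len(raw)
    # Gadget-chain payloads are large; a real serialized principal is small
    if len(raw) > MAX_REMEMBERME_BYTES:
        return "suspicious", "%d bytes exceeds the %d-byte ceiling" % (len(raw), MAX_REMEMBERME_BYTES)
    return "ok", "%d bytes, block aligned" % len(raw)


def scan_requests(requests):
    """requests: iterable of (client_ip, cookie_header). Returns [(ip, reason)] for flagged requests."""
    findings = []
    for ip, header in requests:
        verdict, reason = inspect_rememberme(parse_cookie_header(header).get("rememberMe"))
        if verdict == "suspicious":
            findings.append((ip, reason))
    return findings


# Constructed sample traffic: a plausible cookie, a logout marker, an oversized blob, junk
LEGIT = base64.b64encode(bytes(16) + bytes(32)).decode()        # 48 bytes, block aligned
OVERSIZED = base64.b64encode(bytes(16) + bytes(4096)).decode()  # 4112 bytes, far too large
SAMPLE_REQUESTS = [
    ("10.0.0.5", "JSESSIONID=abc123; rememberMe=" + LEGIT),
    ("10.0.0.6", "rememberMe=deleteMe"),
    ("203.0.113.9", "rememberMe=" + OVERSIZED),
    ("203.0.113.10", "rememberMe=not*base64*at*all"),
]

if __name__ == "__main__":
    for ip, reason in scan_requests(SAMPLE_REQUESTS):
        print("flag", ip, reason)
```

The size and alignment checks only catch the obvious cases; the actual fix is to stop relying on the shipped default key, which is why Shiro upgrades past 1.2.4 and a per-deployment cipher key matter more than any cookie filter.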

Environment setup

1. Pull the image

docker pull medicean/vulapps:s_shiro_1

2. Run it on port 8091

docker run -d -p 8091:8080 medicean/vulapps:s_shiro_1

3. Install the Python module

pip3 install pycrypto

4. Upload the payload-generating script
On the command line, type rz and press Enter to open the upload dialog, then select shiro_poc.py to upload. Note that you need to change into the /tmp/ directory before downloading.

5. Build the ysoserial jar file
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial/
mvn package -DskipTests
Here the prompt reports that the command is not found, so maven needs to be installed:

apt update
apt upgrade
apt install maven
mvn -version

Note: installing maven requires a JDK to be installed already; Kali has one by default.
As shown below, the installation was successful.

Re-run the build:

mvn package -DskipTests

I ran into an error.
 
After searching the Internet I found the following explanation, but I do not really understand what it is saying.
 
So I went back and reinstalled Java.
Because Kali has OpenJDK built in, the Java installation reported success, but java -version still printed the OpenJDK build, and running javac -version said the command was not found; I am not sure whether a freshly downloaded Kali virtual machine simply does not have Java installed.
So I downloaded ysoserial.jar directly and uploaded it to the same directory instead.

Reproduction process

The reproduction process follows this article:
https://www.cnblogs.com/paperpen/p/11312671.html
and in the end it reproduced successfully.


Source: www.cnblogs.com/RitaWWang/p/11857598.html