Description
The author has set a fixed key in the com.hope.shiro.config.ShiroConfig under the hope-admin package and uses this key to encrypt the rememberMe parameter in the cookie. This situation can lead to a deserialisation attack with very serious consequences.
This key can also be obtained by decrypting the ciphertext corresponding to the rememberMe parameter.
Set up a local environment for attacks. When the attacker logs in and selects remember me, the cookie will have the rememberMe field
After blasting or auditing the source code, we can find that the encoded key is 1QWLxg+NYmxraMoxAXu/Iw==, which is the same as the key set in the source code.
After an audit, I found that the source code contains commons-beanutils-1.9.4.jar dependency, which is actually a dependency included in shiro.
Using this dependency, it is possible to generate a deserialized payload and then encrypt the payload using the key obtained by blasting.
Finally, write this payload after the rememberMe field and attack it. Successful RCE
Note that the JSESSIONID in the cookie field should be deleted, otherwise the system will make judgments directly based on the JSESSIONID.