shiro

工具开源项目

https://github.com/feihong-cs/ShiroExploit-Deprecated
https://github.com/sv3nbeast/ShiroScan/
https://github.com/wyzxxz/shiro_rce

分析

shiro功能类 - CookieRememberMeManager

参考文章

https://shiro.apache.org/security-reports.html
https://issues.apache.org/jira/browse/SHIRO-550
https://blog.csdn.net/three_feng/article/details/52189559
https://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/
https://markmail.org/thread/fl2bcu75hese4tzb
https://stackoverflow.com/questions/26639205/shiro-how-does-remember-me-work/35633675
https://shiro.apache.org/static/1.2.1/apidocs/org/apache/shiro/crypto/JcaCipherService.html
https://github.com/pledbrook/grails-shiro/issues/28
http://shiro-user.582556.n2.nabble.com/Randomized-key-for-RememberMe-token-td7579078.html
https://shiro.apache.org/static/1.7.0/apidocs/org/apache/shiro/mgt/AbstractRememberMeManager.html
https://balusc.omnifaces.org/2013/01/apache-shiro-is-it-ready-for-java-ee-6.html#RememberMe
https://issues.apache.org/jira/browse/SHIRO-441
https://issues.apache.org/jira/browse/SHIRO-561
https://issues.apache.org/jira/browse/SHIRO-721
https://www.mail-archive.com/user@shiro.apache.org/msg05870.html
https://issues.apache.org/jira/browse/SHIRO-682
https://github.com/apache/shiro/pull/127
https://github.com/apache/shiro/pull/181
https://blog.riskivy.com/shiro-%E6%9D%83%E9%99%90%E7%BB%95%E8%BF%87%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%EF%BC%88cve-2020-1957%EF%BC%89/

权限绕过

/;/[api/

CVE-2020-17510

影响版本
shiro-1.6.9

CVE-2020-13933

影响版本
shiro-1.5.9

poc
权限绕过

CVE-2020-11989 | shiro-782

影响版本
shiro-1.5.2

poc
权限绕过

shiro-721

影响版本
shiro1.2.5
shiro1.2.6
shiro1.3.0
shiro1.3.1
shiro1.3.2
shiro1.4.0-RC2
shiro1.4.0
shiro1.4.1

CVE-2020-2957 | shiro-682

影响版本
shiro-1.3.1

CVE-2020-1957 | shiro-

影响版本

poc
权限绕过

CVE-2019-12422

影响版本
shiro-1.4.3

CVE-2016-6802

影响版本
shiro-1.3.1

poc
权限绕过

CVE-2016-4437 | shiro-550

影响版本
shiro-1.2.4

CVE-2014-0074 | shiro-460

影响版本
shiro-1.0.0 - shiro-1.2.2

CVE-2010-3863

影响版本
shiro-1.0.9

poc
权限绕过

shiro-31

影响版本
shiro-0.9

poc
CSRF

posted @ 2019-06-18 09:39 7hang 阅读(1639) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

7hang.

网络安全爱好者，blog is just for notes.

shiro

CVE-2020-17510

CVE-2020-13933

CVE-2020-11989 | shiro-782

shiro-721

CVE-2020-2957 | shiro-682

CVE-2020-1957 | shiro-

CVE-2019-12422

CVE-2016-6802

CVE-2016-4437 | shiro-550

CVE-2014-0074 | shiro-460

CVE-2010-3863

shiro-31

公告