Shiro反序列化漏洞深入分析与利用教学<\/h1>

1. 漏洞概述<\/h2>

Shiro是一个Java安全框架，提供身份验证、授权、密码学和会话管理功能。Shiro550（CVE-2016-4437）和Shiro721（CVE-2019-12422）是两个著名的反序列化漏洞：<\/p>

Shiro550<\/strong>：由于使用硬编码的AES加密密钥导致的反序列化漏洞<\/li>

Shiro721<\/strong>：Padding Oracle攻击导致的身份验证绕过漏洞<\/li> <\/ul>
2. 环境搭建<\/h2>

使用Vulhub搭建测试环境：<\/li> <\/ol>
git clone https:\/\/github.com\/vulhub\/vulhub.git <\/span><\/span>cd vulhub\/shiro\/CVE-2016-4437 <\/span><\/span>docker-compose up -d <\/span><\/span><\/code><\/pre> 获取运行中的JAR包：<\/li> <\/ol> docker ps # 获取容器ID<\/span> <\/span><\/span>docker cp <container_id>:\/path\/to\/shirodemo-1.0-SNAPSHOT.jar . <\/span><\/span><\/code><\/pre> 使用IDEA分析：<\/li> <\/ol> 创建项目<\/li> 新建libs目录并放入JAR包<\/li> 右键libs目录选择"Add as Library"<\/li> <\/ul> 3. 漏洞分析流程<\/h2> 3.1 路由分析<\/h3> 通过MANIFEST.MF<\/code>文件找到入口类，分析UserController<\/code>：<\/p> @Controller<\/span> <\/span><\/span>public<\/span> class<\/span> UserController<\/span> {<\/span> <\/span><\/span> @PostMapping<\/span>({<\/span>"\/doLogin"<\/span>})<\/span> <\/span><\/span> public<\/span> String doLoginPage<\/span>(<\/span>@RequestParam<\/span>(<\/span>"username"<\/span>)<\/span> String username,<\/span> <\/span><\/span> @RequestParam<\/span>(<\/span>"password"<\/span>)<\/span> String password,<\/span> <\/span><\/span> @RequestParam<\/span>(<\/span>name =<\/span> "rememberme"<\/span>,<\/span> defaultValue =<\/span> ""<\/span>)<\/span> String rememberMe)<\/span> {<\/span> <\/span><\/span> Subject subject =<\/span> SecurityUtils.<\/span>getSubject<\/span>();<\/span> <\/span><\/span> try<\/span> {<\/span> <\/span><\/span> subject.<\/span>login<\/span>(<\/span>new<\/span> UsernamePasswordToken(<\/span>username,<\/span> password,<\/span> rememberMe.<\/span>equals<\/span>(<\/span>"remember-me"<\/span>)));<\/span> <\/span><\/span> return<\/span> "forward:\/"<\/span>;<\/span> <\/span><\/span> }<\/span> catch<\/span> (<\/span>AuthenticationException var6)<\/span> {<\/span> <\/span><\/span> return<\/span> "forward:\/login"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> }<\/span> <\/span><\/span> \/\/ 其他路由方法... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>关键点：<\/p> rememberme<\/code>参数控制是否启用"记住我"功能<\/li> UsernamePasswordToken<\/code>构造方法处理认证信息<\/li> <\/ul> 3.2 认证流程分析<\/h3> Subject创建<\/strong>：<\/li> <\/ol> Subject subject =<\/span> SecurityUtils.<\/span>getSubject<\/span>();<\/span> <\/span><\/span><\/code><\/pre> 登录流程<\/strong>：<\/li> <\/ol> subject.<\/span>login<\/span>(<\/span>new<\/span> UsernamePasswordToken(...));<\/span> <\/span><\/span><\/code><\/pre> 深入login<\/code>方法<\/strong>：<\/li> <\/ol> 进入DelegatingSubject<\/code>类的login<\/code>方法<\/li> 调用securityManager.login(this, token)<\/code><\/li> <\/ul> 认证过程<\/strong>：<\/li> <\/ol> DefaultSecurityManager.authenticate()<\/code><\/li> AbstractAuthenticator.doAuthenticate()<\/code><\/li> AuthenticatingRealm.getAuthenticationInfo()<\/code><\/li> <\/ul> 3.3 反序列化触发点<\/h3> 关键路径：<\/p> DefaultSecurityManager.createSubject()<\/code><\/li> DefaultSecurityManager.resolvePrincipals()<\/code><\/li> DefaultSecurityManager.getRememberedIdentity()<\/code><\/li> AbstractRememberMeManager.getRememberedPrincipals()<\/code><\/li> <\/ol> 关键代码：<\/p> public<\/span> PrincipalCollection getRememberedPrincipals<\/span>(<\/span>SubjectContext subjectContext)<\/span> {<\/span> <\/span><\/span> byte<\/span>[]<\/span> bytes =<\/span> this<\/span>.<\/span>getRememberedSerializedIdentity<\/span>(<\/span>subjectContext);<\/span> <\/span><\/span> if<\/span> (<\/span>bytes !=<\/span> null<\/span> &&<\/span> bytes.<\/span>length<\/span> ><\/span> 0<\/span>)<\/span> {<\/span> <\/span><\/span> return<\/span> this<\/span>.<\/span>convertBytesToPrincipals<\/span>(<\/span>bytes,<\/span> subjectContext);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.4 漏洞核心<\/h3> 数据处理流程<\/strong>：<\/p> 从Cookie获取rememberMe<\/code>值<\/li> Base64解码<\/li> AES解密（使用硬编码密钥）<\/li> 反序列化解密后的数据<\/li> <\/ul> <\/li> 硬编码密钥<\/strong>：<\/p> <\/li> <\/ol> public<\/span> AbstractRememberMeManager<\/span>()<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>serializer<\/span> =<\/span> new<\/span> DefaultSerializer();<\/span> <\/span><\/span> this<\/span>.<\/span>cipherService<\/span> =<\/span> new<\/span> AesCipherService();<\/span> <\/span><\/span> this<\/span>.<\/span>setCipherKey<\/span>(<\/span>DEFAULT_CIPHER_KEY_BYTES);<\/span> \/\/ 硬编码密钥 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 反序列化点<\/strong>：<\/li> <\/ol> protected<\/span> PrincipalCollection convertBytesToPrincipals<\/span>(<\/span>byte<\/span>[]<\/span> bytes,<\/span> SubjectContext context)<\/span> {<\/span> <\/span><\/span> bytes =<\/span> this<\/span>.<\/span>decrypt<\/span>(<\/span>bytes);<\/span> \/\/ AES解密 <\/span><\/span><\/span><\/span> return<\/span> this<\/span>.<\/span>deserialize<\/span>(<\/span>bytes);<\/span> \/\/ 反序列化 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h2> 4.1 利用工具<\/h3> 使用ShiroAttack2<\/a>工具：<\/p> java -jar shiro_attack-4.7.0-SNAPSHOT-all.jar <\/span><\/span><\/code><\/pre>4.2 利用步骤<\/h3> 检测Shiro框架<\/li> 使用内置密钥检测<\/li> 选择利用链（如CommonsBeanutils1）<\/li> 构造恶意序列化对象<\/li> 执行命令<\/li> <\/ol> 4.3 Debug验证<\/h3> 启动应用并附加调试器：<\/li> <\/ol> java -agentlib:jdwp=<\/span>transport=<\/span>dt_socket,server=<\/span>y,suspend=<\/span>n,address=<\/span>65500<\/span> -jar shirodemo-1.0-SNAPSHOT.jar <\/span><\/span><\/code><\/pre> 关键断点设置：<\/li> <\/ol> AbstractRememberMeManager.getRememberedPrincipals()<\/code><\/li> AbstractRememberMeManager.convertBytesToPrincipals()<\/code><\/li> AbstractRememberMeManager.decrypt()<\/code><\/li> AbstractRememberMeManager.deserialize()<\/code><\/li> <\/ul> 5. 漏洞修复<\/h2> 升级到最新版本（≥1.2.5）<\/li> 自定义加密密钥：<\/li> <\/ol> public<\/span> class<\/span> CustomRememberMeManager<\/span> extends<\/span> CookieRememberMeManager {<\/span> <\/span><\/span> public<\/span> CustomRememberMeManager<\/span>()<\/span> {<\/span> <\/span><\/span> setCipherKey(<\/span>Base64.<\/span>decode<\/span>(<\/span>"your_random_base64_encoded_key"<\/span>));<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre> 配置Shiro：<\/li> <\/ol> @Bean<\/span> <\/span><\/span>public<\/span> SecurityManager securityManager<\/span>()<\/span> {<\/span> <\/span><\/span> DefaultWebSecurityManager securityManager =<\/span> new<\/span> DefaultWebSecurityManager();<\/span> <\/span><\/span> securityManager.<\/span>setRememberMeManager<\/span>(<\/span>new<\/span> CustomRememberMeManager());<\/span> <\/span><\/span> return<\/span> securityManager;<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>6. 总结<\/h2> Shiro550漏洞的核心在于：<\/p> 使用硬编码AES密钥（kPH+bIxk5D2deZiIxcaaaA==<\/code>）<\/li> 对用户控制的rememberMe cookie值进行反序列化<\/li> 缺乏对反序列化对象的白名单校验<\/li> <\/ol> 通过分析这个漏洞，我们可以学习到：<\/p> Java反序列化漏洞的原理<\/li> Shiro框架的认证流程<\/li> 加密机制的安全实现<\/li> 漏洞挖掘和利用的思路<\/li> <\/ul>