Title: Apache Shiro padding oracle attack vulnerability reproduction

Apache Shiro padding oracle attack vulnerability reproduction

Shiro uses AES-128-CBC mode to encrypt cookies, so a malicious user can use a padding oracle attack to construct encrypted serialized data that Shiro will then deserialize.

For example, the previously disclosed SHIRO-550 vulnerability is a problem with the rememberMe cookie.

Environment setup

Shiro environment package download address: https://github.com/jas502n/SHIRO-721

Exploit (exp) download address: https://github.com/Geekby/shiro_rce_exp

Reproduction environment: Ubuntu 16.04 + Tomcat 8 + Shiro 1.4.1

apt-get install tomcat8 tomcat8-docs tomcat8-examples tomcat8-admin

Then deploy the downloaded samples-web-1.4.1.war package to tomcat.

Vulnerability reproduction

Visit the shiro login page

Enter the username and password, click Remember Me

Visit any page to get the rememberMe in the cookie

Generate java class payload

Execute exp

Get the cookie after padding oracle attack

Note: The cracking takes a long time, about 100 min - 120 min.

Copy the cookie and replay the packet

Check the execution results

The success file was created, so the command can be executed.

References

https://www.anquanke.com/post/id/192819

https://github.com/jas502n/SHIRO-721

https://github.com/wuppp/shiro_rce_exp
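
A defender's view of the procedure above, as an added example that is not part of the original post: the padding oracle step sends a large number of requests with altered rememberMe values over a long period, and Shiro answers a cookie it cannot decrypt or deserialize with `Set-Cookie: rememberMe=deleteMe`, so the pattern can be detected per client. The log format, the thresholds and the sample lines are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed sample lines (not from the page). Assumed format per line:
#   epoch_seconds client_ip id-of-rememberMe-value response-set-deleteMe(0/1)
def make_sample():
    lines = []
    # Normal user: one cookie, accepted every time.
    for t in range(0, 600, 60):
        lines.append(f"{t} 10.0.0.5 a1b2c3 0")
    # Oracle-style probing: a new cookie value on every request, almost all rejected.
    for i in range(400):
        rejected = 0 if i % 128 == 127 else 1
        lines.append(f"{i} 10.0.0.9 {i:06x} {rejected}")
    # User with an expired cookie: a single rejection, then nothing.
    lines.append("30 10.0.0.7 ffeedd 1")
    return lines

def parse(line):
    ts, ip, cookie_id, deleted = line.split()
    return int(ts), ip, cookie_id, deleted == "1"

def find_oracle_probing(lines, window=300, min_distinct=100, min_reject_ratio=0.9):
    """Return {ip: (distinct_cookies, reject_ratio)} for clients that, within
    `window` seconds, sent at least `min_distinct` different rememberMe values
    and had at least `min_reject_ratio` of those requests answered with deleteMe."""
    recent = defaultdict(deque)  # ip -> deque of (ts, cookie_id, rejected)
    flagged = {}
    for ts, ip, cookie_id, rejected in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, cookie_id, rejected))
        while q and q[0][0] < ts - window:  # drop entries older than the window
            q.popleft()
        distinct = len({c for _, c, _ in q})
        ratio = sum(r for _, _, r in q) / len(q)
        if distinct >= min_distinct and ratio >= min_reject_ratio:
            # Keep the observation with the most distinct cookie values.
            if distinct > flagged.get(ip, (0, 0.0))[0]:
                flagged[ip] = (distinct, round(ratio, 3))
    return flagged

if __name__ == "__main__":
    for ip, (n, ratio) in find_oracle_probing(make_sample()).items():
        print(f"{ip}: {n} distinct rememberMe values, {ratio:.0%} rejected")
```

A single rejected cookie, such as one from a user whose rememberMe value has expired, stays well below the thresholds; only sustained probing with many different values is reported.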
