“ RASP漏洞防御之 shiro 反序列化”
ApacheShiro框架提供了记住我的功能(RememberMe),用户登陆成功后会生成经过加密并编码的cookie,在服务端接收cookie值后,Base64解码–>AES解密–>反序列化。攻击者只要找到AES加密的密钥,就可以构造一个恶意对象,对其进行序列化–>AES加密–>Base64编码,然后将其作为cookie的rememberMe字段发送,Shiro将rememberMe进行解密并且反序列化,最终造成反序列化漏洞。
在反序列化时,不会对其进行过滤,所以如果传入恶意代码将会造成安全问题在 1.2.4 版本前,是默认ASE秘钥,Key: kPH+bIxk5D2deZiIxcaaaA==,可以直接反序列化执行恶意代码,而在1.2.4之后,ASE秘钥就不为默认了,需要获取到Key才可以进行渗透。
01
—
模块编写
了解下攻击原理之后,很容易针对性的构建防御模块,借助 jrasp基础设施,很容易堵住漏洞。
hook类以及密钥设置
private Set<String> shiroBlackKeySet = new HashSet<String>(Arrays.asList(// 在 1.2.4 版本前,是默认ASE秘钥,Key: kPH+bIxk5D2deZiIxcaaaA== 可以直接反序列化执行恶意代码"kPH+bIxk5D2deZiIxcaaaA=="));@Overridepublic void loadCompleted() {new EventWatchBuilder(moduleEventWatcher).onClass(new ClassMatcher("org/apache/shiro/mgt/AbstractRememberMeManager").onMethod("getDecryptionCipherKey()[B", new GetDecryptionCipherKeyListener())).build();}
检测方法:
public class GetDecryptionCipherKeyListener extends AdviceListener {@Overrideprotected void afterReturning(Advice advice) throws Throwable {if (disable) {return;}String key = Base64.encode((byte[]) advice.getReturnObj());for (String item : shiroBlackKeySet) {if (StringUtils.isNotBlank(item) && item.equals(key)) {boolean enableBlock = shiroRememberMeAction == 1;AttackInfo attackInfo = new AttackInfo(context.get(), metaInfo, key, enableBlock,"Shiro default passwd", SHIRO_REMEMBER_ME,"detect shiro default cipher key: " + key,100);log.attack(attackInfo);if (enableBlock) {ProcessController.throwsImmediatelyAndSendResponse(attackInfo, raspConfig, new RuntimeException("detect shiro default cipher key block by JRASP."));}return;}}}}
代码详见:https://github.com/jvm-rasp/jrasp-agent.git
说明:代码由 @是小易呀、@hycsxs 提供
02
—
实战
攻击日志:
2023-06-30 23:03:16.597 WARNING MacBook-Pro.local [http-nio-8080-exec-1] [attack.attack]{"context":{"method":"GET","protocol":"HTTP/1.1","localAddr":"127.0.0.1","remoteHost":"127.0.0.1","requestURL":"http://localhost:8080/login","requestURI":"/login","contentType":"null","contentLength":-1,"characterEncoding":"null","parameters":"","header":"c:cHdk\naccept-language:zh-CN,zh;q=0.9\ncookie:rememberMe=iIJnNjiUTIHEC7iiowOrSJg2KNEvxWSzFAhkyB57S4SdR1ovC7rQ2Q69yBzQG1YSR4b0Oct5F7kwgXoC5eoXjDlPf45F77RQpt2RxO3xO5F+t0hpRP+tW2O/vPxeM7KFMlCVenJs4/XuNvuVDiNa17o0/DfDNRm5+hArH30fm3JOptnubtBOXTC0btpYfqanrpt2eBH3Zl4JJXd+L1hba/f3djqjG+Q7jOPg4UIfnPeGdxvr1xP2b44KsWKXVcbN/YopzvAAczoIAy0VydQBmlVDRyY5NVPQocLjdiTG4dVwqgXS+qJDFasnzbSvPQejVfjrEhCE2o6zKCW2fl3uT93fMj5kZVzxTo8t2xPh6ASPa/I9O4AF/Db2xeWIGxNcyMsdmxjDTntc5NYLEuwtMA+TKw8km6OKGgjcMLR1NGxdRlMfcy5n4poJxpOeex7QSsp6QB80Ex0KTmYN1jlhxXCOdqEwmA7keTwhypoyH+eVxg5wBNCBew71akE+M8AsezyOdTyvG1H5u9uoWLIHJ23pFcHMxysVG4EXVGrDKx35GwAQNmONggQ7Fn3pILTdJHOpKYH72tV4wCQ8ajjK4f1IOSZFQQp0BL9S6N1Yatp2zEs0C3Y/pbcvzNijxy/dK0JEKQU9PhYKPRi3yQM/Skuv9Ff3bx9YVDw3YAXz027fTZZWKrbDlzNW2m7wdsE89USThz7a7jaKP/NSR7/FpVcElS5xzsvQRFW3L4X3T6b9i5CXMWSVF6VetBSxyjI60C9DNUTHt/sG+aDIAsP0Q2jUjIi2txW45P1jzQc4zdwF5Xab0hv71FFJphSdTXtDu2DVIpQyeo2twR1rvwt/OyiSoBfBmHfwLziOEZmqBMY5Hpq9I+pjhqcip5B2KyYdBRuQtBXjA57XZPz/ypdheQgmQ220bByvkc14Nf6xTboWOu2zCYtTuumCmFyLr0prq1+/vHddbyV7VEeOYNnx9gsaK2Zx4caec9WO5QKsCaKkwlhCRZ8CSqRSXp0dq6sAEgSKj2XJPxWY8+Bk0Hv8hm/kurCFlOU8TB3FwW0/tz7NO0fMOefGxsXb8tP9tSqzAknQGQ4khcorWM6wxjMBg3u4p/vcKQ2luvooOvb8vHLhj9P2w8dbkqF/Wk03RSKfCOmBr9O0PWQsHski6OTjNwhfr3Ca89c3a6qSzh0ERuDvvq8sevyzjYwsXFXjOxsLUk6YC/UPMKA6CQ96oSMYUA3wowOk1FEsPSurZk9ff2p7sW+MrCMzMpq4vW+jx2ilmlJwVbk0JpQPskJmWeLYRX8MsNVsLbMKtp1WNQpXFCouUiAW7WBzRFXn+h+YrdhSjjXFBVk54+o0WSE6066fUKnlmSD3d5A6qdaXbT5mByYcYUBl9sTGDiZa1b5nbCTjLAK93ZqpyNjBQ+lmnsmvMvpJAhbXQ9CbaxAtYoHJX0qjjrkxsWVb3rIx4lnR4EaELfBh7boAHfxmb8p8SZSh08Aap4ztkVp3pADLiK353zlVmI90MRl6ovOVUGbdrvsIf59igCCP6b6Ub57Wjkj9gSzNXgPaNEzpmcXxY7kju7Tbaq6ZnaylpJnsutmj6dGIv+bEaEOzHHrBgmG5lHbIPxVltx1DONpbjkKwIF1IAxYE/S5UkMZkqjorKCIhKWg5VMFest5scZ20x9kMrMBFKBBPmo0RYdctelxp+YaT4TKscgnNDjWb/ZhOoIdDQ0pqwnFbydox4QMThX/gEYuzmt3ZLKuV2QvcTI1Hosjd/QqTsSOJpBCNQ+/UaHSxH8lsuEnYz7GH3O3Dww2g8T6pOOON6EWUBv8T3DCaivxF0us1h4A1xuIMUHwPwfmUgkgl1uLL6uqGgOchrj1YoPHq8ePFCjEeCWfCpqKU6rJZkj9eiBEUiQxoWLg2NXexxcnhYMwxnf+FlHbDCtzqL+bTOjvBWZV/oeJoq7/ITnJD2pdkRmXxcgagFJKUesKRu32kFh6wDXnBPLdx2uaaBU+iv1RLodeKzEfBp5spIpfFDFHdOgY++98OxEUUGAopPdmthpOwniIv94w1rzbcUWe91RCC0a/CSCs9KgkAKGI/IG7nNLdSao8ZmNkxBJYguoPNQZqdRYXnIIChgp2guSoxsD34orFgoXCIK1NQpJPhmxXefyTFc6GWhWbJ6mrmL41SDEE0VZCVfFUC1dAtO5yvZH/B4eooLTxCj59J31CzroHNn8plem/9Rq4Uva4pqk8wvL7yH0u6vVJJrhO90ehas2LlJXo/pZa5og5GETy2Co1dW3whpOCJQKuEyWBm7rDAH19cQD+tgI6apYEdFwdCY/mliwuzS+eOXiGH7yNsfnEPiPMVEyq4HGwEtM1tnuSbMcxcRdX8L6x+OyFGr0TPVSolWkz9+ObgTaEFmGJJUs76DIsPkSF8ps+6fsa5OGJY+d9vzEQ0sW9Jw+oCUIpcrcfZU3fh2ipbTo17ipRUMuPipwlWEmEAzErg1iyhrHFvuP7CMrIcqAzIJdbHnzdAWAKg+lnOe4BlBe0O4Y7IsmAmFevNjgYGf9/goWNtLmuOnioRvMUH57mYHOw/22lFgpj/Bn/2DhVMAUFUer57puuMnYTwcnrs7UAa7XW9oXbBystxMoHsc/b5iXUszhidhXs1zO5WOj53EcgUtyVpdin660peAkgIwA9LHvqSQX4cesqSciyN+MZS3NCbzLfusRZRNfJy0u9f0EA8e9BWt8s1l1SDtuX3X492sdfC+2yL+70tFW7r1mWe0w/F6fttEyhDIH3EemIQiS2drL2lbYXETVzd/0rqkJqNYRn/frw0BzqT8kUDJeBeV6tLvVILaE1yq+MY65RRvhggGm3v/CoGAQBM2ffgSCV3uvG74vy7lasloE9VmLdMaEfLemS9RtCamw0PxHwrfHfGXoZ0qGABNrmOuAr2Ulxoez5nr8mpbqOUs38hze2eBoLYd/3JGytHdgI1m6sq3HSsr/a28rVs3xIHjb1kWy/cdQItljfS7l+qeHUFH7DbDJ9arliziCPQ5adGLsGUc2JMKwb3QdmMPrLhtITWPHxaz2AsBk+n7yb4twUGsbK7cgfvLuK91Ysqow/sbsUrJqTRwyky2crtMW0hu5wQ+N2QsaPLiV+P72sgWiUPOoJG09zw5/D9ZTZtA2O7UXuKdrfnXeq8TzLwdY5hvP1RKEWMzoT1GztzDYsDLKDXaKnRhxPwwc433kDuibbWPxgNsmZPjNE5o35ELm7VShc6SdCNJ6B8HceEvyYinrmQKYKVpIvDjDw6IiKSdmw/FhetRERUi4kBTwjeGstd4Yhkyv1mGwl3LxBv/OT6FSfM0WUyzq43NGnlqkzuq7u6znpfz6+F6mq7zq/PqzUhw0OLYRSzMxUsqbaCSMMZ0J7A9eFNC3FKkWGRaDZv7H+EuXZeG4EzcHjUX64rM1/bKnjSLd4SadFOdglCHjZBnfZcXTuXRuAUGfkQRz2YroTL7b9KQG0ABaMOy0+4ex3fpGN+P2j3jNh9iCOW1GTY6CSt9aRX6Yx8ppXcDMFhxhNhGsqoCf9X1dM8aMn9wO4Lt21EDEJ7jCM5nPfdA5B5uvuRYK/3r1/ibPyM7XN2DUYbo86mJdMAzGY0G7O32tUb+jsGzT/DCBZYw93y5s2gwIOhhC2OmOpt+Kxu8r4vKWBBdq5t1UZtX9beC5VEpiGV3wdHLwHTqzYA1enRmsaFoWlGicJQd+Uxb0JMX6Oe0QDs2aJAYz+t6VmQJVv34bURhf9ZNj/aMhclhRn1Z8qP5cIiipzzIpuVDa2yoBA+EW+Kifi1OBBUxv2U//HA+vZ0hBfvSvMr0lVmB4/rTVxUajTtm8ilGC0MUL3FJOf7SMWZwNMRWOukjOw8aLn3QMO6UmfciRomrcAHEy5ebdQvzI+7WuzH9wX8LuzQd4vtvWqD1jC1WmZQdPPGMzem3Z0O7NDk3kFS+VzNYJ6agnn+wBYpEDQ8/G4PrdhYxfuoM66+d+WKfPqgPjC0/DjJbg98ZwpfnWFvgxRvunEKcBs7ooytIsZLidmOTC4uf4M8XnpjhvJSqHdqRh1154rRXAsimLi7VAVdchIPaTbNwtS4HEuG5KKV45eidv+BBf/NOzjK7EhH4HqqjKem3EThDpH5D+lSYoKNlb/Cybc15Q0xkkPrTM72oAWXx/LJhlv7qQeYfIxLErBNZ2vytDLYW6noZCCYWYFZBXO8Itzs23rn0tfM8E+APq027frJxD3rURA6sZojGm7TjUsizkONEw3LjPc4B3kmIIQatw38092ZLHNQePk0FH6SDNVEnoRINW1ZOqV+mWr6wrJLqVDpzbS/fjXFJCj2tW8vExkFqq7sQ23VFpJtm+w7E9DY51xYrKWyW3KyW9znoHzNdP4cwtBpU7Gb6fOYnjGSxoHrQFQRrSZf5Elj32t1zdHrcc0+1Pw3W0e2bX5dB4CD8d80sXI2KgJd6kyWYht5mhKKmO3vi+1R0EQJs3A+XHYQTnKpn7f001t3V5qfe7sHl32IhUqT7IMgOQ5o6DZ4uimg4aKlhAsZCTJy7064TUFHIdZ00+SunAx3SktscbnSZQZ/BkaB631AKO2Ezqm/RBso/bPFowc2mIRxkRILpwE/R3g1gvpfBvUY1OlW0A4nzB/CGoZrpIAjnbTdQT0GGHbizW7oIBUBfM4xgr3e1poqn7/FK/sZ09isGfFbLtoPKDMDMe20Ogjr7p68dqeuYW1ghrk/ddu09LlvIWjRWRV2uou/PmSi0jzCFWbs0ApHSQm+cbPu79Xehx+qM+yk1tn9OUzJ9QLTaFD8k8dk9Eg9NEVwqGa+2Rjt5tvIZpbFhO4LtA1k7SaRqEKQKlNoN9BJyRIVR3+p6mMvts05M/8zU2z5lYL+H8rRtH0ER2qnNQZtSVkaDTw8vKDNMtG7Atk6ElhmKVwCk1GK7XpKIzYS2BGQPecafZD5LWy8E8wMsWNnSTUu+rJ8zbRQxncU+96O1hHHXyRVQYePF93V4wG4ytMHsMEaD543EoL31yVj3XC13TDAe7kbwcHhNWyjZNR4ucl+x8h2Vu9soCdLsBFoyCQAg/WDY1GuyWWBbkgKmqnuT88IS1Q0/NLshGF0Jg5jW2/k7pD7Vj2i7/cwLfGF7LSnZVZa9Aq68OS253jtwDCl5Fd99M0nJ8b0Yv8VSsLTBWnZHOpgrEa3/XO4aTc9izB1iexrkKP9lPKkxPDe2uWRLcjMRoVWJVpDimE1j4aG9kz8j4TnEZ075Zpyx51/oMjKNSm6KsVOScDGxJjCujBn80gBhiVP8hiLQzubQxsgj3aktbeeReamw7TTGr+AjaEj9ezc36B7AHoWzs+HGSouRPmLAS0ngJ19L5/XJyJQYA6ZrHSJjFoKqO+AHiPQLJ4Gd3VGeSAx7NF2dV3mRsdLjYmsX4MFrt8+kxhX8CnibrFPTbGinfjI/Y89L1Av0B4lKz+DcpuEfM9cvnsW7JYurUD/e4tZbnmuS3hRFvRteiGPuyclqtI1vGc2f22PpptgPiiMrM+ZxgLiCV8NrH5tSFlx0k+T9jjBqo/iMgqugSt4GsBb84zQ5Tk5ahkl1qF5Dbgobu3yt3uPLcgMdSqqpWeARK8zSuBjL0ZrdbdzZuVO1sYIHkEJepvMoL+3ReFs0HBgKLNAqgLsBhSlRX4py6/sVzXOZu6Mn0EmG1YxaDuKUJ8LPaCKnYTP/QV6PZQnz9xCz6hgmKfcFa2sEIrk2N2Trv4C6LhJbzGJ7780KdXHtpS3kyf4qI32TgkXncUroHb8IPzPii1d+hqar1jEYurKxW2pzoe8uSV3fzUli8dVnm6K3Z+DJI7tjLWcDv7aVrMurE+CXZMQiKfzAl/tRbo2/SF3U/tkxC3RUj34ijrW6chYjRHh7uZMKJ1YHFFP7IVIMsVsCguWtBBvd+JA+xGori6y5fNPxtGZLYdQ6RafoPuWxJUhq5tkLpTg3dU8piMW4lqOcxd5wLZAW4lbypfS9bzg+6TbfZHT00Zfwxujtg94uNgRknj14sAnfSIPUdz3QsSeYgbSgH4EqKklDVgQ3y0lUVhCk3afH35b8ygk+xALyDLDclgJt/MABQ8GQ8PwVQelYKRwvhhG+Pm6eC9VgOQPMl+GmZJ0KWmAByvu7QO7eAWr5PjQ3WeO4mb9JQ8uMzp4+m2Hu9GFFIM97B0lY+KrbG3FN9T0dnM1XkSor1Jd8hcut3gudStRSzJJWruf1MjXURd7BJpb73iJN8dzCoXaohSLUBOAvwCvbA9obFcwiZF+0RilovwXrU0RC4XxO1ecWchZtFG9+TAMMDjXnrAG+eeD+D5XpvuJpUm9Ot0/OlGe5sc/jfcwL5+SppGh7Tw3ieRBxARVkfaiL8fA5IFTd5sVMBImhw3IJMawxw5SwbsBHmwipGfMF5w4N13YO2ITyiKg0Vwvkal+2yE2I0Ri1veJv3RoFWcEw8nN+8rH/Cm7CgmqMyqa+CZ/Ke1GRJIdxOzv9ZpNhL+HzkEZROxyQx3e12zI9CxqHUTUFTLhxv7ANJiQm2ooFuNedSckykPQIlXB6dZa3hs9AF1sPMCYyRkbaVqc6NEt90DGX2o6WnWAQhgmUl+rc3qVTcg2dy9D9Po4JMn+B+PXXjRPIfir5GaxCsNAuQqZ7SEqHyED11B/5qCaQcqH/g==\nhost:localhost:8080\nconnection:close\naccept-encoding:gzip, deflate\nuser-agent:Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\naccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","queryString":"","marks":"","body":""},"appName":"null","metaInfo":"shiro-hook-1.1.2-2023-06-30T15:00:36Z","stackTrace":"org.apache.shiro.mgt.AbstractRememberMeManager.getDecryptionCipherKey(AbstractRememberMeManager.java:202),org.apache.shiro.mgt.AbstractRememberMeManager.decrypt(AbstractRememberMeManager.java:489),org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:429),org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:396),org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:604),org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:492),org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342),org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846),org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148),org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292),org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359),org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202),org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96),org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526),org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139),org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92),org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74),org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343),org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367),org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65),org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860),org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591),org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49),java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149),java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624),org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61),java.lang.Thread.run(Thread.java:748)","payload":"kPH+bIxk5D2deZiIxcaaaA==","isBlocked":false,"attackType":"Shiro default passwd","algorithm":"shiro-remember-me","extend":"detect shiro default cipher key: kPH+bIxk5D2deZiIxcaaaA==","attackTime":1688137396594,"level":100}
如果不阻断,还会有rce日志
2023-06-30 23:03:26.352 WARNING MacBook-Pro.local [http-nio-8080-exec-1] [attack.attack]{"context":{"method":"GET","protocol":"HTTP/1.1","localAddr":"127.0.0.1","remoteHost":"127.0.0.1","requestURL":"http://localhost:8080/login","requestURI":"/login","contentType":"null","contentLength":-1,"characterEncoding":"null","parameters":"","header":"c:cHdk\naccept-language:zh-CN,zh;q=0.9\ncookie:rememberMe=iIJnNjiUTIHEC7iiowOrSJg2KNEvxWSzFAhkyB57S4SdR1ovC7rQ2Q69yBzQG1YSR4b0Oct5F7kwgXoC5eoXjDlPf45F77RQpt2RxO3xO5F+t0hpRP+tW2O/vPxeM7KFMlCVenJs4/XuNvuVDiNa17o0/DfDNRm5+hArH30fm3JOptnubtBOXTC0btpYfqanrpt2eBH3Zl4JJXd+L1hba/f3djqjG+Q7jOPg4UIfnPeGdxvr1xP2b44KsWKXVcbN/YopzvAAczoIAy0VydQBmlVDRyY5NVPQocLjdiTG4dVwqgXS+qJDFasnzbSvPQejVfjrEhCE2o6zKCW2fl3uT93fMj5kZVzxTo8t2xPh6ASPa/I9O4AF/Db2xeWIGxNcyMsdmxjDTntc5NYLEuwtMA+TKw8km6OKGgjcMLR1NGxdRlMfcy5n4poJxpOeex7QSsp6QB80Ex0KTmYN1jlhxXCOdqEwmA7keTwhypoyH+eVxg5wBNCBew71akE+M8AsezyOdTyvG1H5u9uoWLIHJ23pFcHMxysVG4EXVGrDKx35GwAQNmONggQ7Fn3pILTdJHOpKYH72tV4wCQ8ajjK4f1IOSZFQQp0BL9S6N1Yatp2zEs0C3Y/pbcvzNijxy/dK0JEKQU9PhYKPRi3yQM/Skuv9Ff3bx9YVDw3YAXz027fTZZWKrbDlzNW2m7wdsE89USThz7a7jaKP/NSR7/FpVcElS5xzsvQRFW3L4X3T6b9i5CXMWSVF6VetBSxyjI60C9DNUTHt/sG+aDIAsP0Q2jUjIi2txW45P1jzQc4zdwF5Xab0hv71FFJphSdTXtDu2DVIpQyeo2twR1rvwt/OyiSoBfBmHfwLziOEZmqBMY5Hpq9I+pjhqcip5B2KyYdBRuQtBXjA57XZPz/ypdheQgmQ220bByvkc14Nf6xTboWOu2zCYtTuumCmFyLr0prq1+/vHddbyV7VEeOYNnx9gsaK2Zx4caec9WO5QKsCaKkwlhCRZ8CSqRSXp0dq6sAEgSKj2XJPxWY8+Bk0Hv8hm/kurCFlOU8TB3FwW0/tz7NO0fMOefGxsXb8tP9tSqzAknQGQ4khcorWM6wxjMBg3u4p/vcKQ2luvooOvb8vHLhj9P2w8dbkqF/Wk03RSKfCOmBr9O0PWQsHski6OTjNwhfr3Ca89c3a6qSzh0ERuDvvq8sevyzjYwsXFXjOxsLUk6YC/UPMKA6CQ96oSMYUA3wowOk1FEsPSurZk9ff2p7sW+MrCMzMpq4vW+jx2ilmlJwVbk0JpQPskJmWeLYRX8MsNVsLbMKtp1WNQpXFCouUiAW7WBzRFXn+h+YrdhSjjXFBVk54+o0WSE6066fUKnlmSD3d5A6qdaXbT5mByYcYUBl9sTGDiZa1b5nbCTjLAK93ZqpyNjBQ+lmnsmvMvpJAhbXQ9CbaxAtYoHJX0qjjrkxsWVb3rIx4lnR4EaELfBh7boAHfxmb8p8SZSh08Aap4ztkVp3pADLiK353zlVmI90MRl6ovOVUGbdrvsIf59igCCP6b6Ub57Wjkj9gSzNXgPaNEzpmcXxY7kju7Tbaq6ZnaylpJnsutmj6dGIv+bEaEOzHHrBgmG5lHbIPxVltx1DONpbjkKwIF1IAxYE/S5UkMZkqjorKCIhKWg5VMFest5scZ20x9kMrMBFKBBPmo0RYdctelxp+YaT4TKscgnNDjWb/ZhOoIdDQ0pqwnFbydox4QMThX/gEYuzmt3ZLKuV2QvcTI1Hosjd/QqTsSOJpBCNQ+/UaHSxH8lsuEnYz7GH3O3Dww2g8T6pOOON6EWUBv8T3DCaivxF0us1h4A1xuIMUHwPwfmUgkgl1uLL6uqGgOchrj1YoPHq8ePFCjEeCWfCpqKU6rJZkj9eiBEUiQxoWLg2NXexxcnhYMwxnf+FlHbDCtzqL+bTOjvBWZV/oeJoq7/ITnJD2pdkRmXxcgagFJKUesKRu32kFh6wDXnBPLdx2uaaBU+iv1RLodeKzEfBp5spIpfFDFHdOgY++98OxEUUGAopPdmthpOwniIv94w1rzbcUWe91RCC0a/CSCs9KgkAKGI/IG7nNLdSao8ZmNkxBJYguoPNQZqdRYXnIIChgp2guSoxsD34orFgoXCIK1NQpJPhmxXefyTFc6GWhWbJ6mrmL41SDEE0VZCVfFUC1dAtO5yvZH/B4eooLTxCj59J31CzroHNn8plem/9Rq4Uva4pqk8wvL7yH0u6vVJJrhO90ehas2LlJXo/pZa5og5GETy2Co1dW3whpOCJQKuEyWBm7rDAH19cQD+tgI6apYEdFwdCY/mliwuzS+eOXiGH7yNsfnEPiPMVEyq4HGwEtM1tnuSbMcxcRdX8L6x+OyFGr0TPVSolWkz9+ObgTaEFmGJJUs76DIsPkSF8ps+6fsa5OGJY+d9vzEQ0sW9Jw+oCUIpcrcfZU3fh2ipbTo17ipRUMuPipwlWEmEAzErg1iyhrHFvuP7CMrIcqAzIJdbHnzdAWAKg+lnOe4BlBe0O4Y7IsmAmFevNjgYGf9/goWNtLmuOnioRvMUH57mYHOw/22lFgpj/Bn/2DhVMAUFUer57puuMnYTwcnrs7UAa7XW9oXbBystxMoHsc/b5iXUszhidhXs1zO5WOj53EcgUtyVpdin660peAkgIwA9LHvqSQX4cesqSciyN+MZS3NCbzLfusRZRNfJy0u9f0EA8e9BWt8s1l1SDtuX3X492sdfC+2yL+70tFW7r1mWe0w/F6fttEyhDIH3EemIQiS2drL2lbYXETVzd/0rqkJqNYRn/frw0BzqT8kUDJeBeV6tLvVILaE1yq+MY65RRvhggGm3v/CoGAQBM2ffgSCV3uvG74vy7lasloE9VmLdMaEfLemS9RtCamw0PxHwrfHfGXoZ0qGABNrmOuAr2Ulxoez5nr8mpbqOUs38hze2eBoLYd/3JGytHdgI1m6sq3HSsr/a28rVs3xIHjb1kWy/cdQItljfS7l+qeHUFH7DbDJ9arliziCPQ5adGLsGUc2JMKwb3QdmMPrLhtITWPHxaz2AsBk+n7yb4twUGsbK7cgfvLuK91Ysqow/sbsUrJqTRwyky2crtMW0hu5wQ+N2QsaPLiV+P72sgWiUPOoJG09zw5/D9ZTZtA2O7UXuKdrfnXeq8TzLwdY5hvP1RKEWMzoT1GztzDYsDLKDXaKnRhxPwwc433kDuibbWPxgNsmZPjNE5o35ELm7VShc6SdCNJ6B8HceEvyYinrmQKYKVpIvDjDw6IiKSdmw/FhetRERUi4kBTwjeGstd4Yhkyv1mGwl3LxBv/OT6FSfM0WUyzq43NGnlqkzuq7u6znpfz6+F6mq7zq/PqzUhw0OLYRSzMxUsqbaCSMMZ0J7A9eFNC3FKkWGRaDZv7H+EuXZeG4EzcHjUX64rM1/bKnjSLd4SadFOdglCHjZBnfZcXTuXRuAUGfkQRz2YroTL7b9KQG0ABaMOy0+4ex3fpGN+P2j3jNh9iCOW1GTY6CSt9aRX6Yx8ppXcDMFhxhNhGsqoCf9X1dM8aMn9wO4Lt21EDEJ7jCM5nPfdA5B5uvuRYK/3r1/ibPyM7XN2DUYbo86mJdMAzGY0G7O32tUb+jsGzT/DCBZYw93y5s2gwIOhhC2OmOpt+Kxu8r4vKWBBdq5t1UZtX9beC5VEpiGV3wdHLwHTqzYA1enRmsaFoWlGicJQd+Uxb0JMX6Oe0QDs2aJAYz+t6VmQJVv34bURhf9ZNj/aMhclhRn1Z8qP5cIiipzzIpuVDa2yoBA+EW+Kifi1OBBUxv2U//HA+vZ0hBfvSvMr0lVmB4/rTVxUajTtm8ilGC0MUL3FJOf7SMWZwNMRWOukjOw8aLn3QMO6UmfciRomrcAHEy5ebdQvzI+7WuzH9wX8LuzQd4vtvWqD1jC1WmZQdPPGMzem3Z0O7NDk3kFS+VzNYJ6agnn+wBYpEDQ8/G4PrdhYxfuoM66+d+WKfPqgPjC0/DjJbg98ZwpfnWFvgxRvunEKcBs7ooytIsZLidmOTC4uf4M8XnpjhvJSqHdqRh1154rRXAsimLi7VAVdchIPaTbNwtS4HEuG5KKV45eidv+BBf/NOzjK7EhH4HqqjKem3EThDpH5D+lSYoKNlb/Cybc15Q0xkkPrTM72oAWXx/LJhlv7qQeYfIxLErBNZ2vytDLYW6noZCCYWYFZBXO8Itzs23rn0tfM8E+APq027frJxD3rURA6sZojGm7TjUsizkONEw3LjPc4B3kmIIQatw38092ZLHNQePk0FH6SDNVEnoRINW1ZOqV+mWr6wrJLqVDpzbS/fjXFJCj2tW8vExkFqq7sQ23VFpJtm+w7E9DY51xYrKWyW3KyW9znoHzNdP4cwtBpU7Gb6fOYnjGSxoHrQFQRrSZf5Elj32t1zdHrcc0+1Pw3W0e2bX5dB4CD8d80sXI2KgJd6kyWYht5mhKKmO3vi+1R0EQJs3A+XHYQTnKpn7f001t3V5qfe7sHl32IhUqT7IMgOQ5o6DZ4uimg4aKlhAsZCTJy7064TUFHIdZ00+SunAx3SktscbnSZQZ/BkaB631AKO2Ezqm/RBso/bPFowc2mIRxkRILpwE/R3g1gvpfBvUY1OlW0A4nzB/CGoZrpIAjnbTdQT0GGHbizW7oIBUBfM4xgr3e1poqn7/FK/sZ09isGfFbLtoPKDMDMe20Ogjr7p68dqeuYW1ghrk/ddu09LlvIWjRWRV2uou/PmSi0jzCFWbs0ApHSQm+cbPu79Xehx+qM+yk1tn9OUzJ9QLTaFD8k8dk9Eg9NEVwqGa+2Rjt5tvIZpbFhO4LtA1k7SaRqEKQKlNoN9BJyRIVR3+p6mMvts05M/8zU2z5lYL+H8rRtH0ER2qnNQZtSVkaDTw8vKDNMtG7Atk6ElhmKVwCk1GK7XpKIzYS2BGQPecafZD5LWy8E8wMsWNnSTUu+rJ8zbRQxncU+96O1hHHXyRVQYePF93V4wG4ytMHsMEaD543EoL31yVj3XC13TDAe7kbwcHhNWyjZNR4ucl+x8h2Vu9soCdLsBFoyCQAg/WDY1GuyWWBbkgKmqnuT88IS1Q0/NLshGF0Jg5jW2/k7pD7Vj2i7/cwLfGF7LSnZVZa9Aq68OS253jtwDCl5Fd99M0nJ8b0Yv8VSsLTBWnZHOpgrEa3/XO4aTc9izB1iexrkKP9lPKkxPDe2uWRLcjMRoVWJVpDimE1j4aG9kz8j4TnEZ075Zpyx51/oMjKNSm6KsVOScDGxJjCujBn80gBhiVP8hiLQzubQxsgj3aktbeeReamw7TTGr+AjaEj9ezc36B7AHoWzs+HGSouRPmLAS0ngJ19L5/XJyJQYA6ZrHSJjFoKqO+AHiPQLJ4Gd3VGeSAx7NF2dV3mRsdLjYmsX4MFrt8+kxhX8CnibrFPTbGinfjI/Y89L1Av0B4lKz+DcpuEfM9cvnsW7JYurUD/e4tZbnmuS3hRFvRteiGPuyclqtI1vGc2f22PpptgPiiMrM+ZxgLiCV8NrH5tSFlx0k+T9jjBqo/iMgqugSt4GsBb84zQ5Tk5ahkl1qF5Dbgobu3yt3uPLcgMdSqqpWeARK8zSuBjL0ZrdbdzZuVO1sYIHkEJepvMoL+3ReFs0HBgKLNAqgLsBhSlRX4py6/sVzXOZu6Mn0EmG1YxaDuKUJ8LPaCKnYTP/QV6PZQnz9xCz6hgmKfcFa2sEIrk2N2Trv4C6LhJbzGJ7780KdXHtpS3kyf4qI32TgkXncUroHb8IPzPii1d+hqar1jEYurKxW2pzoe8uSV3fzUli8dVnm6K3Z+DJI7tjLWcDv7aVrMurE+CXZMQiKfzAl/tRbo2/SF3U/tkxC3RUj34ijrW6chYjRHh7uZMKJ1YHFFP7IVIMsVsCguWtBBvd+JA+xGori6y5fNPxtGZLYdQ6RafoPuWxJUhq5tkLpTg3dU8piMW4lqOcxd5wLZAW4lbypfS9bzg+6TbfZHT00Zfwxujtg94uNgRknj14sAnfSIPUdz3QsSeYgbSgH4EqKklDVgQ3y0lUVhCk3afH35b8ygk+xALyDLDclgJt/MABQ8GQ8PwVQelYKRwvhhG+Pm6eC9VgOQPMl+GmZJ0KWmAByvu7QO7eAWr5PjQ3WeO4mb9JQ8uMzp4+m2Hu9GFFIM97B0lY+KrbG3FN9T0dnM1XkSor1Jd8hcut3gudStRSzJJWruf1MjXURd7BJpb73iJN8dzCoXaohSLUBOAvwCvbA9obFcwiZF+0RilovwXrU0RC4XxO1ecWchZtFG9+TAMMDjXnrAG+eeD+D5XpvuJpUm9Ot0/OlGe5sc/jfcwL5+SppGh7Tw3ieRBxARVkfaiL8fA5IFTd5sVMBImhw3IJMawxw5SwbsBHmwipGfMF5w4N13YO2ITyiKg0Vwvkal+2yE2I0Ri1veJv3RoFWcEw8nN+8rH/Cm7CgmqMyqa+CZ/Ke1GRJIdxOzv9ZpNhL+HzkEZROxyQx3e12zI9CxqHUTUFTLhxv7ANJiQm2ooFuNedSckykPQIlXB6dZa3hs9AF1sPMCYyRkbaVqc6NEt90DGX2o6WnWAQhgmUl+rc3qVTcg2dy9D9Po4JMn+B+PXXjRPIfir5GaxCsNAuQqZ7SEqHyED11B/5qCaQcqH/g==\nhost:localhost:8080\nconnection:close\naccept-encoding:gzip, deflate\nuser-agent:Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)\naccept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9","queryString":"","marks":"","body":""},"appName":"null","metaInfo":"rce-algorithm-1.1.2-2023-06-30T15:00:36Z","stackTrace":"java.lang.UNIXProcess.forkAndExec(UNIXProcess.java),java.lang.UNIXProcess.<init>(UNIXProcess.java:247),java.lang.ProcessImpl.start(ProcessImpl.java:134),java.lang.ProcessBuilder.start(ProcessBuilder.java:1029),x.Test1188778292502339.<init>(Test1188778292502339.java),sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method),sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62),sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45),java.lang.reflect.Constructor.newInstance(Constructor.java:423),com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.getTransletInstance(TemplatesImpl.java:457),com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.newTransformer(TemplatesImpl.java:485),sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method),sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62),sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),java.lang.reflect.Method.invoke(Method.java:498),org.apache.commons.collections.functors.InvokerTransformer.transform(InvokerTransformer.java:126),org.apache.commons.collections.map.LazyMap.get(LazyMap.java:158),org.apache.commons.collections.keyvalue.TiedMapEntry.getValue(TiedMapEntry.java:74),org.apache.commons.collections.keyvalue.TiedMapEntry.hashCode(TiedMapEntry.java:121),java.util.HashMap.hash(HashMap.java:339),java.util.HashMap.readObject(HashMap.java:1413),sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method),sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62),sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43),java.lang.reflect.Method.invoke(Method.java:498),java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1185),java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2256),java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2147),java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1646),java.io.ObjectInputStream.readObject(ObjectInputStream.java:482),java.io.ObjectInputStream.readObject(ObjectInputStream.java:440),org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:77),org.apache.shiro.mgt.AbstractRememberMeManager.deserialize(AbstractRememberMeManager.java:514),org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:431),org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:396),org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:604),org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:492),org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342),org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846),org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148),org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292),org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359),org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.RequestContextFilter.doFilterInternal(RequestContextFilter.java:100),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.FormContentFilter.doFilterInternal(FormContentFilter.java:93),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.springframework.web.filter.CharacterEncodingFilter.doFilterInternal(CharacterEncodingFilter.java:201),org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:119),org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193),org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166),org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:202),org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96),org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:526),org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:139),org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:92),org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:74),org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:343),org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:367),org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65),org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:860),org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1591),org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49),java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149),java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624),org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61),java.lang.Thread.run(Thread.java:748)","payload":"/bin/sh -cpwd","isBlocked":false,"attackType":"\u547d\u4ee4\u6267\u884c","algorithm":"rce token contains in http headers","extend":" ","attackTime":1688137406351,"level":80}
官网地址:https://www.jrasp.com
开源地址: https://github.com/jvm-rasp
文章来源: https://mp.weixin.qq.com/s?__biz=Mzg5MjQ1OTkwMg==&mid=2247484544&idx=1&sn=69bc11516e13d7b0f020588ad06a8a7c&chksm=c03c8a91f74b0387fa88fe50886b22d59a547899f31e7b731fe67cdeb26e4951a324ea3cca69&scene=58&subscene=0#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh