SummerSec / ShiroAttack2

Comprehensive exploitation tool for the Shiro deserialization vulnerability, including echoed command execution and in-memory webshell injection; fixes the NoCC problem in the original https://github.com/j1anFen/shiro_attack
MIT License
2.04k stars 262 forks

Latest version 4.5.6: bug in Shiro framework detection #39

Closed. wwsuixin closed this 1 year ago

wwsuixin commented 1 year ago

The first detection request sent to the target is shown below; the framework is identified correctly:

GET /salary/login HTTP/1.1
Cookie: rememberMe=yes
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Host: xxxx.cn
Connection: close

The second detection request sent to the target is shown below; the framework cannot be identified:

GET /salary/login HTTP/1.1
Cookie: rememberMe=yes
Accept: text/html,application/json,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.142 Safari/537.36 Hutool
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.8
Cookie: BIGipServerj98Jz77D1botFNwi19B7uQ=!PDqHcpQNxeQIvO/ZCZ9QxSHa8ugO20c5xec/V4fjR2zJKhjd49+Ftq36DuwH7pYKAx0/18QR7AaGzrQ=
Cookie: shiroCookie=0069220b-14c6-48e8-b497-1ae5fb8084d3
Host: xxx.cn
Connection: close

Analysis shows that when the program builds the request it does not merge the two cookies into a single header, so the first, critical cookie value is overwritten and the server never receives rememberMe=yes. Please fix this.

SummerSec commented 1 year ago

Looks like a duplicate issue; closing it directly.