Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The project has a shiro deserialization vulnerability #37

Open
qxlsl1 opened this issue Aug 1, 2023 · 1 comment
Open

The project has a shiro deserialization vulnerability #37

qxlsl1 opened this issue Aug 1, 2023 · 1 comment

Comments

@qxlsl1
Copy link

qxlsl1 commented Aug 1, 2023

1、First, set up a local service and ensure that it can run properly
Find its background login address
image
2、We can see that remeberMe cipherKey has been written in the source code
image
3、Inspect the shiro frame using the shiro Blasting tool
image
4、Once the cipherKey is specified, blow up shiro's utilization chain
image
5、Discover the construction chain :CommonsBeanutilsString_183 The command output mode is AllEcho
6、The whoami command was successfully executed, confirming the existence of the vulnerability
image
7、Tool link:https://github.com/SummerSec/ShiroAttack2
@gg110
Copy link

gg110 commented Aug 1, 2023 via email

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gg110 @qxlsl1