45 lines
1.6 KiB
YAML
45 lines
1.6 KiB
YAML
id: shiro-deserialization-detection
|
||
|
||
info:
|
||
name: Shiro <= 1.2.4 Deserialization Detection
|
||
author: hotpot,j4vaovo
|
||
severity: unknown
|
||
description: |
|
||
This template is designed to detect the Shiro framework's default key vulnerabilities. It leverages 51 built-in Shiro keys to probe for potential vulnerabilities.
|
||
reference:
|
||
- https://github.com/sv3nbeast/ShiroScan
|
||
metadata:
|
||
max-request: 102
|
||
tags: shiro,deserialization,rce,apache
|
||
|
||
http:
|
||
- raw:
|
||
- |
|
||
GET / HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Cookie: JSESSIONID={{randstr}};rememberMe=123;
|
||
- |
|
||
GET / HTTP/1.1
|
||
Host: {{Hostname}}
|
||
Cookie: JSESSIONID={{randstr}};rememberMe={{key}};
|
||
|
||
payloads:
|
||
key: helpers/wordlists/shiro_encrypted_keys.txt
|
||
stop-at-first-match: true
|
||
|
||
matchers-condition: and
|
||
matchers:
|
||
- type: dsl # WAF Block Page
|
||
dsl:
|
||
- 'contains(header_1, "Set-Cookie") && (contains(header_1, "rememberMe=") || contains(header_1, "=deleteMe"))'
|
||
- '!contains(header_2, "rememberMe=") && !contains(header_2, "=deleteMe")'
|
||
condition: and
|
||
|
||
- type: dsl
|
||
dsl:
|
||
- '!contains(body_2, "<p>当前访问疑似黑客攻击,已被网站管理员设置拦截并记录</p>")'
|
||
- '!contains(body_2, "很抱歉,由于您访问的URL有可能对网站造成安全威胁,您的访问被阻断")'
|
||
condition: and
|
||
|
||
# digest: 4a0a00473045022100d31e9314ce77be5a00ae9fa4bb30686fef3506b2d8008154e0ac30c99c7ba0f502201170dc3d229d2e3770bd9b734ce65414d1ef189b2518dec525a60f636a17e152:922c64590222798bb761d5b6d8e72950
|