实战遇到的Shiro,中间件为Undertow,利用链为cb193,jdk版本8u291,先是用了一系列工具梭哈无果,后用java-chains,但是实测TemplatesImp加sleep无法利用(jeg回显也无法利用,不知道是不是Undertow不允许加载字节码),经本地调试是无法加载[B,会被java.lang.ClassLoader#checkName过滤掉,最后改用LdapAttribute(LdapAttribute JNDI)利用成功
测试依赖如下,如果作者测试后确实如此的话希望在工具中添加 **Undertow(TemplatesImp?)关于加载字节码的利用** 说明
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<groupId>com.example</groupId>
<artifactId>shiro-demo</artifactId>
<version>1.0-SNAPSHOT</version>
<properties>
<maven.compiler.source>1.8</maven.compiler.source>
<maven.compiler.target>1.8</maven.compiler.target>
</properties>
<dependencies>
<!-- Source: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-web -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
<exclusions>
<exclusion>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-tomcat</artifactId>
</exclusion>
</exclusions>
<version>2.3.1.RELEASE</version>
<scope>compile</scope>
</dependency>
<!-- Source: https://mvnrepository.com/artifact/org.springframework.boot/spring-boot-starter-undertow -->
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-undertow</artifactId>
<version>2.3.1.RELEASE</version>
<scope>compile</scope>
</dependency>
<!-- Source: https://mvnrepository.com/artifact/org.apache.shiro/shiro-spring-boot-web-starter -->
<dependency>
<groupId>org.apache.shiro</groupId>
<artifactId>shiro-spring-boot-web-starter</artifactId>
<version>1.5.3</version>
<scope>compile</scope>
</dependency>
<!-- Source: https://mvnrepository.com/artifact/commons-beanutils/commons-beanutils -->
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<version>1.9.3</version>
<scope>compile</scope>
</dependency>
<dependency>
<groupId>org.projectlombok</groupId>
<artifactId>lombok</artifactId>
<version>1.18.24</version>
<scope>provided</scope>
</dependency>
</dependencies>
</project>
实战遇到的Shiro,中间件为Undertow,利用链为cb193,jdk版本8u291,先是用了一系列工具梭哈无果,后用java-chains,但是实测TemplatesImp加sleep无法利用(jeg回显也无法利用,不知道是不是Undertow不允许加载字节码),经本地调试是无法加载[B,会被java.lang.ClassLoader#checkName过滤掉,最后改用
LdapAttribute(LdapAttribute JNDI)利用成功