You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In http://material-admin/material-manage/src/main/java/cn/enilu/material/admin/config/web/ShiroConfig.java we can find a fixed key and uses this key to encrypt the rememberMe parameter in the cookie. It will cause deserialization vulnerability
I set up a a local environment for attacks.
I found that the source code contains commons-collections-3.2.2.jar and commons-beanutils-1.9.4.jar dependency, which is actually a dependency included in shiro.
Using this dependency, it is possible to generate a deserialized payload and then encrypt the payload using the key obtained by blasting. write this payload after the rememberMe field and attack it. Successful RCE.
The text was updated successfully, but these errors were encountered:
In
http://material-admin/material-manage/src/main/java/cn/enilu/material/admin/config/web/ShiroConfig.javawe can find a fixed key and uses this key to encrypt the rememberMe parameter in the cookie. It will cause deserialization vulnerabilityI set up a a local environment for attacks.
I found that the source code contains commons-collections-3.2.2.jar and commons-beanutils-1.9.4.jar dependency, which is actually a dependency included in shiro.
Using this dependency, it is possible to generate a deserialized payload and then encrypt the payload using the key obtained by blasting. write this payload after the rememberMe field and attack it. Successful RCE.
The text was updated successfully, but these errors were encountered: