Giter VIP home page Giter VIP logo

shiropoc's People

Contributors

center-sun avatar potats0 avatar

Stargazers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

harry1080 kong-f yzddmr6 laowang1026 freefv kikaylee evilashz n1f2c3 vrirus moyuwa naxg yut0u yeshuibo pyking pochubs uyid paladin1412 vvone123 hkylin sry309 pikaqi fanyibo2009 bravery9 k0bee aa506 liao10086 center-sun cleanmgr112 gold1029 rassec omiter asdlei99 ikv163 warren-jace gmwshz gloomywind dawson0x00 weaglew xiangcaojc bbghunter feisec 0neatsec yhblkey kerlingcode dnsmaitreya yuusuke4 diannaofengzi jeromeyoung 5l1v3r1 lehendsec m4ph1n

shiropoc's Issues

检测某个站出现误报情况 

                                                            Powered by UnicodeSec
                                                                  Version  0.0.2
八月 01, 2020 4:31:56 下午 org.apache.http.client.protocol.ResponseProcessCookies processCookies
警告: Invalid cookie header: "Set-Cookie: 8VY9p00ccvVgS=5s7CnSS.ODpwYT_v50JzmQn.x0G6eIvX0a8hwJN_WEumAi_mwmJTdsCMnZzgt1NxHtMXnLqaQe.bUAFr1uZ83Cq; Path=/; expires=Tue, 3
0 Jul 2030 08:32:54 GMT; HttpOnly". Invalid 'expires' attribute: Tue, 30 Jul 2030 08:32:54 GMT
found Shiro Vulnerability, Shiro key wGiHplamyXlVB11UXWol8g==

image

授权测试某站时,发现返回头里没有rememberMe=deleteMe相关字段并且会默认返回Set-Cookie相关的字段,但是检测出了key,日志如上图,返回头如下图
image

HTTP/1.1 200 OK
Server: nginx
Date: Sat, 01 Aug 2020 08:31:57 GMT
Content-Type: text/html;charset=utf-8
Connection: keep-alive
Set-Cookie: sid=z0Tscj1n+2962467490-Nd1D_qJ28lD1diGfMbUlBWZ1Bf12So0Zi0wwzMr8UiilkY..vOKPORkhuzylS87u68qiFJTKD37xlQTLdabG_a; Path=/xlplatform; HttpOnly
Content-Language: en-US
Pragma: no-cache
Cache-Control: no-store
Expires: Sat, 01 Aug 2020 08:32:54 GMT
Set-Cookie: 8VY9p00ccvVgS=5s7CnSS.ODpwYT_v50JzmQn.x0G6eIvX0a8hwJN_WEumAi_mwmJTdsCMnZzgt1NxHtMXnLqaQe.bUAFr1uZ83Cq; Path=/; expires=Tue, 30 Jul 2030 08:32:54 GMT; HttpOnly
Busscid: unnet
Content-Length: 26689

bug

java -cp shiroPoc-0.5-SNAPSHOT-jar-with-dependencies.jar org.unicodesec.poc http://localhost:8080/

直接使用jar检测的话,测试时发现bug,无论对任何URL检测都会返回成功

QQ截图20200807084452

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.