MCPcopy Index your code
hub / github.com/SummerSec/ShiroAttack2

github.com/SummerSec/ShiroAttack2 @v5.1.1

Chat with this repo
repository ↗ · DeepWiki ↗ · release v5.1.1 ↗ · + Follow
1,025 symbols 3,408 edges 145 files 172 documented · 17%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

ShiroAttack2

A fast exploitation tool for Shiro-550 (Apache Shiro rememberMe deserialization)

ShiroAttack2 Forks Release Stars Follower SecSummers

Language / 语言切换:中文 | English

Full usage guide: docs/USAGE.md

ShiroAttack2 5.x


Why Shiro-550 Still Works

CVE-2016-4437, discovered in 2016, remains exploitable for three reasons:

Default key. Shiro ≤1.2.4 hardcodes an AES key in CookieRememberMeManager: kPH+bIxk5D2deZiIxcaaaA==. Tutorials and scaffold code have been copying this value for years.

Keys are hard to rotate. rememberMe requires the same key on client and server. Once embedded in configs, Docker images, and source repos, replacing it requires updating all nodes.

Low exploitation cost. GUI clicks for shell access. CLI for scripting. The lower the cost, the larger the attack surface.

Attack Flow

Detect ── Send rememberMe=yes, check for Set-Cookie: rememberMe=deleteMe
           Shiro 1.x always returns deleteMe on invalid cookies

Crack ── Serialize SimplePrincipalCollection, encrypt with candidate keys
          Response without deleteMe = valid key found

Gadget ── Encrypt full payload (gadget chain + TemplatesImpl echo class) with confirmed key
Exec ── rememberMe cookie carries gadget payload, command embedded in Authorization header
Memshell ── Inject Filter/Servlet via same gadget chain, no longer needs rememberMe
Key Replace ── Swap Shiro's AES key via memshell mechanism, old key invalidated

CLI Mode

Since 5.0, the CLI mode shares the same AttackService (1000+ lines) without modification. It works by subclassing TextArea to intercept logging output and injecting a mock MainController via the ControllersFactory registry. CLI initializes JavaFX headlessly with a JFXPanel — no window needed.

java -cp shiro_attack-<version>.jar com.summersec.attack.CLI.MainCLI <command> [options]
Command Purpose
detect Check if target runs Shiro framework
crack Brute-force or verify Shiro AES key
exec Execute system commands (auto gadget detection)
memshell Inject memshell (Godzilla/Behinder/AntSword etc.)
changekey Replace target's Shiro key
gui Launch JavaFX GUI

With --json, output splits into two channels: lines starting with { are structured JSON logs (parseable by AI/scripts). Plain text lines are raw command output (grab with tail -1).

AES mode: --cbc (Shiro ≤1.2.4), --gcm (Shiro ≥1.2.5).

Gadget auto-detection prioritizes String/AttrCompare/ObjectToStringComparator variants (no commons-collections dependency), falling back to CB variants requiring ComparableComparator.

See @skills/shiro-attack-cli/SKILL.md for detailed CLI usage (structured as an AI Agent skill descriptor).

Features

  • JavaFX GUI + CLI dual mode, shared attack logic
  • Multiple CommonsBeanutils gadget versions (1.8.3 / 1.9.2 / AttrCompare / ObjectToStringComparator)
  • Auto AES mode switching: tries CBC and GCM, locks whichever hits
  • Memshell injection (Filter / Servlet / Interceptor / HandlerMethod / TomcatValve)
  • Echo types: TomcatEcho / SpringEcho / DFS-AllEcho / ReverseEcho / NoEcho
  • Third-party generator integration (jEG for echo, jMG for memshell) with automatic Legacy fallback
  • Shiro Key replacement (6 injection paths, auto verifies old and new keys)
  • Custom headers, Cookie merging, POST-based detection
  • --json structured output for scripting and AI
  • HTTP/HTTPS proxy with authentication
  • AES Key generator

Build

# Install local JARs (required once)
mvn install:install-file -Dfile=libs/jEG-Core-1.0.0.jar -DgroupId=jeg -DartifactId=jeg-core -Dversion=1.0.0 -Dpackaging=jar
mvn install:install-file -Dfile=libs/jmg-sdk-1.0.9.jar -DgroupId=jmg -DartifactId=jmg-sdk -Dversion=1.0.9 -Dpackaging=jar

# Build fat JAR (Java 8)
mvn clean package -DskipTests
# Output: target/shiro_attack-5.1.1-all.jar

Download & Run

Two artifact types per release:

  • shiro_attack-<version>-<jdk>.jar: standalone executable
  • shiro_attack-<version>-<jdk>-bundle.zip: full bundle with data/ and lib/

Runtime directory structure:

./
├── shiro_attack-{version}-{jdk}.jar
├── data/
│   └── shiro_keys.txt   # Key dictionary, one Base64 key per line
└── lib/                 # CommonsBeanutils JARs

Releases are auto-built by GitHub Actions on tag push (v* or X.Y.Z). Optional release notes at docs/releases/<tag>.md.

Documentation

Document Description
docs/USAGE.md Full feature usage guide
docs/FAQ.md Frequently asked questions
docs/ShiroAttack2-v5-guide.md In-depth 5.x feature walkthrough
docs/memshell.md Memshell notes
docs/BypassWaf.md WAF bypass
docs/NoGadget.md No-gadget scenarios
docs/THIRD_PARTY_GENERATORS.md jEG/jMG integration guide
@skills/shiro-attack-cli/SKILL.md AI Agent skill descriptor

Disclaimer

This tool is intended solely for authorized internal security assessments. The author assumes no responsibility for any consequences arising from its use.


Star History

Extension points exported contracts — how you extend this code

Initializable (Interface)
Shiro container-agnostic interface that indicates that this object requires initialization. @since 0.2 [23 implementers]
src/main/java/org/apache/shiro/lang/util/Initializable.java
Destroyable (Interface)
Shiro container-agnostic interface that indicates that this object requires a callback during destruction. @since 0.2 [24 …
src/main/java/org/apache/shiro/lang/util/Destroyable.java
ObjectPayload (Interface)
(no doc) [19 implementers]
src/main/java/com/summersec/attack/deser/payloads/ObjectPayload.java
EchoPayload (Interface)
(no doc) [14 implementers]
src/main/java/com/summersec/attack/deser/echo/EchoPayload.java
EncryptInterface (Interface)
(no doc) [6 implementers]
src/main/java/com/summersec/attack/Encrypt/EncryptInterface.java

Core symbols most depended-on inside this repo

getClass
called by 338
src/main/java/com/summersec/attack/deser/util/CommonUtil.java
get
called by 232
src/main/java/org/apache/shiro/lang/util/SoftHashMap.java
invoke
called by 181
src/main/java/com/summersec/x/reGeorgServlet.java
appendText
called by 173
src/main/java/com/summersec/attack/utils/Console.java
setAccessible
called by 170
src/main/java/com/summersec/attack/deser/util/Reflections.java
put
called by 139
src/main/java/org/apache/shiro/lang/util/SoftHashMap.java
forName
called by 134
src/main/java/org/apache/shiro/lang/util/ClassUtils.java
append
called by 130
src/main/java/org/apache/shiro/lang/codec/H64.java

Shape

Method 868
Class 137
Interface 17
Enum 3

Languages

Java100%

Modules by API surface

src/main/java/com/summersec/attack/UI/MainController.java55 symbols
src/main/java/com/summersec/attack/core/AttackService.java41 symbols
src/main/java/org/apache/shiro/crypto/cipher/JcaCipherService.java25 symbols
src/main/java/org/apache/shiro/crypto/cipher/DefaultBlockCipherService.java25 symbols
src/main/java/com/summersec/x/GodzillaTomServlet.java21 symbols
src/main/java/com/summersec/x/GodzillaServlet.java21 symbols
src/main/java/com/summersec/attack/utils/HttpUtil.java21 symbols
src/main/java/com/summersec/x/NeoreGeorgServlet.java20 symbols
src/main/java/org/apache/shiro/lang/util/SoftHashMap.java19 symbols
src/main/java/com/summersec/x/BehinderServlet.java19 symbols
src/main/java/com/summersec/attack/utils/HttpUtil_bak.java19 symbols
src/main/java/com/summersec/attack/integration/generator/model/MemshellGenerateRequest.java19 symbols

For agents

$ claude mcp add ShiroAttack2 \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact