Full usage guide: docs/USAGE.md

CVE-2016-4437, discovered in 2016, remains exploitable for three reasons:
Default key. Shiro ≤1.2.4 hardcodes an AES key in CookieRememberMeManager: kPH+bIxk5D2deZiIxcaaaA==. Tutorials and scaffold code have been copying this value for years.
Keys are hard to rotate. rememberMe requires the same key on client and server. Once embedded in configs, Docker images, and source repos, replacing it requires updating all nodes.
Low exploitation cost. GUI clicks for shell access. CLI for scripting. The lower the cost, the larger the attack surface.
Detect ── Send rememberMe=yes, check for Set-Cookie: rememberMe=deleteMe
Shiro 1.x always returns deleteMe on invalid cookies
Crack ── Serialize SimplePrincipalCollection, encrypt with candidate keys
Response without deleteMe = valid key found
Gadget ── Encrypt full payload (gadget chain + TemplatesImpl echo class) with confirmed key
Exec ── rememberMe cookie carries gadget payload, command embedded in Authorization header
Memshell ── Inject Filter/Servlet via same gadget chain, no longer needs rememberMe
Key Replace ── Swap Shiro's AES key via memshell mechanism, old key invalidated
Since 5.0, the CLI mode shares the same AttackService (1000+ lines) without modification. It works by subclassing TextArea to intercept logging output and injecting a mock MainController via the ControllersFactory registry. CLI initializes JavaFX headlessly with a JFXPanel — no window needed.
java -cp shiro_attack-<version>.jar com.summersec.attack.CLI.MainCLI <command> [options]
| Command | Purpose |
|---|---|
detect |
Check if target runs Shiro framework |
crack |
Brute-force or verify Shiro AES key |
exec |
Execute system commands (auto gadget detection) |
memshell |
Inject memshell (Godzilla/Behinder/AntSword etc.) |
changekey |
Replace target's Shiro key |
gui |
Launch JavaFX GUI |
With --json, output splits into two channels: lines starting with { are structured JSON logs (parseable by AI/scripts). Plain text lines are raw command output (grab with tail -1).
AES mode: --cbc (Shiro ≤1.2.4), --gcm (Shiro ≥1.2.5).
Gadget auto-detection prioritizes String/AttrCompare/ObjectToStringComparator variants (no commons-collections dependency), falling back to CB variants requiring ComparableComparator.
See @skills/shiro-attack-cli/SKILL.md for detailed CLI usage (structured as an AI Agent skill descriptor).
--json structured output for scripting and AI# Install local JARs (required once)
mvn install:install-file -Dfile=libs/jEG-Core-1.0.0.jar -DgroupId=jeg -DartifactId=jeg-core -Dversion=1.0.0 -Dpackaging=jar
mvn install:install-file -Dfile=libs/jmg-sdk-1.0.9.jar -DgroupId=jmg -DartifactId=jmg-sdk -Dversion=1.0.9 -Dpackaging=jar
# Build fat JAR (Java 8)
mvn clean package -DskipTests
# Output: target/shiro_attack-5.1.1-all.jar
Two artifact types per release:
shiro_attack-<version>-<jdk>.jar: standalone executableshiro_attack-<version>-<jdk>-bundle.zip: full bundle with data/ and lib/Runtime directory structure:
./
├── shiro_attack-{version}-{jdk}.jar
├── data/
│ └── shiro_keys.txt # Key dictionary, one Base64 key per line
└── lib/ # CommonsBeanutils JARs
Releases are auto-built by GitHub Actions on tag push (v* or X.Y.Z). Optional release notes at docs/releases/<tag>.md.
| Document | Description |
|---|---|
| docs/USAGE.md | Full feature usage guide |
| docs/FAQ.md | Frequently asked questions |
| docs/ShiroAttack2-v5-guide.md | In-depth 5.x feature walkthrough |
| docs/memshell.md | Memshell notes |
| docs/BypassWaf.md | WAF bypass |
| docs/NoGadget.md | No-gadget scenarios |
| docs/THIRD_PARTY_GENERATORS.md | jEG/jMG integration guide |
| @skills/shiro-attack-cli/SKILL.md | AI Agent skill descriptor |
This tool is intended solely for authorized internal security assessments. The author assumes no responsibility for any consequences arising from its use.
$ claude mcp add ShiroAttack2 \
-- python -m otcore.mcp_server <graph>