.. / CVE-2016-4437

Exploit for Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability (CVE-2016-4437)

Description:

Apache Shiro before 1.2.5, when a cipher key has not been configured for the “remember me” feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Nuclei Template

View the template here CVE-2016-4437.yaml

Validate with Nuclei

echo "$URL" | nuclei -t ~/nuclei-templates/http/cves/2016/CVE-2016-4437.yaml

References:

https://nvd.nist.gov/vuln/detail/CVE-2016-4437
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
http://packetstormsecurity.com/files/157497/Apache-Shiro-1.2.4-Remote-Code-Execution.html
http://rhn.redhat.com/errata/RHSA-2016-2035.html
https://github.com/Medicean/VulApps/tree/master/s/shiro/1
http://packetstormsecurity.com/files/137310/Apache-Shiro-1.2.4-Information-Disclosure.html

.. / CVE-2016-4437 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Apache Shiro 1.2.4 Cookie RememberME - Deserial Remote Code Execution Vulnerability (CVE-2016-4437)

Description:

Nuclei Template

Validate with Nuclei

.. / CVE-2016-4437