diff --git a/Shiro/CVE-2016-4437/CVE-2016-4437_1.png b/Shiro/CVE-2016-4437/CVE-2016-4437_1.png new file mode 100644 index 0000000..2123aa4 Binary files /dev/null and b/Shiro/CVE-2016-4437/CVE-2016-4437_1.png differ diff --git a/Shiro/CVE-2016-4437/CVE-2016-4437_2.png b/Shiro/CVE-2016-4437/CVE-2016-4437_2.png new file mode 100644 index 0000000..dfd6ca0 Binary files /dev/null and b/Shiro/CVE-2016-4437/CVE-2016-4437_2.png differ diff --git a/Shiro/CVE-2016-4437/README.md b/Shiro/CVE-2016-4437/README.md new file mode 100644 index 0000000..01ffb43 --- /dev/null +++ b/Shiro/CVE-2016-4437/README.md @@ -0,0 +1,13 @@ +# CVE-2016-4437 Apache Shiro Deserialization Vulnerability + +Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter. + +**Affected Version**: Apache Shiro < 1.2.5 + +**[FOFA](https://fofa.so/result?qbase64=YXBwPSJBcGFjaGUtU2hpcm8i) query rule**: app="Apache-Shiro" + +# Demo + +![](CVE-2016-4437_1.png) + +![](CVE-2016-4437_2.png) \ No newline at end of file
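Review bot: The README hunk documents the vulnerability but not its fix; since the description itself says the issue exists "before 1.2.5" and only "when a cipher key has not been configured for the 'remember me' feature", add a short Remediation section stating that upgrading to Apache Shiro 1.2.5 or later and configuring a non-default rememberMe cipher key closes it, so a reader of this directory learns the defensive action alongside the affected-version line. Two smaller points in the same hunk: "# Demo" is a second top-level heading under the title, so it should be "## Demo", and the two images are bare `![](...)` references with no alt text or caption explaining what each screenshot shows. The file also ends without a trailing newline ("\ No newline at end of file"); add one to match the rest of the repository.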