lerry903 / RuoYi

A permission management system based on Spring Boot 2.1 that is easy to read and understand, with a clean and attractive interface. The core technology uses Spring, MyBatis and Shiro, with no other heavyweight dependencies. It can be used directly after running.

Home Page: http://www.ruoyi.vip

Wrong code modification leads to Shiro deserialization vulnerability

BetterDefender opened this issue · comments

The cause of the vulnerability
The project uses Shiro 1.7.0; this version should not have this vulnerability.
Code-level troubleshooting:

  1. The default key is used (one of the reasons for this vulnerability).
  2. From the point of view of the exploited gadget, the commons-collections exploit chain is used (the second reason for this vulnerability); to avoid the commons-collections vulnerability, version 3.2.2 or above should be used.
  3. Check the Shiro-related calling code:
     The Shiro deserialization vulnerability is caused by calling the getRememberedSerializedIdentity() function of the CookieRememberMeManager class. The official repair code is as follows; the repair plan is to delete the CookieRememberMeManager class.
     The CookieRememberMeManager class was added when the open source project was rewritten, which led to the vulnerability.

Exploit:
You can use the following tool to exploit this vulnerability (GitHub project): https://github.com/j1anFen/shiro_attack
Executing system commands
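As an added example that is not code from this issue or from the RuoYi project, the following contrasts the weak setting behind point 1 above (a fixed rememberMe cipher key shared by every deployment) with a key generated at startup, and adds a startup check that refuses the fixed key. The class name, method names and the key bytes are constructed for illustration; only the Shiro API calls are real.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.util.Arrays;

import org.apache.shiro.crypto.AesCipherService;
import org.apache.shiro.web.mgt.CookieRememberMeManager;

// Added example, not code from the issue or the RuoYi project. Contrasts a
// fixed cipher key with one generated per deployment for Shiro's rememberMe cookie.
public class RememberMeKeyExample {

    // Weak: a fixed key compiled into the application. Every deployment shares it,
    // so anyone who learns it can forge a rememberMe cookie that the server will
    // decrypt and then deserialize. (Constructed placeholder bytes, not a real key.)
    static final byte[] FIXED_KEY = "constructed-key!".getBytes(StandardCharsets.UTF_8);

    public static CookieRememberMeManager weakManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        manager.setCipherKey(FIXED_KEY);
        return manager;
    }

    // Hardened: generate a fresh 128-bit AES key when the application starts.
    // Shiro 1.7 already does this on its own when no key is configured; the key
    // only becomes predictable when a fixed value is set explicitly, as in the issue.
    public static CookieRememberMeManager hardenedManager() {
        CookieRememberMeManager manager = new CookieRememberMeManager();
        Key key = new AesCipherService().generateNewKey();
        manager.setCipherKey(key.getEncoded());
        return manager;
    }

    // Startup self-check: detect a manager still carrying the known fixed key,
    // so deployment can fail fast instead of shipping a forgeable cookie.
    public static boolean usesFixedKey(CookieRememberMeManager manager) {
        return Arrays.equals(manager.getCipherKey(), FIXED_KEY);
    }

    public static void main(String[] args) {
        System.out.println("weak manager uses fixed key: " + usesFixedKey(weakManager()));
        System.out.println("hardened manager uses fixed key: " + usesFixedKey(hardenedManager()));
    }
}
```

Removing the re-added CookieRememberMeManager class, as the issue's repair plan describes, removes the rememberMe deserialization path altogether; the key check above is for deployments that keep the feature.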