feat:apache shiro CVE-2020-1957的实际生产环境bypass例子

Author: “threedr3am”

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java

@@ -35,9 +35,11 @@ ShiroFilterFactoryBean shiroFilterFactoryBean() {
         bean.setUnauthorizedUrl("/unauthorizedurl");
         Map<String, String> map = new LinkedHashMap();
         map.put("/login", "anon");
+        map.put("/aaaaa/**", "anon");
         map.put("/bypass", "authc");
         map.put("/bypass.*", "authc");
         map.put("/bypass/**", "authc");
+        map.put("/**", "authc");
         bean.setFilterChainDefinitionMap(map);
         return bean;
     }

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java

@@ -15,6 +15,9 @@
  * todo    /aaaaa/..;/bypass  ->  bypass ->  ("/bypass", "authc")、("/bypass.*", "authc")、("/bypass/**", "authc")     (shiro <= 1.5.1)
  * todo    /bypass.xxxxx      ->  bypass ->  ("/bypass", "authc")、("/bypass/**", "authc")                             (shiro all version)
  *
+ * 有人说，实际开发不会这样配置，都是通过最后加一个("/**", "authc")全范围匹配，然而，实际上会存在某些放过的接口，例如/aaaaa/**，就能利用它进行bypass
+ * todo    /aaaaa/..;/bypass  利用存在（"/aaaaa/**", "anon"）去bypass ("/**", "authc")
+ *
  * @author threedr3am
  */
 @RestController