feat:添加apache shiro CVE-2020-1957 authentication bypass.

Author: “threedr3am”

shiro/auth-bypass(shiro<1.5.2)/pom.xml

@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>1.5.22.RELEASE</version>
+    <relativePath/>
+  </parent>
+
+  <modelVersion>4.0.0</modelVersion>
+  <artifactId>auth-bypass-cve-2020-1957</artifactId>
+  <build>
+    <plugins>
+      <plugin>
+        <groupId>org.apache.maven.plugins</groupId>
+        <artifactId>maven-compiler-plugin</artifactId>
+        <configuration>
+          <source>7</source>
+          <target>7</target>
+        </configuration>
+      </plugin>
+    </plugins>
+  </build>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-web</artifactId>
+      <version>1.5.1</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-spring</artifactId>
+      <version>1.5.1</version>
+    </dependency>
+  </dependencies>
+
+</project>

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/Application.java

@@ -0,0 +1,13 @@
+package com.threedr3am.bug.shiro.bypass.auth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+
+}

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java

@@ -0,0 +1,42 @@
+package com.threedr3am.bug.shiro.bypass.auth.config;
+
+import com.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
+import java.util.LinkedHashMap;
+import java.util.Map;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @author threedr3am
+ */
+@Configuration
+public class ShiroConfig {
+    @Bean
+    MyRealm myRealm() {
+        return new MyRealm();
+    }
+
+    @Bean
+    SecurityManager securityManager() {
+        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+        manager.setRealm(myRealm());
+        return manager;
+    }
+
+    @Bean
+    ShiroFilterFactoryBean shiroFilterFactoryBean() {
+        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+        bean.setSecurityManager(securityManager());
+        bean.setLoginUrl("/login");
+        bean.setSuccessUrl("/index");
+        bean.setUnauthorizedUrl("/unauthorizedurl");
+        Map<String, String> map = new LinkedHashMap();
+        map.put("/login", "anon");
+        map.put("/bypass", "authc");
+        bean.setFilterChainDefinitionMap(map);
+        return bean;
+    }
+}

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java

@@ -0,0 +1,47 @@
+package com.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * CVE-2020-1957
+ *
+ * todo 当存在某个Controller使用了动态Controller时，例：存在接口/bypass和/bypass/{id}，就能通过访问 http://localhost:8080/bypass.xxxxx 或 http://localhost:8080/aaaaa/..;/bypass 绕过接口/bypass的认证控制
+ * todo When there is a dynamic Controller, the Controller USES the example: there are api interface /bypass and /bypass/{id}, you can visit http://localhost:8080/bypass.xxxxx or http://localhost:8080/aaaaa/..;bypass to bypass authentication
+ *
+ * todo 漏洞点在于使用了getRequestURI
+ * todo The vulnerability point is in use 'getRequestURI()'
+ *
+ * /aaaaa/..;/bypass
+ * /bypass.xxxxx
+ *
+ * @author threedr3am
+ */
+@RestController
+public class BypassTestController {
+
+    /**
+     *
+     * 例：配置"/bypass", "authc"，请求http://localhost:8080/bypass.xxxxx
+     *
+     * Example: configuration "/bypass", "authc", request to http://localhost:8080/bypass.xxxxx bypass
+     *
+     * shiro < 1.5.2
+     *
+     * @return
+     */
+    @RequestMapping(value = "/bypass", method = RequestMethod.GET)
+    public String bypass() {
+        return "bypass1";
+    }
+
+    /**
+     * @param id
+     * @return
+     */
+    @RequestMapping(value = "/bypass/{id}", method = RequestMethod.GET)
+    public String bypass2(String id) {
+        return "bypass2";
+    }
+}

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java

@@ -0,0 +1,29 @@
+package com.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class LoginController {
+
+    @RequestMapping(value = "/login", method = RequestMethod.POST)
+    public String login(String username, String password) {
+        Subject subject = SecurityUtils.getSubject();
+        try {
+            subject.login(new UsernamePasswordToken(username, password));
+            return "登录成功!";
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
+            return "登录失败!";
+        }
+
+    }
+}

shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java

@@ -0,0 +1,28 @@
+package com.threedr3am.bug.shiro.bypass.auth.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * @author threedr3am
+ */
+public class MyRealm extends AuthorizingRealm {
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        return null;
+    }
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+        String username = (String) token.getPrincipal();
+        if (!"threedr3am".equals(username)) {
+            throw new UnknownAccountException("账户不存在!");
+        }
+        return new SimpleAuthenticationInfo(username, "123456", getName());
+    }
+}

shiro/auth-bypass(shiro<1.5.2)/src/main/resources/application.yml

@@ -0,0 +1,2 @@
+server:
+  port: 9999