CVE-2020-11989 & op README.md

“threedr3am” · threedr3am · commit a4a3d6807265 · 2020-07-18T19:32:25.000+08:00
diff --git a/README.md b/README.md
@@ -1,9 +1,14 @@
 *本项目仅用于安全研究，禁止使用本项目发起非法攻击，造成的后果使用者负责*
 
+这是一个个人用于复现、公开一些感兴趣、或者影响稍大的漏洞的项目，没有多少技术含量，权当个人技术笔记。
+
 ---
 
 ### fastjson
-##### RCE
+
+该模块主要记录一些fastjson的利用gadget，不过很多gadget并没有记录在案。
+
+##### RCE相关
 package：com.threedr3am.bug.fastjson.rce
 
 1. com.threedr3am.bug.fastjson.rce.FastjsonSerialize(TemplatesImpl) 利用条件：fastjson <= 1.2.24 + Feature.SupportNonPublicField
@@ -14,19 +19,30 @@ package：com.threedr3am.bug.fastjson.rce
 6. com.threedr3am.bug.fastjson.rce.HadoopHikariPoc(HikariConfig) 利用条件：fastjson <= 1.2.62 RCE，需要开启AutoType
 7. com.threedr3am.bug.fastjson.rce.IbatisSqlmapPoc(JtaTransactionConfig) 利用条件：fastjson <= 1.2.62 RCE，需要开启AutoType
 8. com.threedr3am.bug.fastjson.rce.ShiroPoc(shiro-core) 利用条件：fastjson <= 1.2.66 RCE，需要开启AutoType
+...省略若干
 
-##### SSRF
+##### SSRF相关
 package：com.threedr3am.bug.fastjson.ssrf
 
 1. com.threedr3am.bug.fastjson.ssrf.ApacheCxfSSRFPoc(WadlGenerator) 利用条件：fastjson <= 1.2.66 SSRF，需要开启AutoType
 2. com.threedr3am.bug.fastjson.ssrf.ApacheCxfSSRFPoc2(SchemaHandler) 利用条件：fastjson <= 1.2.66 SSRF，需要开启AutoType
 3. com.threedr3am.bug.fastjson.ssrf.CommonsJellySSRFPoc(Embedded) 利用条件：fastjson <= 1.2.66 SSRF，需要开启AutoType
 4. com.threedr3am.bug.fastjson.ssrf.JREJeditorPaneSSRFPoc(JEditorPane) 利用条件：fastjson <= 1.2.66 SSRF，需要开启AutoType
+...省略若干
+
+##### DNS域名解析相关
+package：com.threedr3am.bug.fastjson.dns
+
+##### Dos拒绝服务相关
+package：com.threedr3am.bug.fastjson.dos
+
+##### leak信息泄露相关
+package：com.threedr3am.bug.fastjson.leak
 
 ---
 
 ### jackson
-##### RCE
+##### RCE相关
 package：com.threedr3am.bug.jackson.rce
 
 1. com.threedr3am.bug.jackson.rce.AnterosPoc
@@ -37,24 +53,32 @@ package：com.threedr3am.bug.jackson.rce
 6. com.threedr3am.bug.jackson.rce.IbatisSqlmapPoc
 7. com.threedr3am.bug.jackson.rce.JndiConverterPoc
 8. com.threedr3am.bug.jackson.rce.LogbackJndi
+...省略若干
 
 ##### SSRF
 package：com.threedr3am.bug.jackson.ssrf
+...省略若干
 
 ---
 
 ### dubbo
+
+该模块主要记录dubbo相关的漏洞利用、安全加固等
+
 1. com.threedr3am.bug.dubbo.RomePoc 利用条件：存在rome依赖
 2. com.threedr3am.bug.dubbo.ResinPoc 利用条件：存在com.caucho:quercus依赖
 3. com.threedr3am.bug.dubbo.XBeanPoc 利用条件：存在org.apache.xbean:xbean-naming依赖
 4. com.threedr3am.bug.dubbo.SpringAbstractBeanFactoryPointcutAdvisorPoc 利用条件：存在org.springframework:spring-aop依赖
 
-#### dubbo/dubbo-hessian2-safe-reinforcement
+##### dubbo-hessian2-safe-reinforcement
 dubbo hessian2安全加固demo，使用黑名单方式禁止部分gadget
 
 ---
 
 ### padding-oracle-cbc
+
+用Java实现padding-oracle-cbc攻击的一些实验代码记录
+
 1. com.threedr3am.bug.paddingoraclecbc.PaddingOracle ```padding oracle java实现（多组密文实现）```
 2. com.threedr3am.bug.paddingoraclecbc.PaddingOracleCBC ```padding oracle cbc java实现（单组 <= 16bytes 密文实现）```
 3. com.threedr3am.bug.paddingoraclecbc.PaddingOracleCBC2 ```padding oracle cbc java实现（多组密文实现）```
@@ -63,29 +87,36 @@ dubbo hessian2安全加固demo，使用黑名单方式禁止部分gadget
 ---
 
 ### xxe
-paclage：com.threedr3am.bug.xxe
+
+各种XML解析组件导致XXE的复现，以及其fix代码记录
 
 ---
 
 ### commons-collections
-package：com.threedr3am.bug.collections
+
+好几年前学习反序列化的时候瞎写的东西
 
 ---
 
-###  security-anager
-package：com.threedr3am.bug.security.manager
+###  security-manager
+
+java security manager的一些绕过实验代码
 
 ---
 
 ### rmi
-package：com.threedr3am.bug.rmi
+
+rmi相关服务，以及其利用等
+
 
 ---
 
 ### tomcat
+
 tomcat相关漏洞
 
 #### ajp-bug
+
 tomcat ajp协议相关漏洞 
 1. com.threedr3am.bug.tomcat.ajp 任意文件读取和jsp渲染RCE CVE-2020-1938
 
@@ -101,6 +132,41 @@ cas相关漏洞
 ---
 
 ### spring
+
+一些Spring漏洞的复现实验代码记录
+
 1. spring-actuator(jolokia、snake-yaml、h2-hikariCP、eureka)
 2. spring-cloud-config-server(CVE-2019-3799)
-3. spring-cloud-config-server(CVE-2020-5405)
+3. spring-cloud-config-server(CVE-2020-5405)
+4. spring-cloud-config-server(CVE-2020-5410)
+5. spring-session-data-redis RCE
+
+### apache-poi
+
+apache-poi excel解析漏洞相关记录
+
+### feature
+
+一些攻击的数据特征，本来想法是看看正则等能不能都检测到
+
+### java-compile
+
+java动态编译、操纵字节码的实现代码
+
+### nexus
+
+maven nexus的一些RCE、Auth Bypass漏洞的复现记录
+
+### ShardingSphere-UI
+
+ShardingSphere-UI的一些漏洞记录
+
+1. CVE-2020-1947 (YAML反序列化RCE漏洞)
+
+### shiro
+
+记录了最近shiro被发现的一些认证bypass漏洞
+
+1. bypass shiro <= 1.4.1
+2. bypass shiro <= 1.5.2 (CVE-2020-1957)
+3. bypass shiro <= 1.5.3 (CVE-2020-11989)
diff --git a/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Threedr3am.java b/fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Threedr3am.java
diff --git a/shiro/auth-bypass(shiro<1.5.3)/pom.xml b/shiro/auth-bypass(shiro<1.5.3)/pom.xml
@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>1.5.22.RELEASE</version>
+    <relativePath/>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>auth-bypass-cve-2020-11989</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-web</artifactId>
+      <version>1.5.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-spring</artifactId>
+      <version>1.5.2</version>
+    </dependency>
+  </dependencies>
+
+</project>
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java b/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java
@@ -0,0 +1,13 @@
+package me.threedr3am.bug.shiro.bypass.auth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+
+}
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java
@@ -0,0 +1,43 @@
+package me.threedr3am.bug.shiro.bypass.auth.config;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @author threedr3am
+ */
+@Configuration
+public class ShiroConfig {
+    @Bean
+    MyRealm myRealm() {
+        return new MyRealm();
+    }
+
+    @Bean
+    SecurityManager securityManager() {
+        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+        manager.setRealm(myRealm());
+        return manager;
+    }
+
+    @Bean
+    ShiroFilterFactoryBean shiroFilterFactoryBean() {
+        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+        bean.setSecurityManager(securityManager());
+        bean.setLoginUrl("/login");
+        bean.setSuccessUrl("/index");
+        bean.setUnauthorizedUrl("/unauthorizedurl");
+        Map<String, String> map = new LinkedHashMap();
+        map.put("/login", "anon");
+        map.put("/aaaaa/**", "anon");
+        map.put("/bypass/*", "authc");
+        bean.setFilterChainDefinitionMap(map);
+        return bean;
+    }
+}
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java
@@ -0,0 +1,33 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * todo 这个洞利用价值不大，基本使用shiro做认证的系统，都会利用/** authc兜底
+ * CVE-2020-11989
+ *
+ * todo-1. 通过访问 http://localhost:8080/bypass/bypass/aaa%252Faaa (两次编码的"aaa/aaa") 绕过接口/bypass的认证控制
+ *  * 漏洞点在于tomcat只会对url进行一次解码，而shiro进行了两次解码
+ *  * 两次解码后，路径变成 http://localhost:8080/bypass/bypass/aaa/aaa 绕过了权限 "/bypass/*" 的match
+ *
+ * todo-2. 通过访问 http://localhost:8080/;/bypass/bypass/111 绕过接口/bypass的认证控制
+ *  * 漏洞点在于shiro会对;分号进行截断，访问的 /;/bypass/bypass/111 变成了 / ，自然就绕过了权限 "/bypass/*" 的match
+ *  * server:
+ *      context-path: /bypass
+ *
+ * @author threedr3am
+ */
+@RestController
+public class BypassTestController {
+
+    /**
+     * @return
+     */
+    @RequestMapping(value = "/bypass/{id}", method = RequestMethod.GET)
+    public String bypass(@PathVariable(name = "id") String id) {
+        return "bypass1 -> " + id;
+    }
+}
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java b/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java
@@ -0,0 +1,29 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class LoginController {
+
+    @RequestMapping(value = "/login", method = RequestMethod.POST)
+    public String login(String username, String password) {
+        Subject subject = SecurityUtils.getSubject();
+        try {
+            subject.login(new UsernamePasswordToken(username, password));
+            return "登录成功!";
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
+            return "登录失败!";
+        }
+
+    }
+}
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java b/shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java
@@ -0,0 +1,28 @@
+package me.threedr3am.bug.shiro.bypass.auth.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * @author threedr3am
+ */
+public class MyRealm extends AuthorizingRealm {
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        return null;
+    }
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+        String username = (String) token.getPrincipal();
+        if (!"threedr3am".equals(username)) {
+            throw new UnknownAccountException("账户不存在!");
+        }
+        return new SimpleAuthenticationInfo(username, "123456", getName());
+    }
+}
diff --git a/shiro/auth-bypass(shiro<1.5.3)/src/main/resources/application.yml b/shiro/auth-bypass(shiro<1.5.3)/src/main/resources/application.yml
diff --git a/shiro/pom.xml b/shiro/pom.xml
