fix:shiro错误实例

“threedr3am” · “threedr3am” · commit b90bf78ab19a · 2020-03-27T14:28:35.000+08:00
diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java b/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java
@@ -36,6 +36,8 @@ ShiroFilterFactoryBean shiroFilterFactoryBean() {
         Map<String, String> map = new LinkedHashMap();
         map.put("/login", "anon");
         map.put("/bypass", "authc");
+        map.put("/bypass.*", "authc");
+        map.put("/bypass/**", "authc");
         bean.setFilterChainDefinitionMap(map);
         return bean;
     }
diff --git a/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java b/shiro/auth-bypass(shiro<1.5.2)/src/main/java/com/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java
@@ -7,41 +7,24 @@
 /**
  * CVE-2020-1957
  *
- * todo 当存在某个Controller使用了动态Controller时，例：存在接口/bypass和/bypass/{id}，就能通过访问 http://localhost:8080/bypass.xxxxx 或 http://localhost:8080/aaaaa/..;/bypass 绕过接口/bypass的认证控制
- * todo When there is a dynamic Controller, the Controller USES the example: there are api interface /bypass and /bypass/{id}, you can visit http://localhost:8080/bypass.xxxxx or http://localhost:8080/aaaaa/..;bypass to bypass authentication
+ * todo 通过访问 http://localhost:8080/bypass.xxxxx 或 http://localhost:8080/aaaaa/..;/bypass 绕过接口/bypass的认证控制
  *
- * todo 漏洞点在于使用了getRequestURI
- * todo The vulnerability point is in use 'getRequestURI()'
+ *  * todo 漏洞点在于使用了getRequestURI
+ *  * todo The vulnerability point is in use 'getRequestURI()'
  *
- * /aaaaa/..;/bypass
- * /bypass.xxxxx
+ * todo    /aaaaa/..;/bypass  ->  bypass ->  ("/bypass", "authc")、("/bypass.*", "authc")、("/bypass/**", "authc")     (shiro <= 1.5.1)
+ * todo    /bypass.xxxxx      ->  bypass ->  ("/bypass", "authc")、("/bypass/**", "authc")                             (shiro all version)
  *
  * @author threedr3am
  */
 @RestController
 public class BypassTestController {
 
     /**
-     *
-     * 例：配置"/bypass", "authc"，请求http://localhost:8080/bypass.xxxxx
-     *
-     * Example: configuration "/bypass", "authc", request to http://localhost:8080/bypass.xxxxx bypass
-     *
-     * shiro < 1.5.2
-     *
      * @return
      */
     @RequestMapping(value = "/bypass", method = RequestMethod.GET)
     public String bypass() {
         return "bypass1";
     }
-
-    /**
-     * @param id
-     * @return
-     */
-    @RequestMapping(value = "/bypass/{id}", method = RequestMethod.GET)
-    public String bypass2(String id) {
-        return "bypass2";
-    }
 }

Original file line number	Diff line number	Diff line change
`@@ -36,6 +36,8 @@ ShiroFilterFactoryBean shiroFilterFactoryBean() {`
`36`	`36`	`Map<String, String> map = new LinkedHashMap();`
`37`	`37`	`map.put("/login", "anon");`
`38`	`38`	`map.put("/bypass", "authc");`
	`39`	`+ map.put("/bypass.*", "authc");`
	`40`	`+ map.put("/bypass/**", "authc");`
`39`	`41`	`bean.setFilterChainDefinitionMap(map);`
`40`	`42`	`return bean;`
`41`	`43`	`}`