CVE-2020-11989

Author: jingfeng

shiro/auth-bypass(shiro<1.5.3)/pom.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+  <parent>
+    <groupId>org.springframework.boot</groupId>
+    <artifactId>spring-boot-starter-parent</artifactId>
+    <version>1.5.22.RELEASE</version>
+    <relativePath/>
+  </parent>
+  <modelVersion>4.0.0</modelVersion>
+
+  <artifactId>auth-bypass-cve-2020-11989</artifactId>
+
+  <dependencies>
+    <dependency>
+      <groupId>org.springframework.boot</groupId>
+      <artifactId>spring-boot-starter-web</artifactId>
+    </dependency>
+
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-web</artifactId>
+      <version>1.5.2</version>
+    </dependency>
+    <dependency>
+      <groupId>org.apache.shiro</groupId>
+      <artifactId>shiro-spring</artifactId>
+      <version>1.5.2</version>
+    </dependency>
+  </dependencies>
+
+</project>

shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/Application.java

@@ -0,0 +1,13 @@
+package me.threedr3am.bug.shiro.bypass.auth;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class Application {
+
+    public static void main(String[] args) {
+        SpringApplication.run(Application.class, args);
+    }
+
+}

shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/config/ShiroConfig.java

@@ -0,0 +1,43 @@
+package me.threedr3am.bug.shiro.bypass.auth.config;
+
+import java.util.LinkedHashMap;
+import java.util.Map;
+import me.threedr3am.bug.shiro.bypass.auth.realm.MyRealm;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+/**
+ * @author threedr3am
+ */
+@Configuration
+public class ShiroConfig {
+    @Bean
+    MyRealm myRealm() {
+        return new MyRealm();
+    }
+
+    @Bean
+    SecurityManager securityManager() {
+        DefaultWebSecurityManager manager = new DefaultWebSecurityManager();
+        manager.setRealm(myRealm());
+        return manager;
+    }
+
+    @Bean
+    ShiroFilterFactoryBean shiroFilterFactoryBean() {
+        ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
+        bean.setSecurityManager(securityManager());
+        bean.setLoginUrl("/login");
+        bean.setSuccessUrl("/index");
+        bean.setUnauthorizedUrl("/unauthorizedurl");
+        Map<String, String> map = new LinkedHashMap();
+        map.put("/login", "anon");
+        map.put("/aaaaa/**", "anon");
+        map.put("/bypass/*", "authc");
+        bean.setFilterChainDefinitionMap(map);
+        return bean;
+    }
+}

shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/BypassTestController.java

@@ -0,0 +1,33 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * todo 这个洞利用价值不大，基本使用shiro做认证的系统，都会利用/** authc兜底
+ * CVE-2020-11989
+ *
+ * todo-1. 通过访问 http://localhost:8080/bypass/bypass/aaa%252Faaa (两次编码的"aaa/aaa") 绕过接口/bypass的认证控制
+ *  * 漏洞点在于tomcat只会对url进行一次解码，而shiro进行了两次解码
+ *  * 两次解码后，路径变成 http://localhost:8080/bypass/bypass/aaa/aaa 绕过了权限 "/bypass/*" 的match
+ *
+ * todo-2. 通过访问 http://localhost:8080/;/bypass/bypass/111 绕过接口/bypass的认证控制
+ *  * 漏洞点在于shiro会对;分号进行截断，访问的 /;/bypass/bypass/111 变成了 / ，自然就绕过了权限 "/bypass/*" 的match
+ *  * server:
+ *      context-path: /bypass
+ *
+ * @author threedr3am
+ */
+@RestController
+public class BypassTestController {
+
+    /**
+     * @return
+     */
+    @RequestMapping(value = "/bypass/{id}", method = RequestMethod.GET)
+    public String bypass(@PathVariable(name = "id") String id) {
+        return "bypass1 -> " + id;
+    }
+}

shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/controller/LoginController.java

@@ -0,0 +1,29 @@
+package me.threedr3am.bug.shiro.bypass.auth.controller;
+
+import org.apache.shiro.SecurityUtils;
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.UsernamePasswordToken;
+import org.apache.shiro.subject.Subject;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RequestMethod;
+import org.springframework.web.bind.annotation.RestController;
+
+/**
+ * @author threedr3am
+ */
+@RestController
+public class LoginController {
+
+    @RequestMapping(value = "/login", method = RequestMethod.POST)
+    public String login(String username, String password) {
+        Subject subject = SecurityUtils.getSubject();
+        try {
+            subject.login(new UsernamePasswordToken(username, password));
+            return "登录成功!";
+        } catch (AuthenticationException e) {
+            e.printStackTrace();
+            return "登录失败!";
+        }
+
+    }
+}

shiro/auth-bypass(shiro<1.5.3)/src/main/java/me/threedr3am/bug/shiro/bypass/auth/realm/MyRealm.java

@@ -0,0 +1,28 @@
+package me.threedr3am.bug.shiro.bypass.auth.realm;
+
+import org.apache.shiro.authc.AuthenticationException;
+import org.apache.shiro.authc.AuthenticationInfo;
+import org.apache.shiro.authc.AuthenticationToken;
+import org.apache.shiro.authc.SimpleAuthenticationInfo;
+import org.apache.shiro.authc.UnknownAccountException;
+import org.apache.shiro.authz.AuthorizationInfo;
+import org.apache.shiro.realm.AuthorizingRealm;
+import org.apache.shiro.subject.PrincipalCollection;
+
+/**
+ * @author threedr3am
+ */
+public class MyRealm extends AuthorizingRealm {
+    @Override
+    protected AuthorizationInfo doGetAuthorizationInfo(PrincipalCollection principals) {
+        return null;
+    }
+    @Override
+    protected AuthenticationInfo doGetAuthenticationInfo(AuthenticationToken token) throws AuthenticationException {
+        String username = (String) token.getPrincipal();
+        if (!"threedr3am".equals(username)) {
+            throw new UnknownAccountException("账户不存在!");
+        }
+        return new SimpleAuthenticationInfo(username, "123456", getName());
+    }
+}

shiro/auth-bypass(shiro<1.5.3)/src/main/resources/application.yml

@@ -0,0 +1,2 @@
+server:
+  context-path: /bypass

shiro/pom.xml

@@ -11,6 +11,9 @@
 
   <artifactId>shiro</artifactId>
   <packaging>pom</packaging>
+  <modules>
+    <module><![CDATA[auth-bypass(shiro<1.5.3)]]></module>
+  </modules>
 
 
 </project>