2025-01-19 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 05/31 Report
This article explains how to reproduce the Shiro authorization bypass vulnerability CVE-2020-1957. The editor thinks it is very practical and shares it with you in the hope that you get something out of it.
0x00 Introduction
Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, password, and session management. With Shiro's easy-to-understand API, you can quickly and easily access any application, from the smallest mobile application to the largest network and enterprise application.
0x01 Vulnerability overview
The Shiro framework controls user access through interceptors (filters) such as anon and authc. anon is the anonymous interceptor: a path mapped to it can be accessed without logging in. authc is the authentication interceptor: a path mapped to it can only be accessed after logging in. The root cause of the bypass is a difference in how a trailing / is treated: Shiro's filter chain does not match a URL ending in / against the authc rule, while Spring Web still routes that URL to the controller, so the login check is skipped.
0x02 Affected versions
Apache Shiro < 1.5.3
0x03 Environment setup
1. Download the sample code from https://github.com/lenve/javaboy-code-samples/tree/master/shiro/shiro-basic
2. Import the project into IntelliJ IDEA. The Shiro version is visible in pom.xml; change it to 1.4.2 (this step is optional).
3. Open ShiroConfig.java in the main directory and add an interception rule for the authc interceptor:

    map.put("/hello/*", "authc");

4. Open LoginController.java, and add the following route handler method (with its import):

    import org.springframework.web.bind.annotation.PathVariable;

    // Path parameter route protected by the authc rule above
    @GetMapping("/hello/{currentPage}")
    public String hello(@PathVariable Integer currentPage) {
        return "hello";
    }

5. Click the run triangle at the top right to start the application; the startup log indicates that it started successfully.
0x04 Vulnerability reproduction
1. Visit http://your-ip:8080/login in the browser; you can see that you need to log in.
2. Open Burp, visit the home page to capture the request, and send the captured request to the Repeater module.
3. Change the URL to /hello/1 and send the request; you can see that it redirects to the login page.
4. Append a slash to the URL, changing /hello/1 to /hello/1/, and send it again; the request now succeeds without logging in.
0x05 Remediation
Upgrading to the latest version is recommended.
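To make the overview (0x01) and step 4 of the reproduction concrete from the defender's side, here is an added example that is not part of the original article and not Shiro's or Spring's code. It models, in a simplified form, an Ant-style path matcher that is sensitive to a trailing slash (so /hello/* does not match /hello/1/, the behaviour the article describes for the filter rule), the canonicalization step that removes the discrepancy before any rule lookup, and a check over access-log lines that flags requests whose applicable rule changes once the path is canonicalized. The rule table, the matcher and the log lines are all constructed here and are assumptions for illustration.

```python
"""Added example (not from the article or the Shiro project): a simplified model of
trailing-slash-sensitive path matching, the normalization that removes the gap,
and a log check for requests that land on a weaker rule than their canonical path."""
import fnmatch
import re
from typing import Dict, List, Optional, Tuple


def normalize_path(path: str) -> str:
    """Canonicalize a request path before it is compared against access rules:
    drop the query string, collapse repeated slashes, resolve '.' and '..',
    and remove a trailing slash so /hello/1/ and /hello/1 denote the same resource."""
    path = path.split("?", 1)[0]
    segments: List[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue  # empty segment = leading, repeated, or trailing slash
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def _match_segments(pattern: List[str], segs: List[str]) -> bool:
    """Ant-style matching on already-split segments:
    '*' matches within one segment, '**' matches zero or more whole segments."""
    if not pattern:
        return not segs
    if pattern[0] == "**":
        return any(_match_segments(pattern[1:], segs[i:]) for i in range(len(segs) + 1))
    if not segs:
        return False
    return fnmatch.fnmatchcase(segs[0], pattern[0]) and _match_segments(pattern[1:], segs[1:])


def ant_match(pattern: str, path: str, trailing_slash_sensitive: bool = True) -> bool:
    """Match an Ant-style pattern against a raw path. When trailing_slash_sensitive is
    set, a pattern and path that disagree on a trailing '/' never match (patterns ending
    in '**' are exempt). This is a simplified model of the behaviour the article
    describes, not Shiro's matcher."""
    if trailing_slash_sensitive and not pattern.endswith("**"):
        if pattern.endswith("/") != path.endswith("/"):
            return False
    pat_segs = [s for s in pattern.split("/") if s]
    path_segs = [s for s in path.split("/") if s]
    return _match_segments(pat_segs, path_segs)


def resolve_filter(path: str, rules: Dict[str, str], normalize: bool) -> Optional[str]:
    """First-match lookup of a path in an ordered rule table (pattern -> filter name),
    the way a filter chain is consulted. With normalize=True the path is canonicalized
    first, which is the mitigation step this example demonstrates."""
    if normalize:
        path = normalize_path(path)
    for pattern, filter_name in rules.items():
        if ant_match(pattern, path):
            return filter_name
    return None


# Constructed rule table; "/hello/*" -> "authc" is the rule the article adds in ShiroConfig.
RULES: Dict[str, str] = {
    "/login": "anon",
    "/hello/*": "authc",
    "/**": "anon",
}

LOG_RE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/')


def find_rule_mismatches(log_lines: List[str], rules: Dict[str, str]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Return (raw_path, rule_before_normalization, rule_after_normalization) for every
    request whose applicable rule changes once the path is canonicalized: those are the
    requests that reached a protected handler while the chain applied a weaker rule."""
    findings = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        raw = m.group(1)
        before = resolve_filter(raw, rules, normalize=False)
        after = resolve_filter(raw, rules, normalize=True)
        if before != after:
            findings.append((raw, before, after))
    return findings


# Constructed access-log lines in common log format; not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2020:10:00:01 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.5 - - [31/May/2020:10:00:02 +0000] "GET /hello/1 HTTP/1.1" 302 0',
    '10.0.0.5 - - [31/May/2020:10:00:03 +0000] "GET /hello/1/ HTTP/1.1" 200 5',
    '10.0.0.5 - - [31/May/2020:10:00:04 +0000] "GET /hello/1?page=2 HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for raw, before, after in find_rule_mismatches(SAMPLE_LOG, RULES):
        print(f"{raw}: chain applied {before!r}, canonical path requires {after!r}")
```

Run as a script, the check reports only the /hello/1/ request: without normalization the trailing slash pushes it past the authc rule onto the catch-all anon rule, while the canonical path /hello/1 requires authc. The design point is that the same canonical form must feed both the authorization decision and the route dispatch; resolving the slash in only one of them is exactly the gap the article reproduces, and the upgrade recommended above closes it on the Shiro side.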
The above is how to reproduce the Shiro authorization bypass vulnerability CVE-2020-1957. The editor believes some of these points may come up in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
© 2024 shulou.com SLNews company. All rights reserved.