Shulou(Shulou.com)06/01 Report--

This "how to achieve Java Filter access bypass" article most people do not understand, so the editor summed up the following content, detailed, clear steps, with a certain reference value, I hope you can get something after reading this article, let's take a look at this "how to achieve Java Filter authority bypass" article.

Implementation of authority control

In common implementation, without calling permission control components such as Spring Security and Shiro, Filter will be used to obtain the request path for verification.

Write a servlet

Package com.nice0e3;import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;@WebServlet ("/ helloServlet") public class helloServlet extends HttpServlet {protected void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {response.getWriter () .write ("hellograms!") } protected void doGet (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {this.doPost (request, response);}}

Define a Filter

Package com.nice0e3.filter;import com.nice0e3.User;import javax.servlet.*;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import java.io.IOException;@WebFilter ("/ *") public class demoFilter implements Filter {public void destroy () {} public void doFilter (ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {HttpServletRequest request = (HttpServletRequest) req; String uri = request.getRequestURI (); StringBuffer requestURL = request.getRequestURL () System.out.println (requestURL); if (uri.startsWith ("/ system/login")) {/ / the login interface sets the whitelist, that is, login page System.out.println ("login_page"); resp.getWriter (). Write ("login_page"); chain.doFilter (request, resp);} else if (uri.endsWith (".do") | | uri.endsWith (".action")) {/ / detect whether the current account logs in to User user = (User) request.getSession (). GetAttribute ("user"); if (user = = null) {resp.getWriter (). Write ("unauthorized access"); / / unauthorized access to System.out.println ("unauthorized access"); resp.getWriter (). Write ("go to login_page"); / / Redirect login System.out.println ("go to login_page");} public void init (FilterConfig config) throws ServletException {}}

Request.getRequestURI () is used here; if the URI starts with / system/login, it will be released directly. At the end, check for requests for .do and .action to get whether session has a value of user, return unauthorized access if not, and release it if there is no user in the request for .do and .action or if there is a user in the request.

Visit the main page, display unauthorized access and jump to the login page

In Java, you usually use the methods request.getRequestURL () and request.getRequestURI () to get the request path, and then verify the request path.

.. / bypass mode

It uses a.. / way to bypass here.

Instead of showing unauthorized access, you can access the main directly, bypassing the permission control. You can find some whitelist paths when bypassing, and then use.. / to bypass.

Payload:/system/login/../../login/main.do

Bypass principle analysis

As you can see in the picture above, we begin with system/login in front of us

Match the matching rule, and after matching the rule, it is released directly, so that the system thinks that the access path is a login path, but then add 2.. / to jump to the root directory, and splice the login/main.do. At this time, the actual access is http://127.0.0.1/login/main.do.

Usable

StringBuffer requestURL = request.getRequestURL (); if (requestURL.toString () .startsWith ("/ system/login"))

Request.getRequestURL (); this method acquires URL that carries information such as http://127.xxx. In fact, this is a bit of nonsense, because if you verify the character path of the header, use request.getRequestURI (); to get the request path part for verification.

URL truncation bypass

Filter.. / based on the previous Filter code

Package com.nice0e3.filter;import com.nice0e3.User;import javax.servlet.*;import javax.servlet.annotation.WebFilter;import javax.servlet.http.HttpServletRequest;import java.io.IOException;@WebFilter ("/ *") public class demoFilter implements Filter {public void destroy () {} public void doFilter (ServletRequest req, ServletResponse resp, FilterChain chain) throws ServletException, IOException {HttpServletRequest request = (HttpServletRequest) req; String uri = request.getRequestURI (); StringBuffer requestURL = request.getRequestURL () System.out.println (requestURL); if (uri.startsWith ("/ system/login")) {/ / the login interface sets the whitelist, that is, login page System.out.println ("login_page"); resp.getWriter (). Write ("login_page"); chain.doFilter (request, resp);} else if (uri.endsWith (".do") | | uri.endsWith (".action")) {/ / detect whether the current account logs in to User user = (User) request.getSession (). GetAttribute ("user"); if (user = = null) {resp.getWriter (). Write ("unauthorized access"); / / unauthorized access to System.out.println ("unauthorized access"); resp.getWriter (). Write ("go to login_page"); / / Redirect login System.out.println ("go to login_page");} public void init (FilterConfig config) throws ServletException {}}

Add an extra uri.contains (". /") to filter as long as it contains. / characters to report errors directly.

An error will be reported at this time, as can be seen in the picture above. Be able to bypass

Payload:/login/main.do;123

Bypass analysis

There is a semicolon in URL; it is mainly used for parameter segmentation. Sometimes too many parameters are passed in the request, so the semicolon is used; the parameter pair (key=value) is concatenated and passed as a request parameter.

Let's take a look at the code, which recognizes the characters with the suffixes of .do and .action and adds them; after adding random content, it won't be recognized in the code. Then you go to the bottom chain.doFilter (request,resp); and add it later; the semicolon has no effect on the access to the address.

Many / bypass

Create a background interface that allows only admin users to log in and access

Package com.nice0e3.Servlet;import javax.servlet.ServletException;import javax.servlet.annotation.WebServlet;import javax.servlet.http.HttpServlet;import javax.servlet.http.HttpServletRequest;import javax.servlet.http.HttpServletResponse;import java.io.IOException;@WebServlet ("/ system/UserInfoSearch.do") public class UserInfoServlet extends HttpServlet {protected void doPost (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {response.getWriter () .write ("adminstration loginboxes!") } protected void doGet (HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {this.doPost (request, response);}}

And the step of access control must be implemented in Filter.

String uri = request.getRequestURI (); if (uri.equals ("/ system/UserInfoSearch.do")) {User user = (User) request.getSession (). GetAttribute ("user"); String role = user.getRole (); if (role.equals ("admin")) {/ / the current subscriber is admin, which allows access to the receiving chain.doFilter (request, resp) } else {resp.getWriter () .write ("Unauthorized"); return;}}

At this time, the / system/UserInfoSearch.do is checked. After obtaining the URI address, the match is made. If it is this / system/UserInfoSearch.do, the user's identity is verified. If the user is not admin, the Unauthorized is displayed and the access is ultra vires.

You can directly access the page that can only be accessed by admin users.

Payload: / / system/UserInfoSearch.do;123

Bypass analysis

You can see that the code only compares whether URI is / system/UserInfoSearch.do, and adding one more / does not affect normal parsing, but makes the rule mismatch.

URL coding bypass

Still use the above code demonstration, bypass technique is replaced with url coding bypass way.

Payload:/system/%55%73%65%72%49%6e%66%6f%53%65%61%72%63%68%2e%64%6f

Bypass analysis

When the Filter processes the relevant process, the middleware will perform a URL decoding operation on the requested URL, and then request the decoded Servlet, but it will not be automatically decoded in request.getRequestURL () and request.getRequestURI (), so it will not be recognized if it is directly received for rule matching at this time. This led to a bypass.

Append / bypass in Spring MVC

In SpringMVC, it is assumed that it is configured as follows:

SpringMVC/

Under certain circumstances, Spring will be fault-tolerant when it matches the web path, followed by /

For example, / admin/main.do/

Repair

Use this code to accept URI

String uri1 = request.getServletPath () + (request.getPathInfo ()! = null? Request.getPathInfo (): "")

Let's try the previous ways to bypass.

The semicolon phase bypasses payload: / login/main.do;123

Multiple / Bypass payload: / / system/UserInfoSearch.do;123

URL encoding bypasses payload:/system/%55%73%65%72%49%6e%66%6f%53%65%61%72%63%68%2e%64%6f

.. / Bypass payload:/system/login/../../login/main.do

Both are not available. After using the above method to accept URI, the special characters sent when accepting the past will be deleted. The break point is visible.

Focus

Request.getRequestURL () and request.getRequestURI () are mentioned earlier, and these dangerous characters are not automatically removed. Focus can be placed on this method.

The above is about the content of this article on "how to achieve Filter access bypass of Java". I believe we all have a certain understanding. I hope the content shared by the editor will be helpful to you. If you want to know more about the relevant knowledge, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.