Affected versions
1.0.0-incubating
Vulnerability principle
The request path is not normalized before it is matched against the filter chain, so a path containing /./ bypasses access control.
Vulnerability reproduction
Environment setup
The environment is Spring Boot + Shiro; the basic setup is described here:
https://ho1aas.blog.csdn.net/article/details/125367641
ShiroConfig
package com.example.shirospring.config;

import org.apache.shiro.realm.text.IniRealm;
import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

import java.util.LinkedHashMap;
import java.util.Map;

@Configuration
public class ShiroConfig {

    // Users and roles are read from shiro.ini on the classpath.
    @Bean
    public IniRealm getIniRealm() {
        return new IniRealm("classpath:shiro.ini");
    }

    @Bean
    public DefaultWebSecurityManager getDefaultWebSecurityManager(IniRealm iniRealm) {
        DefaultWebSecurityManager securityManager = new DefaultWebSecurityManager();
        securityManager.setRealm(iniRealm);
        return securityManager;
    }

    @Bean
    public ShiroFilterFactoryBean getShiroFilterFactoryBean(DefaultWebSecurityManager defaultWebSecurityManager) {
        ShiroFilterFactoryBean filter = new ShiroFilterFactoryBean();
        filter.setSecurityManager(defaultWebSecurityManager);
        // Shiro evaluates chain definitions in insertion order and the first
        // matching pattern wins, so the map must preserve order (LinkedHashMap,
        // not HashMap). Everything is anonymous by default; the reproduction
        // step below adds an entry that requires authentication for secret.html,
        // e.g. filterMap.put("/secret.html", "authc"); placed before "/**".
        Map<String, String> filterMap = new LinkedHashMap<>();
        filterMap.put("/**", "anon");
        filter.setFilterChainDefinitionMap(filterMap);
        filter.setLoginUrl("/login.html");
        filter.setUnauthorizedUrl("/unauthorized.html");
        return filter;
    }
}
UserController
package com.example.shirospring.controller;

import com.example.shirospring.service.UserServiceImpl;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/user")
public class UserController {

    @Autowired
    UserServiceImpl userService;

    // POST /user/login with form fields username and password.
    @PostMapping("/login")
    public String login(String username, String password) {
        try {
            userService.checkLogin(username, password);
            return "login successfully!";
        } catch (Exception e) {
            // Any AuthenticationException from Shiro ends up here.
            return "error";
        }
    }
}
UserServiceImpl
package com.example.shirospring.service;

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Service;

@Service
public class UserServiceImpl {

    // Authenticates the current Subject against the IniRealm; Shiro throws
    // an AuthenticationException on failure, which the controller catches.
    public void checkLogin(String username, String password) throws Exception {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(username, password);
        subject.login(token);
    }
}
index, login, unauthorized
Three simple HTML pages are enough.
shiro.ini
Two users and two roles are enough.
[users]
# username = password, role
user=user,user
admin=admin,admin
[roles]
# role = permission
admin=*
user=use
Reproduction steps
Create a secret.html under resources.
Then in ShiroConfig.getShiroFilterFactoryBean, that is, in the filter chain definition, add a rule so that the page can only be accessed after authentication.
Use Burp to request secret.html without logging in: the response says you are not logged in and must authenticate.
Then request /./secret.html: the page is returned successfully. This step cannot be done with HackBar (the browser normalizes the path before sending the request, so the /./ never reaches the server).
Code audit
PathMatchingFilterChainResolver.getChain
It obtains the filter chain and then invokes the filters.
The request URI is simply cut out of the request, without any processing.
It then tries each chain definition in turn until one matches.
Matching is done by AntPathMatcher.matches, which compares the literal strings character for character.
Configuring the filters this way therefore leads to unauthenticated/unauthorized access.
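To make the two steps above concrete (the reproduction with /./secret.html and the audit of getChain), here is an added Python model of the chain resolver; it is not Shiro code and not from the original post. It assumes a simplified Ant-style matcher that only supports the `?`, `*` and `/**` wildcards, and uses `posixpath.normpath` as a stand-in for the normalization that the fixed versions perform before matching. The chain definitions are constructed to mirror the ShiroConfig above plus the `/secret.html` -> `authc` rule that the reproduction step adds.

```python
import posixpath
import re

# Constructed filter chain definitions (assumption: mirrors the ShiroConfig in
# the post plus the "/secret.html -> authc" rule added during reproduction).
# Order matters: the resolver walks the list and the first match wins, which is
# why the Java config needs a LinkedHashMap rather than a HashMap.
FILTER_CHAIN_DEFINITIONS = [
    ("/secret.html", "authc"),
    ("/**", "anon"),
]


def ant_to_regex(pattern):
    """Translate an Ant-style path pattern into a compiled regular expression.

    Simplified stand-in for AntPathMatcher (assumption: only '?', '*' and
    '/**' are needed). Literal characters are compared verbatim, exactly like
    the string comparison in the original matcher, so the literal pattern
    "/secret.html" does not match the path "/./secret.html".
    """
    out = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            out.append("(?:/.*)?")      # zero or more whole path segments
            i += 3
        elif pattern[i] == "*":
            out.append("[^/]*")         # any run of characters inside one segment
            i += 1
        elif pattern[i] == "?":
            out.append("[^/]")          # exactly one character inside a segment
            i += 1
        else:
            out.append(re.escape(pattern[i]))
            i += 1
    return re.compile("^" + "".join(out) + "$")


def has_dot_segment(request_uri):
    """Defensive check: does the path contain a '.' or '..' segment?

    Such a path changes under normalization, which is precisely the condition
    the vulnerable resolver never checks. Suitable as a log or WAF rule for
    spotting requests that try to sidestep path-based rules.
    """
    return any(segment in (".", "..") for segment in request_uri.split("/"))


def resolve_chain(request_uri, normalize):
    """Return (path_used_for_matching, filter_name) for a request URI.

    normalize=False models PathMatchingFilterChainResolver.getChain in
    1.0.0-incubating: the URI is cut out of the request and matched as-is.
    normalize=True collapses '.' and '..' segments first, so the path that is
    matched is the same one the servlet container will actually serve.
    """
    path = posixpath.normpath(request_uri) if normalize else request_uri
    for pattern, filter_name in FILTER_CHAIN_DEFINITIONS:
        if ant_to_regex(pattern).match(path):
            return path, filter_name
    return path, None


if __name__ == "__main__":
    for uri in ("/secret.html", "/./secret.html", "/index.html"):
        print(uri,
              "| raw ->", resolve_chain(uri, normalize=False)[1],
              "| normalized ->", resolve_chain(uri, normalize=True)[1],
              "| dot segment:", has_dot_segment(uri))
```

With `normalize=False`, `/./secret.html` falls through the literal `/secret.html` rule and is caught by `/**`, so it is served anonymously; with normalization it becomes `/secret.html` and hits the `authc` rule. The fix is to normalize before matching, and it must normalize exactly the way the servlet container does (`posixpath.normpath` is only a model of that step: it also collapses repeated slashes and drops a trailing slash, which a container may treat differently). Independently of the fix, `has_dot_segment` is a cheap detection signal for request logs.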
References
https://su18.org/post/shiro-1/
End
Follow my CSDN blog: @Ho1aAs
Copyright: Ho1aAs
Link to this article: https://ho1aas.blog.csdn.net/article/details/125404334
Copyright notice: this article is original; when reposting, cite the source and include this notice.