Vulnerability details
During path access control, Shiro failed to decode the incoming URL encoding, which allows an attacker to bypass the filter and access the filtered path.
Version affected by the vulnerability
Shiro 1.0.0-incubating
The corresponding artifacts are also available in the Maven repository.
Environment build
This differs somewhat from Shiro550 and Shiro721. First look at the pom.xml configuration file, because the vulnerable Shiro version is 1.0.0:
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-core</artifactId>
    <version>1.0.0-incubating</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-web</artifactId>
    <version>1.0.0-incubating</version>
</dependency>
<dependency>
    <groupId>org.apache.shiro</groupId>
    <artifactId>shiro-spring</artifactId>
    <version>1.0.0-incubating</version>
</dependency>
Adjust ShiroConfig.java and add the following filter chain definitions (order matters: the first matching pattern wins):
filterMap.put("/user/add", "perms[user:add]");
filterMap.put("/user/update", "perms[user:update]");
filterMap.put("/secret.html", "authc,roles[admin]");
filterMap.put("/user/*", "authc");
filterMap.put("/**", "anon");
HTML file - static/secret.html
<!DOCTYPE html>
<html lang="en" xmlns:th="http://www.thymeleaf.org">
<head>
<meta charset="UTF-8">
<title>首页</title>
</head>
<body>
<div>
<h1>秘密界面</h1>
</div>
</body>
</html>
At this point, visiting secret.html directly returns a 302 redirect, but the PoC can get through.
- At this point, the environment is set up. Of course, the following error may be encountered while setting up the environment:
unable to correctly extract the initialization vector or ciphertext.
The solution to this problem is to clear the browser cache.
Vulnerability reproduction and analysis
Let's talk about the PoC first: an unnormalized path containing /./ causes unauthorized access.
Put a breakpoint on org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain() and start debugging.
getChain() first stores all configured URI patterns in an iterator variable named i$, then loops over them one by one, calling pathMatches() for matching. After the loop has run twice, let's look at the code handling /./secret.html and follow the pathMatches() method.
Follow pathMatcher.matches(), follow again, and we finally arrive at org.apache.shiro.util.AntPathMatcher#doMatch(), the method that does the actual work.
It first checks whether the URL of the current request and the target URL pattern both begin with /; if not, it returns false. Then StringUtils.tokenizeToStringArray() is called: the pattern /secret.html is converted into the array ["secret.html"], while the request /./secret.html is converted into [".", "secret.html"].
Going further down, it checks whether patDir contains the ** characters and breaks if it does. Continuing, it checks whether each directory segment of the pattern is the same as the corresponding segment of the current request. Because our request was split into [".", "secret.html"], and . is not the same as secret.html, it returns false.
Because the request cannot match any of the URL patterns we configured before, it falls into the /** matching range. The access rule we set for /** is anon, i.e. access without authentication, which results in unauthorized access.
Based on this logic, the /;/secret.html bypass is also reasonable, and some other special characters may also work, provided they do not break the request. Characters such as .. and #, for example, will cause problems. The error message for an invalid character is as follows:
Invalid character found in the request target [/\/secret.html ]. The valid characters are defined in RFC 7230 and RFC 3986
Vulnerability analysis ends here
Bug fixes
Shiro added a path normalization function in the fix commit; sequences such as /, //, /./ and /../ are now processed before matching.
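To make the matching logic above and the effect of the fix concrete, here is an added Python model (not Shiro's own code) of a simplified AntPathMatcher#doMatch plus the kind of path normalization the fix introduced, run over the filter chain from ShiroConfig above. The function names ant_match, normalize and resolve_chain are chosen here, and ant_match only supports a trailing ** and a single-segment *.

```python
import re
# Ordered filter chain definitions from ShiroConfig above (first match wins).
FILTER_CHAINS = [
    ("/user/add", "perms[user:add]"),
    ("/user/update", "perms[user:update]"),
    ("/secret.html", "authc,roles[admin]"),
    ("/user/*", "authc"),
    ("/**", "anon"),
]

def ant_match(pattern, path):
    """Simplified model of AntPathMatcher#doMatch: both sides are tokenized on '/'
    (empty tokens dropped, like StringUtils.tokenizeToStringArray) and compared
    segment by segment; a trailing '**' matches the rest, '*' matches in a segment."""
    if pattern.startswith("/") != path.startswith("/"):
        return False
    pat = [t for t in pattern.split("/") if t]
    req = [t for t in path.split("/") if t]
    for i, seg in enumerate(pat):
        if seg == "**":
            return True
        # /./secret.html fails here: pattern segment "secret.html" vs request segment "."
        if i >= len(req) or not re.fullmatch(re.escape(seg).replace(r"\*", "[^/]*"), req[i]):
            return False
    return len(pat) == len(req)

def normalize(path):
    """Normalization of the kind the fix added: collapse '//', drop '/./' and resolve
    '/../' before matching. Returns None if the path climbs above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None
            out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def resolve_chain(path, normalize_first=False):
    """Filter spec selected for a request path; 'reject' for a path escaping the root."""
    path = normalize(path) if normalize_first else path
    if path is None:
        return "reject"
    for pattern, spec in FILTER_CHAINS:
        if ant_match(pattern, path):
            return spec
    return None
```

Without normalization /./secret.html falls through to the /** anon chain exactly as in the debugging session above; with normalize_first=True it resolves to /secret.html and gets the authc,roles[admin] chain.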