Shiro authentication bypass vulnerability CVE-2020-1957: vulnerability reproduction
1. Vulnerability description
Apache Shiro is an open source security framework that provides authentication, authorization, cryptography, and session management. The Shiro framework is intuitive and easy to use, while also providing robust security.
CVE-2020-1957: when Apache Shiro is used in Spring Boot for authentication and permission control, a carefully constructed malicious URL can exploit the difference in URL processing between Apache Shiro and Spring Boot. Shiro's permission control on Servlets in Spring Boot can then be bypassed, giving unauthorized access to protected pages.
Affected versions:
Apache Shiro < 1.5.1
2. Vulnerability environment construction
Ubuntu virtual machine, ip: 192.168.241.129
vulhub: enter /vulhub-master/shiro/CVE-2020-1957
Use the commands:
cd vulhub/shiro/CVE-2020-1957
docker-compose up -d
Visit: ip:8080
192.168.241.129:8080
3. Vulnerability reproduction
Use BurpSuite to capture the request and access the /admin/ directory.
The response is a 302 redirect. Construct the malicious request
/xxx/..;/admin/
This bypasses the permission check and reaches the management page.
URL request process:
- Client request URL: /xxx/..;/admin/
- Shiro's internal processing truncates the URI at the ";", so the URL it verifies is /xxx/.., and the verification passes
- Spring Boot processes /xxx/..;/admin/ itself, the final request is /admin/, and the backend page is accessed successfully
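The following is an added example, not code from the original post or from the Shiro project. It is a simplified model (an assumption, not Shiro's or Spring's actual implementation) of the two path interpretations described above: pre-1.5.1 Shiro truncating the URI at the first ";" versus the servlet container stripping ";param" per segment. It flags access-log requests where the two views disagree about whether a protected prefix is hit; the constructed log lines and the `/admin/` prefix are sample values.

```python
import re

# Simplified model (assumption): how pre-1.5.1 Shiro and the servlet container
# each interpret the same request path. Not the real implementations.

PROTECTED_PREFIXES = ("/admin/",)  # constructed sample of a Shiro-protected path


def _normalize(path: str) -> str:
    """Collapse '.' and '..' segments the way a servlet container would."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and result != "/":
        result += "/"
    return result


def shiro_view(uri: str) -> str:
    """Pre-1.5.1 Shiro (modelled): cut the whole URI at the first ';', then normalize."""
    semi = uri.find(";")
    if semi != -1:
        uri = uri[:semi]
    return _normalize(uri)


def servlet_view(uri: str) -> str:
    """Servlet container / Spring Boot (modelled): drop ';param' per segment, then normalize."""
    return _normalize(re.sub(r";[^/]*", "", uri))


def is_path_confusion(uri: str) -> bool:
    """True when the servlet resolves a protected path but Shiro's view does not."""
    servlet_protected = servlet_view(uri).startswith(PROTECTED_PREFIXES)
    shiro_protected = shiro_view(uri).startswith(PROTECTED_PREFIXES)
    return servlet_protected and not shiro_protected


# Constructed access-log sample (not real traffic).
CONSTRUCTED_LOG = """\
192.0.2.10 - - [01/Jan/2020:00:00:00 +0000] "GET /admin/ HTTP/1.1" 302 0
192.0.2.11 - - [01/Jan/2020:00:00:01 +0000] "GET /xxx/..;/admin/ HTTP/1.1" 200 512
192.0.2.12 - - [01/Jan/2020:00:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024
"""
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_suspicious(log_text: str) -> list:
    """Return request paths from the log on which the two views disagree."""
    return [m.group(1) for line in log_text.splitlines()
            if (m := LOG_RE.search(line)) and is_path_confusion(m.group(1))]
```

Upgrading to Shiro 1.5.1 or later removes the discrepancy; the detector is useful for reviewing logs from the window before the upgrade.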