Vulnerability Principles
The core issue is that Shiro and Spring do not parse the same URI the same way. A defect in how Shiro matches the URI against its filter rules lets Shiro be bypassed easily, and Spring has its own special handling of the ; semicolon; once researchers noticed the mismatch, the whole authentication chain could be bypassed.
Mainstream payload: /xxx/..;/admin/
The actual backend route is not necessarily admin; it depends on the target application, but the analysis below assumes admin as the backend route throughout.
Source code analysis and reproduction
Environment note: the backend is routed at /admin.
Below I use vulhub to bring up the corresponding lab environment.
Then visit the URI /xxx/..;/admin
The xxx part can be anything; the key to the authentication bypass is the ..;
It lands you in the admin backend, so the reproduction succeeds.
In this vulnerability the authentication process passes through two frameworks, Shiro and Spring. The URI first enters Shiro, which makes its decision, and is then handed to Spring, where a second problem occurs. The process is explained below.
1. There is typically a filter like this that matches the URI and branches on whether authentication is required or not.
This is where the configuration matters: whether a bypass is possible also depends on how the matching rule is written. For this analysis, assume it is configured as /admin/** with the authc filter under that rule, meaning authentication is required. That looks normal, and the admin route does indeed require authentication.
2. Next, analyze how the request /xxx/..;/admin is handled in the backend:
First it goes through Shiro. Looking directly at the most important part, Shiro's handling of the semicolon:
What this does: it looks directly for 59, the ASCII code of ;, and if a semicolon is found it returns the part before the semicolon; otherwise it returns the entire URI.
So the URI obtained here is /xxx/..
3. The functions that follow normalize the path, for example collapsing // into /.
Without further ado, look at the final requestURI value handed to the interceptor for its decision: /xxx/..
pathMatches then checks whether that value matches the interceptor's /admin/** rule. Obviously it does not, and at this point Shiro's authentication has effectively been bypassed.
With Shiro done, it is Spring's turn to resolve the URI. The question is how Spring obtains the URI and why the check is skipped; the main thing to analyze is how it handles the ; character.
The method to follow is removeSemicolonContentInternal(requestUri): within each path segment between / and /, it removes the semicolon and the content after it.
From that description, the final URI should be /xxx/../admin/, which is equivalent to /admin/: the ../ goes back up one directory level and lands on admin. The authentication bypass is complete.
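To make the mismatch concrete, here is an added example (not code from the original post, Shiro or Spring): a Python model of the two path derivations the post describes, a Shiro-style cut at the first semicolon followed by normalization, and a Spring-style per-segment removal of semicolon content followed by normalization, plus a defender-side check that reports when the path Shiro enforces on differs from the path Spring dispatches to. The normalize and Ant-style matching routines are simplified re-implementations written for this illustration; the filter chain, function names and sample URIs are assumptions.

```python
"""Model of the Shiro/Spring URI parsing mismatch described above (added example)."""
import re

# Assumed filter chain, as in the post: everything under /admin needs authentication.
SHIRO_FILTER_CHAIN = {"/admin/**": "authc"}


def normalize(path: str) -> str:
    """Simplified Shiro-style normalize: collapse '//' and '/./', and resolve
    '/../' only when a slash follows it (so a trailing '/..' is left alone,
    which is exactly why the interceptor sees '/xxx/..')."""
    if not path.startswith("/"):
        path = "/" + path
    while "//" in path:
        path = path.replace("//", "/")
    while "/./" in path:
        path = path.replace("/./", "/")
    while True:
        i = path.find("/../")
        if i < 0:
            return path
        if i == 0:
            raise ValueError("path escapes the root")  # Shiro rejects this case
        j = path.rfind("/", 0, i)            # start of the segment to drop
        path = path[:j] + path[i + 3:]       # '/xxx/../admin/' -> '/admin/'


def shiro_path(uri: str) -> str:
    """Shiro (< 1.5.3): cut at the first ';' (ASCII 59), then normalize."""
    idx = uri.find(";")
    if idx != -1:
        uri = uri[:idx]
    return normalize(uri)


def spring_path(uri: str) -> str:
    """Spring UrlPathHelper: drop ';...' inside each segment, then normalize."""
    uri = re.sub(r";[^/]*", "", uri)         # '/xxx/..;/admin/' -> '/xxx/../admin/'
    return normalize(uri)


def ant_match(pattern: str, path: str) -> bool:
    """Minimal Ant-style matcher, enough for '/prefix/**' rules."""
    if pattern.endswith("/**"):
        base = pattern[:-3]
        return path == base or path.startswith(base + "/")
    return pattern == path


def shiro_requires_auth(uri: str) -> bool:
    """Would Shiro's filter chain demand authentication for this request?"""
    view = shiro_path(uri)
    return any(ant_match(p, view) for p, f in SHIRO_FILTER_CHAIN.items() if f == "authc")


def analyze(uri: str) -> dict:
    """Defender-side view: compare what each framework thinks the path is and
    report a bypass when Spring serves a protected route Shiro did not guard."""
    shiro_view = shiro_path(uri)
    spring_view = spring_path(uri)
    protected = any(ant_match(p, spring_view)
                    for p, f in SHIRO_FILTER_CHAIN.items() if f == "authc")
    enforced = shiro_requires_auth(uri)
    return {
        "shiro_view": shiro_view,
        "spring_view": spring_view,
        "mismatch": shiro_view != spring_view,
        "bypass": protected and not enforced,
    }


if __name__ == "__main__":
    # Constructed sample requests, including a legitimate jsessionid matrix parameter.
    for sample in ("/admin/", "/xxx/..;/admin/", "/admin;jsessionid=ABC/users"):
        print(sample, analyze(sample))
```

A practical use of analyze() is to run it over the request paths in an access log: any entry with bypass set to True is a request that reached a protected route without passing Shiro's authc filter, and the mismatch flag alone is a cheap signal worth alerting on even when the rule set is more complex than the one assumed here.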
Affected versions
Shiro < 1.5.3
SpringBoot version < 2.3
Reference Article:
/articles/web/
/2020/05/09/cve-2020-1957/
/archives/