设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 Shiro权限绕过合集
返回列表 发新帖
查看: 4856|回复: 0

Shiro权限绕过合集

[复制链接]
gclome

991

主题

1063

帖子

4315

积分

论坛元老

Rank: 8Rank: 8

积分
4315
发表于 2021-2-24 22:13:06 | 显示全部楼层 |阅读模式
本帖最后由 gclome 于 2021-2-24 22:15 编辑

原文链接:Shiro权限绕过合集

CVE-2020-1957


影响版本

Apache Shiro <= 1.5.1

Shiro处理
  1. org.apache.shiro.web.filter.mgt.PathMatchingFilterChainResolver#getChain,
复制代码
其中getPathWithinApplication方法处理路径,pathMatches方法匹配路由
  1. public FilterChain getChain(ServletRequest request, ServletResponse response, FilterChain originalChain) {
  2. FilterChainManager filterChainManager = getFilterChainManager();
  3. if (!filterChainManager.hasChains()) {
  4. return null;
  5. }


  8. String requestURI = getPathWithinApplication(request);


  11. // in spring web, the requestURI "/resource/menus" ---- "resource/menus/" bose can access the resource
  12. // but the pathPattern match "/resource/menus" can not match "resource/menus/"
  13. // user can use requestURI + "/" to simply bypassed chain filter, to bypassed shiro protect
  14. if(requestURI != null && !DEFAULT_PATH_SEPARATOR.equals(requestURI)
  15. && requestURI.endsWith(DEFAULT_PATH_SEPARATOR)) {
  16. requestURI = requestURI.substring(0, requestURI.length() - 1);
  17. }




  22. //the 'chain names' in this implementation are actually path patterns defined by the user.  We just use them
  23. //as the chain name for the FilterChainManager's requirements
  24. for (String pathPattern : filterChainManager.getChainNames()) {
  25. if (pathPattern != null && !DEFAULT_PATH_SEPARATOR.equals(pathPattern)
  26. && pathPattern.endsWith(DEFAULT_PATH_SEPARATOR)) {
  27. pathPattern = pathPattern.substring(0, pathPattern.length() - 1);
  28. }


  31. // If the path does match, then pass on to the subclass implementation for specific checks:
  32. if (pathMatches(pathPattern, requestURI)) {
  33. ......
  34. return null;
  35. }
复制代码
  1. org.apache.shiro.web.util.WebUtils#getPathWithinApplication
复制代码
  1. public static String getPathWithinApplication(HttpServletRequest request) {
  2. String contextPath = getContextPath(request);
  3. String requestUri = getRequestUri(request);
  4. if (StringUtils.startsWithIgnoreCase(requestUri, contextPath)) {
  5. // Normal case: URI contains context path.
  6. String path = requestUri.substring(contextPath.length());
  7. return (StringUtils.hasText(path) ? path : "/");
  8. } else {
  9. // Special case: rather unusual.
  10. return requestUri;
  11. }
  12. }


  15. public static String getContextPath(HttpServletRequest request) {
  16. String contextPath = (String) request.getAttribute(INCLUDE_CONTEXT_PATH_ATTRIBUTE);
  17. if (contextPath == null) {
  18. contextPath = request.getContextPath();
  19. }
  20. contextPath = normalize(decodeRequestString(request, contextPath));
  21. if ("/".equals(contextPath)) {
  22. // the normalize method will return a "/" and includes on Jetty, will also be a "/".
  23. contextPath = "";
  24. }
  25. return contextPath;
  26. }


  29. public static String getRequestUri(HttpServletRequest request) {
  30. String uri = (String) request.getAttribute(INCLUDE_REQUEST_URI_ATTRIBUTE);
  31. if (uri == null) {
  32. uri = request.getRequestURI();
  33. }
  34. return normalize(decodeAndCleanUriString(request, uri));
  35. }


  38. public static boolean startsWithIgnoreCase(String str, String prefix) {
  39. if (str == null || prefix == null) {
  40. return false;
  41. }
  42. if (str.startsWith(prefix)) {
  43. return true;
  44. }
  45. if (str.length() < prefix.length()) {
  46. return false;
  47. }
  48. String lcStr = str.substring(0, prefix.length()).toLowerCase();
  49. String lcPrefix = prefix.toLowerCase();
  50. return lcStr.equals(lcPrefix);
  51. }


  54. public static boolean hasText(String str) {
  55. if (!hasLength(str)) {
  56. return false;
  57. }
  58. int strLen = str.length();
  59. for (int i = 0; i < strLen; i++) {
  60. if (!Character.isWhitespace(str.charAt(i))) {
  61. return true;
  62. }
  63. }
  64. return false;
  65. }


  68. private static String normalize(String path, boolean replaceBackSlash) {


  71. if (path == null)
  72. return null;


  75. // Create a place for the normalized path
  76. String normalized = path;


  79. if (replaceBackSlash && normalized.indexOf('\\') >= 0)
  80. normalized = normalized.replace('\\', '/');


  83. if (normalized.equals("/."))
  84. return "/";


  87. // Add a leading "/" if necessary
  88. if (!normalized.startsWith("/"))
  89. normalized = "/" + normalized;


  92. // Resolve occurrences of "//" in the normalized path
  93. while (true) {
  94. int index = normalized.indexOf("//");
  95. if (index < 0)
  96. break;
  97. normalized = normalized.substring(0, index) +
  98. normalized.substring(index + 1);
  99. }


  102. // Resolve occurrences of "/./" in the normalized path
  103. while (true) {
  104. int index = normalized.indexOf("/./");
  105. if (index < 0)
  106. break;
  107. normalized = normalized.substring(0, index) +
  108. normalized.substring(index + 2);
  109. }


  112. // Resolve occurrences of "/../" in the normalized path
  113. while (true) {
  114. int index = normalized.indexOf("/../");
  115. if (index < 0)
  116. break;
  117. if (index == 0)
  118. return (null);  // Trying to go outside our context
  119. int index2 = normalized.lastIndexOf('/', index - 1);
  120. normalized = normalized.substring(0, index2) +
  121. normalized.substring(index + 3);
  122. }


  125. // Return the normalized path that we have completed
  126. return (normalized);


  129. }


  132. private static String decodeAndCleanUriString(HttpServletRequest request, String uri) {
  133. uri = decodeRequestString(request, uri);
  134. int semicolonIndex = uri.indexOf(';');
  135. return (semicolonIndex != -1 ? uri.substring(0, semicolonIndex) : uri);
  136. }
复制代码
   hasText方法判断path是否只有空格,是返回根路径.getContextPath方法处理context_path(返回站点的根路径,也就是项目的名字)其中/./、/../、//与/..getRequestUri与getContextPath方法基本相同,处理request_uri(返回整个请求路径).decodeAndCleanUriString对uri进行url解码并根据分号切割,取出分号之前的字符串.
        springboot处理分号,

  1. org.springframework.web.util.UrlPathHelper#removeSemicolonContentInternal
复制代码
  1. private String removeSemicolonContentInternal(String requestUri) {
  2. for(int semicolonIndex = requestUri.indexOf(59); semicolonIndex != -1; semicolonIndex = requestUri.indexOf(59, semicolonIndex)) {
  3. int slashIndex = requestUri.indexOf(47, semicolonIndex);
  4. String start = requestUri.substring(0, semicolonIndex);
  5. requestUri = slashIndex != -1 ? start + requestUri.substring(slashIndex) : start;
  6. }


  9. return requestUri;
  10. }
复制代码

漏洞点


        在shiro处理路径时,/..;/会变为/..,从而匹配到未需授权路由,再springboot处理时,会根据;截断并重新拼接之前字符串,/..会向上跳跃目录,进一步显示页面.

修复方式

        修改了获取uri的方式



CVE-2020-11989

影响范围

Apache Shiro < 1.5.3

Shiro处理

        根据之前的修复手段,可以看到uri的获取已经完善,但是对于路径中带分号的情况并未处理,进而导致此次绕过,当存在context-path时,通过访问/;/的情况直接访问到根目录,而springboot会将分号删除拼接,进一步导致绕过.还有一种利用方式在于shiro中*与**路由的区别,当为*时,只对路由下的第一个路径进行鉴权,当存在/admin/a%25%2f%2f/a时,由于shiro会进行url解码,而springboot不会,在springboot设置为/admin/{name}时,导致差异解析.

修复方式
        不单独对context-path以及url解码做处理.



CVE-2020-13933


影响版本

Apache Shiro < 1.6.0

Shiro处理

        在除去url解码context-path解析处理后,对分号还是没有进行处理,在shiro处理uri时,当路径以/为结尾时,会截取到最后一个/之前的字符串为uri,这时如果鉴权以*为末尾,就会产生绕过无法匹配到处理后类似/admin这样的路径,而在springboot中未进行处理,导致差异解析,这个问题在1.7.0后版本中才正式得到修复.同时再此问题上,可以配合分号,因一直未对其处理,直接截断同样适用此方式.




修复手段



        增加了InvalidRequestFilter类,全局判断是否存在;、\和其余不可见字符.





CVE-2020-17523

影响版本

Apache Shiro < 1.7.1

Shiro处理

        经过之前的修复,对于分号和路径都进行了处理,此次问题出现在pathMatches方法匹配路由中,
  1. org.apache.shiro.util.AntPathMatcher#doMatch
复制代码
  1. protected boolean doMatch(String pattern, String path, boolean fullMatch) {
  2. if (path.startsWith(this.pathSeparator) != pattern.startsWith(this.pathSeparator)) {
  3. return false;
  4. }


  7. String[] pattDirs = StringUtils.tokenizeToStringArray(pattern, this.pathSeparator);
  8. String[] pathDirs = StringUtils.tokenizeToStringArray(path, this.pathSeparator);


  11. int pattIdxStart = 0;
  12. int pattIdxEnd = pattDirs.length - 1;
  13. int pathIdxStart = 0;
  14. int pathIdxEnd = pathDirs.length - 1;


  17. // Match all elements up to the first **
  18. while (pattIdxStart <= pattIdxEnd && pathIdxStart <= pathIdxEnd) {
  19. String patDir = pattDirs[pattIdxStart];
  20. if ("**".equals(patDir)) {
  21. break;
  22. }
  23. if (!matchStrings(patDir, pathDirs[pathIdxStart])) {
  24. return false;
  25. }
  26. pattIdxStart++;
  27. pathIdxStart++;
  28. }


  31. if (pathIdxStart > pathIdxEnd) {
  32. // Path is exhausted, only match if rest of pattern is * or **'s
  33. if (pattIdxStart > pattIdxEnd) {
  34. return (pattern.endsWith(this.pathSeparator) ?
  35. path.endsWith(this.pathSeparator) : !path.endsWith(this.pathSeparator));
  36. }
  37. if (!fullMatch) {
  38. return true;
  39. }
  40. if (pattIdxStart == pattIdxEnd && pattDirs[pattIdxStart].equals("*") &&
  41. path.endsWith(this.pathSeparator)) {
  42. return true;
  43. }
  44. for (int i = pattIdxStart; i <= pattIdxEnd; i++) {
  45. if (!pattDirs[i].equals("**")) {
  46. return false;
  47. }
  48. }
  49. return true;
  50. } else if (pattIdxStart > pattIdxEnd) {
  51. // String not exhausted, but pattern is. Failure.
  52. return false;
  53. } else if (!fullMatch && "**".equals(pattDirs[pattIdxStart])) {
  54. // Path start definitely matches due to "**" part in pattern.
  55. return true;
  56. }


  59. // up to last '**'
  60. while (pattIdxStart <= pattIdxEnd && pathIdxStart <= pathIdxEnd) {
  61. String patDir = pattDirs[pattIdxEnd];
  62. if (patDir.equals("**")) {
  63. break;
  64. }
  65. if (!matchStrings(patDir, pathDirs[pathIdxEnd])) {
  66. return false;
  67. }
  68. pattIdxEnd--;
  69. pathIdxEnd--;
  70. }
  71. if (pathIdxStart > pathIdxEnd) {
  72. // String is exhausted
  73. for (int i = pattIdxStart; i <= pattIdxEnd; i++) {
  74. if (!pattDirs[i].equals("**")) {
  75. return false;
  76. }
  77. }
  78. return true;
  79. }


  82. while (pattIdxStart != pattIdxEnd && pathIdxStart <= pathIdxEnd) {
  83. int patIdxTmp = -1;
  84. for (int i = pattIdxStart + 1; i <= pattIdxEnd; i++) {
  85. if (pattDirs[i].equals("**")) {
  86. patIdxTmp = i;
  87. break;
  88. }
  89. }
  90. if (patIdxTmp == pattIdxStart + 1) {
  91. // '**/**' situation, so skip one
  92. pattIdxStart++;
  93. continue;
  94. }
  95. // Find the pattern between padIdxStart & padIdxTmp in str between
  96. // strIdxStart & strIdxEnd
  97. int patLength = (patIdxTmp - pattIdxStart - 1);
  98. int strLength = (pathIdxEnd - pathIdxStart + 1);
  99. int foundIdx = -1;


  102. strLoop:
  103. for (int i = 0; i <= strLength - patLength; i++) {
  104. for (int j = 0; j < patLength; j++) {
  105. String subPat = (String) pattDirs[pattIdxStart + j + 1];
  106. String subStr = (String) pathDirs[pathIdxStart + i + j];
  107. if (!matchStrings(subPat, subStr)) {
  108. continue strLoop;
  109. }
  110. }
  111. foundIdx = pathIdxStart + i;
  112. break;
  113. }


  116. if (foundIdx == -1) {
  117. return false;
  118. }


  121. pattIdxStart = patIdxTmp;
  122. pathIdxStart = foundIdx + patLength;
  123. }


  126. for (int i = pattIdxStart; i <= pattIdxEnd; i++) {
  127. if (!pattDirs[i].equals("**")) {
  128. return false;
  129. }
  130. }


  133. return true;
  134. }
复制代码
  1. org.apache.shiro.util.StringUtils#tokenizeToStringArray
复制代码

  中适用了trim会清除空格,当请求路径中存在空格时,返回之前的情况,shiro鉴权适用*时,存在/admin/*无法匹配到/admin/,而在springboot中可以正确匹配,导致差异解析绕过.


修复方式


        直接设置清除空格为false,默认不清除.





回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2024-11-28 20:42 , Processed in 0.014451 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表