CVE-2022-40664 Shiro Bypass研究历程 | © 哨兵

GITLAB

I. GITLAB CVE-2020-10977 任意文件读取漏洞

II. GITLAB CVE-2020-10977 任意文件读取漏洞导致的RCE

III. GITLAB CVE-2021-22205 SNIPPET RCE

COBALT STRIKE

I. COBALT STRIKE服务器搭建历程

II. COBALT STRIKE服务器隐藏真实IP

III. CS上线木马免杀入门

APACHE LOG4J2

I. APACHE LOG4J2 RCE复现历程

II. APACHE LOG4J2 RCE JDK限制实验

OCR IN BP

I. BURPSUITE验证码插件实验

GET-STARTED

I. GET-STARTED

CTF

I. CTF - 代码审计向

II. CTF - 杂项

III. CTF - 密码学与杂项

IV. 2022年网鼎杯玄武组-解题记录

V. 2022年网鼎杯玄武组赛题复盘-[WEB-FINDIT]

VI. 2022年网鼎杯玄武组赛题复盘-[WEB-EZJAVA]

二进制研究/BIN

I. HIKVISION-CONFIGURATIONFILES-DECRYPTER

II. ROUTER-BINFILE-ANALYSIS

POLKIT

I. POLKIT-CVE-2021-3560

II. POLKIT-CVE-2021-4034复现

代理池：BASED ON SCYLLA

I. SCYLLA 搭建步骤

WAF

I. MOD-WAF-BYPASS-WALKTHROUGH

II. MODSEC & CLOUDFLARE WAF INITIAL RESEARCH

代码审计

I. DYNAMIC-ANALYSIS-OF-JAVA-FRAMEWORK-CODE

II. 安全与开发之：MAVEN构建排错

III. 浪潮CLUSTERENGINEV4.0代码审计历程

IV. CVE-2022-40664 SHIRO BYPASS研究历程

SPRING

I. SPRINGBOOT-MEMORY-FILES-HEAPDUMP-ANALYSIS

II. CVE-2022-22947 SPRING-CLOUD-GATEWAY-RCE

其他研究

I. SQL注入原理分析

II. STRUTS2DESER

III. 基于内存的SHIRO框架WEBSHELL攻击研究

IV. 通达OA利用代码分析

V. JRMP-GADGET

反序列化

I. SHIRODESER

II. JAVADESER

sentrylab.cn /

研究
/

代码审计


Bin4xin
post
on Oct 26, 2022

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.¹

YouTube BiliBili

不良视频反馈 | Inappropriate video feedback.

walkthrough²

GET /admin/auth_pass HTTP/1.1

GET /admin/auth HTTP/1.1

GET /admin/auth HTTP/1.1
Token: 4ra1n

exchange redirect from forward ?³

    @RequestMapping("/admin/{value}")
    public String CVE_2022_40664_bypass(@PathVariable String value, HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
        System.out.println("=========== /admin" +((HttpServletRequest)request).getRequestURI()+ "/ ===========");
        //        request.getRequestDispatcher("/admin/auth").forward(request, response);
        //        return "forward:"+((HttpServletRequest)request).getRequestURI();
        response.sendRedirect("/admin/auth");
        return ("Redirect:/admin/auth");
    }

forward⁴

request.getRequestDispatcher("/admin/auth").forward(request, response);

shiro 1.10.0

Define Bean⁵

SecurityManager⁶

@Bean
public MyShiroFilterFactoryBean filterRegBean(SecurityManager securityManager) throws Exception{
        // CVE-2022-40664
        // fixed conf
        ShiroFilterConfiguration conf=new ShiroFilterConfiguration();
        conf.setFilterOncePerRequest(false);

        ShiroFilterFactoryBean shiroFilterFactoryBean=new ShiroFilterFactoryBean();
        shiroFilterFactoryBean.setSecurityManager(securityManager);
        shiroFilterFactoryBean.setShiroFilterConfiguration(conf);
        AbstractShiroFilter filter=shiroFilterFactoryBean.getObject();

        MyShiroFilterFactoryBean reg=new MyShiroFilterFactoryBean();
        reg.setFilter(filter);
        reg.addUrlPattern("/*");
        reg.setName("shiroFilter");
        reg.setSecurityManager(securityManager);
        reg.setDispatcherTypes(EnumSet.allOf(DispatcherType.class));
        //fixed conf end.
        return reg;
        }

Do not work.

Print document Edit on github

walkthrough2

exchange redirect from forward ?3

shiro 1.10.0

reference

walkthrough²

exchange redirect from forward ?³