添加CVE-2022-32532

2023-04-13 15:16:05 +08:00 · 2023-04-13 15:16:05 +08:00 · ac65cc59c0
parent 4e81f5a91f
commit ac65cc59c0
8 changed files with 0 additions and 202 deletions
--- a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@ -1,33 +0,0 @@
-HELP.md
-target/
-!.mvn/wrapper/maven-wrapper.jar
-!**/src/main/**/target/
-!**/src/test/**/target/
-
-### STS ###
-.apt_generated
-.classpath
-.factorypath
-.project
-.settings
-.springBeans
-.sts4-cache
-
-### IntelliJ IDEA ###
-.idea
-*.iws
-*.iml
-*.ipr
-
-### NetBeans ###
-/nbproject/private/
-/nbbuild/
-/dist/
-/nbdist/
-/.nb-gradle/
-build/
-!**/src/main/**/build/
-!**/src/test/**/build/
-
-### VS Code ###
-.vscode/
--- a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@ -1,38 +0,0 @@
-<?xml version="1.0" encoding="UTF-8"?>
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
-    <modelVersion>4.0.0</modelVersion>
-    <parent>
-        <groupId>org.springframework.boot</groupId>
-        <artifactId>spring-boot-starter-parent</artifactId>
-        <version>2.7.0</version>
-        <relativePath/>
-    </parent>
-    <groupId>com.example</groupId>
-    <artifactId>shiro-demo</artifactId>
-    <version>0.0.1-SNAPSHOT</version>
-    <name>shiro-demo</name>
-    <description>CVE-2022-32532</description>
-    <properties>
-        <java.version>1.8</java.version>
-    </properties>
-    <dependencies>
-        <dependency>
-            <groupId>org.springframework.boot</groupId>
-            <artifactId>spring-boot-starter-web</artifactId>
-        </dependency>
-        <dependency>
-            <groupId>org.apache.shiro</groupId>
-            <artifactId>shiro-spring</artifactId>
-            <version>1.9.0</version>
-        </dependency>
-    </dependencies>
-    <build>
-        <plugins>
-            <plugin>
-                <groupId>org.springframework.boot</groupId>
-                <artifactId>spring-boot-maven-plugin</artifactId>
-            </plugin>
-        </plugins>
-    </build>
-</project>
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@ -1,21 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-public class DemoController {
-    @RequestMapping(path = "/permit/{value}")
-    public String permit(@PathVariable String value) {
-        System.out.println("success!");
-        return "success";
-    }
-
-    // Another Bypass
-    // @RequestMapping(path = "/permit/*")
-    public String permit() {
-        System.out.println("success!");
-        return "success";
-    }
-}
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
@ -1,35 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.AccessControlFilter;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-public class MyFilter extends AccessControlFilter {
-
-    public MyFilter(){
-        super();
-        this.pathMatcher = new RegExPatternMatcher();
-    }
-
-    @Override
-    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
-        String token = ((HttpServletRequest)request).getHeader("Token");
-        // todo: check permission ...
-        return token != null && token.equals("4ra1n");
-    }
-
-    @Override
-    protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
-        System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
-        try {
-            response.getWriter().println("access denied");
-        } catch (IOException e) {
-            e.printStackTrace();
-        }
-        return false;
-    }
-}
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
@ -1,40 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.mgt.*;
-import org.apache.shiro.web.mgt.WebSecurityManager;
-import org.apache.shiro.web.servlet.AbstractShiroFilter;
-
-
-public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
-
-    public MyShiroFilterFactoryBean() {
-        super();
-    }
-
-    @Override
-    protected AbstractShiroFilter createInstance() {
-        SecurityManager securityManager = this.getSecurityManager();
-        FilterChainManager manager = new DefaultFilterChainManager();
-        manager.addFilter("myFilter",new MyFilter());
-        // my filter
-        manager.addToChain("/permit/.*", "myFilter");
-        // todo: add other filters
-
-        PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
-        chainResolver.setFilterChainManager(manager);
-        // set RegExPatternMatcher
-        chainResolver.setPathMatcher(new RegExPatternMatcher());
-        return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
-    }
-
-    static class SpringShiroFilter extends AbstractShiroFilter {
-        protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
-            this.setSecurityManager(webSecurityManager);
-            this.setFilterChainResolver(resolver);
-        }
-    }
-}
-
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
@ -1,22 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class ShiroConfig {
-
-    @Bean
-    public SecurityManager securityManager() {
-        return new DefaultWebSecurityManager();
-    }
-
-    @Bean
-    public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
-        MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
-        shiroFilterFactoryBean.setSecurityManager(securityManager);
-        return shiroFilterFactoryBean;
-    }
-}
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@ -1,13 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-
-@SpringBootApplication
-public class ShiroDemoApplication {
-
-    public static void main(String[] args) {
-        SpringApplication.run(ShiroDemoApplication.class, args);
-    }
-
-}
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties