Apache Shiro Servlet未授权访问漏洞(CVE-2020-1957)深度分析与教学文档<\/h1>

漏洞概述<\/h2>
CVE-2020-1957是Apache Shiro与Spring Boot集成时存在的一个权限绕过漏洞。攻击者可以构造特殊的URL，利用Shiro和Spring Boot对URL解析的差异，绕过Shiro的权限控制，实现未授权访问受保护的Servlet。<\/p>

环境要求<\/h2>

Java环境：Java(TM) SE Runtime Environment (build 1.8.0_112-b16)<\/li>
Apache Shiro版本：1.5.1<\/li>

Spring Boot版本：1.5.22.RELEASE<\/li> <\/ul>

漏洞复现环境搭建<\/h2>

项目依赖配置(pom.xml)<\/h3>

<?xml version="1.0" encoding="UTF-8"?><\/span>
<\/span><\/span><project<\/span> xmlns=<\/span>"http:\/\/maven.apache.org\/POM\/4.0.0"<\/span> 
<\/span><\/span>         xmlns:xsi=<\/span>"http:\/\/www.w3.org\/2001\/XMLSchema-instance"<\/span>
<\/span><\/span>         xsi:schemaLocation=<\/span>"http:\/\/maven.apache.org\/POM\/4.0.0 http:\/\/maven.apache.org\/xsd\/maven-4.0.0.xsd"<\/span>><\/span>
<\/span><\/span>    <parent><\/span>
<\/span><\/span>        <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>        <artifactId><\/span>spring-boot-starter-parent<\/artifactId><\/span>
<\/span><\/span>        <version><\/span>1.5.22.RELEASE<\/version><\/span>
<\/span><\/span>        <relativePath\/><\/span>
<\/span><\/span>    <\/parent><\/span>
<\/span><\/span>    <modelVersion><\/span>4.0.0<\/modelVersion><\/span>
<\/span><\/span>    <artifactId><\/span>cve-2020-1957<\/artifactId><\/span>
<\/span><\/span>    <build><\/span>
<\/span><\/span>        <plugins><\/span>
<\/span><\/span>            <plugin><\/span>
<\/span><\/span>                <groupId><\/span>org.apache.maven.plugins<\/groupId><\/span>
<\/span><\/span>                <artifactId><\/span>maven-compiler-plugin<\/artifactId><\/span>
<\/span><\/span>                <configuration><\/span>
<\/span><\/span>                    <source><\/span>7<\/source><\/span>
<\/span><\/span>                    <target><\/span>7<\/target><\/span>
<\/span><\/span>                <\/configuration><\/span>
<\/span><\/span>            <\/plugin><\/span>
<\/span><\/span>        <\/plugins><\/span>
<\/span><\/span>    <\/build><\/span>
<\/span><\/span>    <dependencies><\/span>
<\/span><\/span>        <dependency><\/span>
<\/span><\/span>            <groupId><\/span>org.springframework.boot<\/groupId><\/span>
<\/span><\/span>            <artifactId><\/span>spring-boot-starter-web<\/artifactId><\/span>
<\/span><\/span>        <\/dependency><\/span>
<\/span><\/span>        <dependency><\/span>
<\/span><\/span>            <groupId><\/span>org.apache.shiro<\/groupId><\/span>
<\/span><\/span>            <artifactId><\/span>shiro-web<\/artifactId><\/span>
<\/span><\/span>            <version><\/span>1.5.1<\/version><\/span>
<\/span><\/span>        <\/dependency><\/span>
<\/span><\/span>        <dependency><\/span>
<\/span><\/span>            <groupId><\/span>org.apache.shiro<\/groupId><\/span>
<\/span><\/span>            <artifactId><\/span>shiro-spring<\/artifactId><\/span>
<\/span><\/span>            <version><\/span>1.5.1<\/version><\/span>
<\/span><\/span>        <\/dependency><\/span>
<\/span><\/span>    <\/dependencies><\/span>
<\/span><\/span><\/project><\/span>
<\/span><\/span><\/code><\/pre>核心代码实现<\/h3>
1. Realm实现类<\/h4>
public<\/span> class<\/span> Realm<\/span> extends<\/span> AuthorizingRealm {<\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> AuthorizationInfo doGetAuthorizationInfo<\/span>(<\/span>PrincipalCollection principals)<\/span> {<\/span>
<\/span><\/span>        return<\/span> null<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Override<\/span>
<\/span><\/span>    protected<\/span> AuthenticationInfo doGetAuthenticationInfo<\/span>(<\/span>AuthenticationToken token)<\/span> 
<\/span><\/span>        throws<\/span> AuthenticationException {<\/span>
<\/span><\/span>        String username =<\/span> (<\/span>String)<\/span> token.<\/span>getPrincipal<\/span>();<\/span>
<\/span><\/span>        if<\/span> (!<\/span>"rai4over"<\/span>.<\/span>equals<\/span>(<\/span>username))<\/span> {<\/span>
<\/span><\/span>            throw<\/span> new<\/span> UnknownAccountException(<\/span>"账户不存在!"<\/span>);<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>        return<\/span> new<\/span> SimpleAuthenticationInfo(<\/span>username,<\/span> "123456"<\/span>,<\/span> getName());<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Shiro配置类<\/h4>
@Configuration<\/span>
<\/span><\/span>public<\/span> class<\/span> ShiroConfig<\/span> {<\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    MyRealm myRealm<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> new<\/span> MyRealm();<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    SecurityManager securityManager<\/span>()<\/span> {<\/span>
<\/span><\/span>        DefaultWebSecurityManager manager =<\/span> new<\/span> DefaultWebSecurityManager();<\/span>
<\/span><\/span>        manager.<\/span>setRealm<\/span>(<\/span>myRealm());<\/span>
<\/span><\/span>        return<\/span> manager;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @Bean<\/span>
<\/span><\/span>    ShiroFilterFactoryBean shiroFilterFactoryBean<\/span>()<\/span> {<\/span>
<\/span><\/span>        ShiroFilterFactoryBean bean =<\/span> new<\/span> ShiroFilterFactoryBean();<\/span>
<\/span><\/span>        bean.<\/span>setSecurityManager<\/span>(<\/span>securityManager());<\/span>
<\/span><\/span>        bean.<\/span>setLoginUrl<\/span>(<\/span>"\/login"<\/span>);<\/span>
<\/span><\/span>        bean.<\/span>setSuccessUrl<\/span>(<\/span>"\/index"<\/span>);<\/span>
<\/span><\/span>        bean.<\/span>setUnauthorizedUrl<\/span>(<\/span>"\/unauthorizedurl"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        Map<<\/span>String,<\/span> String><\/span> map =<\/span> new<\/span> LinkedHashMap<>();<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/login"<\/span>,<\/span> "anon"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/xxxxx\/**"<\/span>,<\/span> "anon"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/aaaaa\/**"<\/span>,<\/span> "anon"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/admin"<\/span>,<\/span> "authc"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/admin.*"<\/span>,<\/span> "authc"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/admin\/**"<\/span>,<\/span> "authc"<\/span>);<\/span>
<\/span><\/span>        map.<\/span>put<\/span>(<\/span>"\/**"<\/span>,<\/span> "authc"<\/span>);<\/span>
<\/span><\/span>        
<\/span><\/span>        bean.<\/span>setFilterChainDefinitionMap<\/span>(<\/span>map);<\/span>
<\/span><\/span>        return<\/span> bean;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>3. 测试Controller<\/h4>
@RestController<\/span>
<\/span><\/span>public<\/span> class<\/span> TestController<\/span> {<\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value =<\/span> "\/login"<\/span>)<\/span>
<\/span><\/span>    public<\/span> String login<\/span>(<\/span>String username,<\/span> String password)<\/span> {<\/span>
<\/span><\/span>        Subject subject =<\/span> SecurityUtils.<\/span>getSubject<\/span>();<\/span>
<\/span><\/span>        try<\/span> {<\/span>
<\/span><\/span>            subject.<\/span>login<\/span>(<\/span>new<\/span> UsernamePasswordToken(<\/span>username,<\/span> password));<\/span>
<\/span><\/span>            return<\/span> "登录成功!"<\/span>;<\/span>
<\/span><\/span>        }<\/span> catch<\/span> (<\/span>AuthenticationException e)<\/span> {<\/span>
<\/span><\/span>            e.<\/span>printStackTrace<\/span>();<\/span>
<\/span><\/span>            return<\/span> "登录失败!"<\/span>;<\/span>
<\/span><\/span>        }<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value =<\/span> "\/admin"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    public<\/span> String admin<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> "admin secret bypass and unauthorized access"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>
<\/span><\/span>    @RequestMapping<\/span>(<\/span>value =<\/span> "\/xxxxx"<\/span>,<\/span> method =<\/span> RequestMethod.<\/span>GET<\/span>)<\/span>
<\/span><\/span>    public<\/span> String xxxxx<\/span>()<\/span> {<\/span>
<\/span><\/span>        return<\/span> "xxxxx"<\/span>;<\/span>
<\/span><\/span>    }<\/span>
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>漏洞复现步骤<\/h2>

正常访问\/xxxxx<\/code>路径 - 无需认证即可访问<\/li>
直接访问\/admin<\/code>路径 - 会被重定向到登录页面<\/li>
构造恶意URL访问\/xxxxx\/..;\/admin<\/code> - 成功绕过认证访问admin内容<\/li>
<\/ol>
漏洞原理深度分析<\/h2>
Shiro处理流程<\/h3>


请求拦截<\/strong>：恶意请求\/xxxxx\/..;\/admin<\/code>首先经过Shiro的PathMatchingFilterChainResolver#getChain<\/code>方法处理<\/p>
<\/li>

路径解析<\/strong>：<\/p>

getPathWithinApplication<\/code>方法负责解析请求路径<\/li>
WebUtils#getRequestUri<\/code>获取原始URI \/xxxxx\/..;\/admin<\/code><\/li>
decodeAndCleanUriString<\/code>方法将;<\/code>后面的内容截断，变为\/xxxxx\/..<\/code><\/li>
normalize<\/code>方法对路径进行规范化处理，结果仍为\/xxxxx\/..<\/code><\/li>
<\/ul>
<\/li>

权限校验<\/strong>：<\/p>

规范化后的路径\/xxxxx\/..<\/code>与过滤器规则\/xxxxx\/**<\/code>匹配成功<\/li>
由于\/xxxxx\/**<\/code>配置为anon<\/code>(允许匿名访问)，请求通过Shiro校验<\/li>
<\/ul>
<\/li>
<\/ol>
Spring Boot处理流程<\/h3>


请求路由<\/strong>：通过Shiro校验的请求进入Spring Boot的UrlPathHelper#getPathWithinServletMapping<\/code><\/p>
<\/li>

Servlet路径解析<\/strong>：<\/p>

getServletPath<\/code>方法从请求上下文中获取Servlet路径<\/li>
Spring Boot的解析器将\/xxxxx\/..;\/admin<\/code>解析为\/admin<\/code><\/li>
最终路由到\/admin<\/code>对应的Controller方法<\/li>
<\/ul>
<\/li>
<\/ol>
关键差异点<\/h3>


Shiro的路径解析<\/strong>：<\/p>

将;<\/code>作为分隔符，截断后面的内容<\/li>
对..<\/code>的处理不够彻底，保留了路径遍历的痕迹<\/li>
最终匹配的是\/xxxxx\/..<\/code>与\/xxxxx\/**<\/code><\/li>
<\/ul>
<\/li>

Spring Boot的路径解析<\/strong>：<\/p>

能够正确处理;<\/code>和路径遍历符..<\/code><\/li>
最终解析出真实的请求路径\/admin<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
漏洞修复方案<\/h2>
Apache Shiro在后续版本中修复了此漏洞，主要修改了requestURI<\/code>的获取方式：<\/p>

修复commit: https:\/\/github.com\/apache\/shiro\/commit\/3708d7907016bf2fa12691dff6ff0def1249b8ce<\/li>
关键修改：改进了路径解析逻辑，确保更准确地获取请求URI<\/li>
<\/ol>
防御建议<\/h2>

升级Apache Shiro到最新版本<\/li>
在Shiro配置中，对敏感路径使用更严格的匹配规则<\/li>
避免使用过于宽松的通配符(如\/**<\/code>)<\/li>
实施多层防御机制，不单纯依赖Shiro的URL过滤<\/li>
<\/ol>
总结<\/h2>
CVE-2020-1957漏洞揭示了在安全框架集成时可能存在的解析差异问题。通过深入分析Shiro和Spring Boot对URL处理的不同方式，我们可以更好地理解这类权限绕过漏洞的本质。开发人员在集成多个安全组件时，应当特别注意各组件对请求处理的细微差异，避免形成安全盲点。<\/p>

Apache Shiro Servlet未授权访问漏洞(CVE-2020-1957)深度分析与教学文档<\/h1>

漏洞概述<\/h2> CVE-2020-1957是Apache Shiro与Spring Boot集成时存在的一个权限绕过漏洞。攻击者可以构造特殊的URL，利用Shiro和Spring Boot对URL解析的差异，绕过Shiro的权限控制，实现未授权访问受保护的Servlet。<\/p>

漏洞复现环境搭建<\/h2>

核心代码实现<\/h3>

漏洞原理深度分析<\/h2>

漏洞概述<\/h2>
CVE-2020-1957是Apache Shiro与Spring Boot集成时存在的一个权限绕过漏洞。攻击者可以构造特殊的URL，利用Shiro和Spring Boot对URL解析的差异，绕过Shiro的权限控制，实现未授权访问受保护的Servlet。<\/p>