first commit

shiro/CVE-2020-1957/README.md

@@ -0,0 +1,46 @@
+# Apache Shiro Authentication Bypass Vulnerability (CVE-2020-1957)
+
+[中文版本(Chinese version)](README.zh-cn.md)
+
+Apache Shiro is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management.
+
+In versions of Apache Shiro prior to 1.5.2 with the Spring dynamic controller, an attacker can construct a maliciously crafted request using `..;` to bypass the directory authentication.
+
+Reference links:
+
+- <https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139>
+- <https://xz.aliyun.com/t/8281>
+- <https://blog.spoock.com/2020/05/09/cve-2020-1957/>
+
+## Vulnerability environment
+
+Start an application with Spring 2.2.2 and Shiro 1.5.1 by executing the following command.
+
+```
+docker compose up -d
+```
+
+Once the environment is started, visit ``http://your-ip:8080`` to see the home page.
+
+The configuration of URL permissions in this application is as follows.
+
+``` java
+@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+    chainDefinition.addPathDefinition("/login.html", "authc"); // need to accept POSTs from the login form
+    chainDefinition.addPathDefinition("/logout", "logout");
+    chainDefinition.addPathDefinition("/admin/**", "authc");
+    return chainDefinition;
+}
+```
+
+## Exploit
+
+A direct request to the admin page `/admin/` is inaccessible and will be redirected to the login page.
+
+![](1.png)
+
+Construct a malicious request `/xxx/..;/admin/` to bypass authentication checks and access the admin page.
+
+![](2.png)

shiro/CVE-2020-1957/README.zh-cn.md

@@ -0,0 +1,44 @@
+# Apache Shiro 认证绕过漏洞（CVE-2020-1957）
+
+Apache Shiro是一款开源安全框架，提供身份验证、授权、密码学和会话管理。Shiro框架直观、易用，同时也能提供健壮的安全性。
+
+在Apache Shiro 1.5.2以前的版本中，在使用Spring动态控制器时，攻击者通过构造`..;`这样的跳转，可以绕过Shiro中对目录的权限限制。
+
+参考链接：
+
+- <https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce#diff-98f7bc5c0391389e56531f8b3754081aL139>
+- <https://xz.aliyun.com/t/8281>
+- <https://blog.spoock.com/2020/05/09/cve-2020-1957/>
+
+## 环境搭建
+
+执行如下命令启动一个搭载Spring 2.2.2与Shiro 1.5.1的应用：
+
+```
+docker compose up -d
+```
+
+环境启动后，访问`http://your-ip:8080`即可查看首页。
+
+这个应用中对URL权限的配置如下：
+
+```java
+@Bean
+public ShiroFilterChainDefinition shiroFilterChainDefinition() {
+    DefaultShiroFilterChainDefinition chainDefinition = new DefaultShiroFilterChainDefinition();
+    chainDefinition.addPathDefinition("/login.html", "authc"); // need to accept POSTs from the login form
+    chainDefinition.addPathDefinition("/logout", "logout");
+    chainDefinition.addPathDefinition("/admin/**", "authc");
+    return chainDefinition;
+}
+```
+
+## 漏洞复现
+
+直接请求管理页面`/admin/`，无法访问，将会被重定向到登录页面：
+
+![](1.png)
+
+构造恶意请求`/xxx/..;/admin/`，即可绕过权限校验，访问到管理页面：
+
+![](2.png)

shiro/CVE-2020-1957/docker-compose.yml

@@ -0,0 +1,5 @@
+services:
+ web:
+   image: vulhub/shiro:1.5.1
+   ports:
+    - "8080:8080"