List
CVE | Description |
---|---|
CVE-2022-40664 | Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher. |
CVE-2023-22602 | When using Apache Shiro before 1.11.0 together with Spring Boot 2.6+, a specially crafted HTTP request may cause an authentication bypass. The authentication bypass occurs when Shiro and Spring Boot are using different pattern-matching techniques. Both Shiro and Spring Boot < 2.6 default to Ant style pattern matching. Mitigation: Update to Apache Shiro 1.11.0, or set the following Spring Boot configuration value: spring.mvc.pathmatch.matching-strategy = ant_path_matcher |
CVE-2021-41303 | Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0. |
CVE-2020-11989 | Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
CVE-2020-17510 | Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. |
CVE-2020-13933 | Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass. |
CVE-2020-1957 | Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass. |
CVE-2020-17523 | Apache Shiro before 1.7.1, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass. |
CVE-2014-0074 | Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password. |
CVE-2022-40664
An attacker can bypass the backend's access control by accessing a designated request-forwarding endpoint, thereby bypassing the system's identity checks. For example, accessing an endpoint that forwards the request to the user login endpoint bypasses the system's validation of parameters such as token or Auth, so the attacker can log in to the system directly, resulting in unauthorized login and risks such as disclosure of system information. Exploitation requires an endpoint that uses forward to dispatch the request to another endpoint, where that other endpoint is a normal authentication endpoint.
CVE-2023-22602
CVE-2021-41303
CVE-2020-11989
/;/test/admin/page can cause a bypass. When the URL reaches Tomcat, Tomcat treats /;/test/admin/page as the /admin/page route of the test application; when it reaches Shiro, the path is truncated at the ; and treated as /; when it then reaches Spring, it is again handled correctly as the /admin/page route of the test application, which results in a Shiro authorization bypass.
CVE-2020-17510
When the URI Shiro obtains is /hello, it cannot be matched against /hello/*, so %2e is appended after /hello; after Shiro decodes it the path becomes /hello/., and after path normalization it becomes /hello, bypassing authentication.
All of the following payloads work:
/%2e
/%2e/
/%2e%2e
/%2e%2e/
CVE-2020-13933
/admin/%3bpage causes a bypass.
CVE-2020-1957
Because the * wildcard in Shiro's Ant-style pathPattern does not match across path separators, /hello/* fails to match /hello/1/, so the authc filter is not triggered to enforce access control. This bypasses the Shiro filter; the request then proceeds to the Spring handler, where /hello/1/ and /hello/1 resolve to the same resource.
CVE-2020-17523
Accessing /admin/%20 bypasses Shiro's authentication; the URL is then handled by Spring and dispatched to the admin page.
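The path-matching discrepancies described above (truncation at `;`, encoded dots, trailing slashes, encoded whitespace) share one root cause: the filter chain and the controller resolve the same raw path to different routes. As an added example that is not Shiro, Spring or any project's code, the Python below models the two views with simplified rules taken from the descriptions on this page (an assumption for illustration), and flags access-log requests where the two views disagree; the log lines are constructed. The fix remains the one the table states: upgrade Shiro or align Spring's matching strategy.

```python
from urllib.parse import unquote
import re

# Simplified model (an assumption for illustration, not Shiro or Spring code):
# the filter chain percent-decodes the path, cuts it at the first ';' and
# matches the remainder literally, as the page describes.
def shiro_view(raw_path: str) -> str:
    return unquote(raw_path).split(";", 1)[0]

# Controller-side view: decode, drop ';param' suffixes per segment, trim
# whitespace in each segment, resolve '.' and '..', drop a trailing slash.
def canonical_route(raw_path: str) -> str:
    out = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0].strip()
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def route_mismatch(raw_path: str) -> bool:
    """True when the filter chain and the controller disagree on the route."""
    return shiro_view(raw_path) != canonical_route(raw_path)

LOG_LINE = re.compile(r'"(?:GET|POST|PUT|DELETE) (\S+) HTTP/[\d.]+"')

def scan_access_log(lines):
    """(raw path, canonical route) for each request whose two views differ."""
    hits = []
    for line in lines:
        m = LOG_LINE.search(line)
        if m:
            path = m.group(1).split("?", 1)[0]
            if route_mismatch(path):
                hits.append((path, canonical_route(path)))
    return hits

# Constructed sample access-log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /hello HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /hello/%2e HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /;/test/admin/page HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /admin/%20 HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /test/admin/page HTTP/1.1" 403 0',
]
```

A mismatch hit on a protected route in your own logs is a sign of probing against this class of bug, and the canonical route shows which handler the request actually reached.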
CVE-2014-0074
When the application uses an LDAP server with unauthenticated bind enabled, a remote attacker can exploit this vulnerability to bypass authentication by supplying an empty username or password.