[CVE-2020-1957] Shiro < 1.5.2 authentication bypass

Per the advisory: in Apache Shiro before 1.5.2, when Shiro is used with Spring dynamic controllers, a specially crafted request may bypass authentication. The notes below reproduce the normal and bypassed behaviour against the official Spring Boot sample.

Reference sample (Shiro spring-boot-web):
https://github.com/apache/shiro/tree/master/samples/spring-boot-web
Advisory references:

  • https://help.aliyun.com/noticelist/articleid/1060253375.html?spm=a2c4g.789213612.n2.6.74ff6141cdyXDH
  • https://seclists.org/oss-sec/2020/q1/120

Official fix commit (with its test cases):
https://github.com/apache/shiro/commit/3708d7907016bf2fa12691dff6ff0def1249b8ce

/hello (without credentials)

Requesting /hello without credentials is redirected to /login:
(screenshot)

/hello (with credentials)

(screenshot: /hello served after a successful login)

Reaching /hello through the bypass

With a crafted request path, /hello is served without any login, even though the filter chain marks it as authc:
(screenshot)
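The screenshot above does not show why the crafted request works, so here is an added illustration (not code from the page, from Shiro or from Spring). It models the root cause as a path-handling mismatch: Shiro < 1.5.2 matched its filter chain against the raw request URI cut at the first ';', while the servlet container strips ';'-parameters per segment and resolves '..' before dispatching to the controller. The request shape used, /xxx/..;/hello, is the widely published form for this CVE; the truncation rule, the per-segment normalization, the three-entry filter chain and the tiny Ant matcher are all simplifying assumptions of this example, not Shiro's actual implementation.

```python
"""Model of the path mismatch behind CVE-2020-1957 (added example, not Shiro code).

Assumptions (labelled as such):
  - pre-1.5.2 side: raw URI minus context path, truncated at the first ';'.
  - container side: drop ';param' from every segment, then collapse '.' / '..'.
  - 1.5.2 side: match against the container-resolved path instead of the raw URI.
  - Ant-style matching supports only '*' (within a segment) and '**' (any depth).
"""
import re
from typing import List, Tuple

# Constructed filter chain, in shiro.ini [urls] order: only /hello is protected.
FILTER_CHAIN: List[Tuple[str, str]] = [
    ("/hello", "authc"),
    ("/login", "anon"),
    ("/**", "anon"),
]


def ant_match(pattern: str, path: str) -> bool:
    """Tiny Ant-style matcher: '/**' spans zero or more segments, '*' one segment."""
    regex = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("/**", i):
            regex += "(?:/.*)?"
            i += 3
        elif pattern.startswith("**", i):
            regex += ".*"
            i += 2
        elif pattern[i] == "*":
            regex += "[^/]*"
            i += 1
        else:
            regex += re.escape(pattern[i])
            i += 1
    return re.fullmatch(regex, path) is not None


def first_matching_filter(path: str) -> str:
    """Shiro applies the first chain entry whose pattern matches; none -> no filter."""
    for pattern, filt in FILTER_CHAIN:
        if ant_match(pattern, path):
            return filt
    return "anon"


def _strip_context(request_uri: str, context_path: str) -> str:
    return request_uri[len(context_path):] if request_uri.startswith(context_path) else request_uri


def shiro_pre_152_path(request_uri: str, context_path: str = "") -> str:
    """Assumed pre-1.5.2 behaviour: cut at the first ';', never resolve '..'."""
    path = _strip_context(request_uri, context_path)
    semi = path.find(";")
    return path[:semi] if semi != -1 else path


def container_resolved_path(request_uri: str, context_path: str = "") -> str:
    """Assumed container behaviour: drop per-segment ';params', resolve '.' and '..'."""
    out: List[str] = []
    for seg in _strip_context(request_uri, context_path).split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def shiro_152_path(request_uri: str, context_path: str = "") -> str:
    """Assumed fixed behaviour: both sides agree on the normalized path."""
    return container_resolved_path(request_uri, context_path)


def evaluate(request_uri: str) -> dict:
    """Filter decision of old and fixed Shiro next to the controller path actually hit."""
    return {
        "controller_path": container_resolved_path(request_uri),
        "pre_152_filter": first_matching_filter(shiro_pre_152_path(request_uri)),
        "fixed_filter": first_matching_filter(shiro_152_path(request_uri)),
    }


if __name__ == "__main__":
    for uri in ("/hello", "/xxx/..;/hello"):
        print(uri, evaluate(uri))
```

For /xxx/..;/hello the old side sees /xxx/.. and falls through to the anon catch-all, while the container dispatches /hello to the protected controller; once the filter chain is evaluated against the same normalized path, the request is classified as authc again. The practical check is the same as the one in the page: send the crafted path to a protected handler and confirm you get the login redirect, not the resource.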

Shiro login demo

import org.apache.shiro.SecurityUtils;
import org.apache.shiro.authc.AuthenticationException;
import org.apache.shiro.authc.IncorrectCredentialsException;
import org.apache.shiro.authc.UnknownAccountException;
import org.apache.shiro.authc.UsernamePasswordToken;
import org.apache.shiro.subject.Subject;
import org.springframework.stereotype.Controller;
import org.springframework.ui.Model;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestMethod;


@Controller
public class MainController {

    // Handles the login form POST. The credential check itself happens inside
    // subject.login(); this controller only maps the outcome to a view.
    @RequestMapping(value = "loginUser", method = RequestMethod.POST)
    public String loginUser(String userName, String passwd, Model model) {
        Subject subject = SecurityUtils.getSubject();
        UsernamePasswordToken token = new UsernamePasswordToken(userName, passwd);
        try {
            subject.login(token); // delegates to SecurityManager#login
            return "redirect:/index";
        } catch (UnknownAccountException e) {
            // Note: distinct messages for unknown user vs. wrong password let a
            // caller enumerate valid usernames; a production app should use one message.
            model.addAttribute("message", "Unknown username!");
            return "login";
        } catch (IncorrectCredentialsException e) {
            model.addAttribute("message", "Wrong password");
            return "login";
        } catch (AuthenticationException e) {
            // Any other failure (locked account, realm error, ...) must not propagate
            // out of the handler as an unhandled exception.
            model.addAttribute("message", "Login failed");
            return "login";
        }
    }
}

Call chain on login:
org.apache.shiro.subject.support.DelegatingSubject#login
=>
org.apache.shiro.mgt.SecurityManager#login
(screenshot)
