• sql攻击 简单小记


    control层

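    /**
     * 测试样例: forwards the submitted login name and password to the service layer.
     *
     * <p>Both {@code username} and {@code password} arrive straight from the request
     * parameters and are untrusted; this method does no validation of its own.
     *
     * @param username login name from the request parameters
     * @param password password from the request parameters
     * @param session  current HTTP session, handed through to the service unchanged
     * @return the service result, or {@code HttpResult.failure(HTTP_REQUEST_FAILED)}
     *         when the service call throws
     */
    @PostMapping("/test")
    @PassLogin
    public HttpResult test(String username, String password, HttpSession session) {
        try {
            return userService.test(username, password, session);
        } catch (Exception e) {
            // Broad catch keeps the raw exception from reaching the client; the trace
            // still goes to stderr because no logger is in scope in this controller.
            e.printStackTrace();
            return HttpResult.failure(ResultCodeEnum.HTTP_REQUEST_FAILED);
        }
    }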

    service层

    /**
     * 测试样例 (service): looks users up by login name only.
     *
     * <p>{@code password} and {@code session} are accepted but never consulted here;
     * the result is whatever the mapper returns for {@code username}, wrapped as success.
     */
    public HttpResult test(String username, String password, HttpSession session) {
        // password / session intentionally unused in this sample
        return HttpResult.success(
                userMapper.test(username));
    }
    

    dao层

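    /**
     * Looks up the rows whose {@code login_name} equals the given value.
     *
     * <p>{@code #{username}} binds the value as a JDBC prepared-statement parameter, so
     * the input travels as data and cannot change the statement text. The listing on
     * this page used {@code ${username}}, which splices the raw string into the SQL
     * and is what makes the request shown below return the whole table.
     *
     * @param username login name to match exactly (untrusted request input)
     * @return the matching rows (element type is the mapper's configured result type)
     */
    @Select("select * from user t where t.login_name = #{username}")
    List test(String username);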
    

    SQL 一定要写成这样

    在这里插入图片描述

    postman请求
    在这里插入图片描述

    把整张表的数据都查询出来了
    在这里插入图片描述

    下面是 Spring Boot 防止 SQL 注入攻击的做法

    filter 层

    package com.funshion.pomme.exception;

    import org.springframework.stereotype.Component;

    import javax.servlet.*;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;
    import java.io.IOException;

    /**
     * ClassName: XssFilter
     * Description:
     * Reason:
     * Date: 2022/11/8 19:28
     * Modification History:
     * Date        Author   Version   Description
     * -------------------------------------------------------------------------------
     * 2022/11/8   LiuFei   1.0
     */
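      @Component
      public class XssFilter implements Filter {

          /**
           * Wraps every HTTP request in {@link XssHttpServletRequestWraper} so that
           * parameter and body reads pass through its cleaning methods.
           *
           * <p>No URL is excluded: the exclusion list in the original was never applied
           * (the loop was commented out), so the behaviour here is "wrap everything".
           * A non-HTTP request is passed through untouched instead of being cast, which
           * would have thrown {@code ClassCastException}.
           *
           * <p>The wrapper rejects suspicious values by throwing a
           * {@code RuntimeException}; that exception propagates out of this filter.
           *
           * @param request  incoming request
           * @param response outgoing response, forwarded unchanged
           * @param chain    the rest of the filter chain
           * @throws IOException      from the downstream chain
           * @throws ServletException from the downstream chain
           */
          @Override
          public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                  throws IOException, ServletException {
              if (!(request instanceof HttpServletRequest)) {
                  chain.doFilter(request, response);
                  return;
              }
              HttpServletRequest httpRequest = (HttpServletRequest) request;
              chain.doFilter(new XssHttpServletRequestWraper(httpRequest), response);
          }

          @Override
          public void init(FilterConfig filterConfig) throws ServletException {
              // No configuration is read.
          }

          @Override
          public void destroy() {
              // No resources are held.
          }
      }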

    控制入参的请求包装类

    package com.funshion.pomme.exception;

    import java.io.BufferedReader;
    import java.io.ByteArrayInputStream;
    import java.io.IOException;
    import java.io.InputStreamReader;
    import java.nio.charset.Charset;
    import java.nio.charset.StandardCharsets;
    import java.util.regex.Matcher;
    import java.util.regex.Pattern;
    import javax.servlet.ReadListener;
    import javax.servlet.ServletInputStream;
    import javax.servlet.ServletOutputStream;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletRequestWrapper;
    import javax.servlet.http.HttpServletResponse;
    import lombok.extern.slf4j.Slf4j;

    /**
     * ClassName: XssHttpServletRequestWraper
     * Description:
     * Reason:
     * Date: 2022/11/8 19:26
     * Modification History:
     * Date        Author   Version   Description
     * -------------------------------------------------------------------------------
     * 2022/11/8   LiuFei   1.0
     */
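      @Slf4j
      public class XssHttpServletRequestWraper extends HttpServletRequestWrapper {

          /**
           * Input that {@link #cleanXSS(String)} rejects: the characters {@code < > ( ) ;},
           * a {@code javascript:} scheme and the token {@code script}, case-insensitively.
           *
           * <p>This is the effective rule of the original chain of {@code replaceAll} calls
           * once its no-op lines (replace {@code "<"} with {@code "<"}, etc.) are dropped.
           * The bare words {@code link} and {@code frame} are no longer rejected: the tag
           * forms {@code <link} / {@code <iframe} are already caught by {@code <}, and the
           * bare words rejected ordinary text such as "framework".
           */
          private static final Pattern XSS_PATTERN =
                  Pattern.compile("[<>();]|javascript:|script", Pattern.CASE_INSENSITIVE);

          /**
           * SQL keywords that {@link #cleanSQLInject(String)} rejects, matched as whole words.
           * The original used plain substring matching, so any value containing "or" or
           * "and" (e.g. "world", "order", "brand") was refused.
           */
          private static final Pattern SQL_KEYWORD_PATTERN = Pattern.compile(
                  "\\b(insert|select|update|delete|and|or)\\b", Pattern.CASE_INSENSITIVE);

          /** Charset used both to decode the request body and to re-encode the cleaned copy. */
          private static final Charset BODY_CHARSET = StandardCharsets.UTF_8;

          /**
           * @deprecated always throws: {@link HttpServletRequestWrapper} rejects a null
           *             request with {@link IllegalArgumentException}. Kept only so existing
           *             callers still compile.
           */
          @Deprecated
          public XssHttpServletRequestWraper() {
              super(null);
          }

          /**
           * Wraps the given request so that parameter and body reads are checked against the
           * blacklists above before they reach the application.
           *
           * <p>Only {@code getParameter}, {@code getParameterValues} and {@code getInputStream}
           * are intercepted; {@code getParameterMap}, {@code getReader} and headers are
           * delivered unchecked — TODO confirm whether the consuming code reads through any
           * of those paths.
           *
           * @param httpservletrequest the request to wrap; must not be null
           */
          public XssHttpServletRequestWraper(HttpServletRequest httpservletrequest) {
              super(httpservletrequest);
          }

          /**
           * Returns the parameter values after the SQL and XSS checks (used by Spring MVC
           * for {@code @RequestParam} binding — assumption from the original comment).
           *
           * @param s parameter name
           * @return the checked values, or null when the parameter is absent
           * @throws RuntimeException if any value matches a blacklist
           */
          @Override
          public String[] getParameterValues(String s) {
              String[] raw = super.getParameterValues(s);
              if (raw == null) {
                  return null;
              }
              String[] checked = new String[raw.length];
              for (int i = 0; i < raw.length; i++) {
                  checked[i] = cleanXSS(cleanSQLInject(raw[i]));
              }
              return checked;
          }

          /**
           * Returns a single parameter value after the SQL and XSS checks.
           *
           * @param s parameter name
           * @return the checked value, or null when the parameter is absent
           * @throws RuntimeException if the value matches a blacklist
           */
          @Override
          public String getParameter(String s) {
              String raw = super.getParameter(s);
              if (raw == null) {
                  return null;
              }
              return cleanXSS(cleanSQLInject(raw));
          }

          /**
           * Returns the request body (e.g. a JSON payload) re-served from memory after the
           * XSS check. The whole body is read eagerly, so this is unsuitable for very large
           * uploads. Note that, as in the original, only {@link #cleanXSS(String)} is applied
           * to the body; {@link #cleanSQLInject(String)} is not.
           *
           * @return an in-memory stream over the UTF-8 bytes of the checked body
           * @throws IOException      if the underlying stream cannot be obtained
           * @throws RuntimeException if the body matches the XSS blacklist
           */
          @Override
          public ServletInputStream getInputStream() throws IOException {
              String body = inputHandlers(super.getInputStream());
              // Encode with the same charset used to decode; the original used the platform
              // default here, which silently corrupts non-ASCII bodies on some JVMs.
              final ByteArrayInputStream bytes = new ByteArrayInputStream(body.getBytes(BODY_CHARSET));
              return new ServletInputStream() {
                  @Override
                  public int read() {
                      return bytes.read();
                  }

                  @Override
                  public boolean isFinished() {
                      // Fully buffered, so "finished" is simply "nothing left to read".
                      return bytes.available() == 0;
                  }

                  @Override
                  public boolean isReady() {
                      // Memory-backed: a read never blocks.
                      return true;
                  }

                  @Override
                  public void setReadListener(ReadListener readListener) {
                      // Non-blocking reads are not supported by this buffered stream.
                  }
              };
          }

          /**
           * Reads the whole stream as UTF-8 text, closes it, and runs the XSS check on it.
           * Line breaks are preserved (the original dropped them while joining lines).
           *
           * @param servletInputStream the stream to drain; null is treated as an empty body
           * @return the checked body text
           * @throws RuntimeException if the body matches the XSS blacklist
           */
          public String inputHandlers(ServletInputStream servletInputStream) {
              StringBuilder sb = new StringBuilder();
              if (servletInputStream != null) {
                  try (BufferedReader reader =
                          new BufferedReader(new InputStreamReader(servletInputStream, BODY_CHARSET))) {
                      char[] buf = new char[4096];
                      int n;
                      while ((n = reader.read(buf)) != -1) {
                          sb.append(buf, 0, n);
                      }
                  } catch (IOException e) {
                      // Best effort, as before: whatever was read so far is checked and served.
                      log.error("failed to read request body", e);
                  }
              }
              return cleanXSS(sb.toString());
          }

          /**
           * Rejects values matching {@link #XSS_PATTERN}; otherwise returns the value unchanged.
           *
           * <p>This is a blacklist heuristic applied on input. It is not a substitute for
           * context-correct output encoding when values are rendered into HTML. The rejected
           * value itself is no longer written to the log: request parameters include
           * passwords, and the original logged them verbatim.
           *
           * @param src the value to check; null is returned as null
           * @return {@code src} unchanged
           * @throws RuntimeException if the value matches the blacklist
           */
          public String cleanXSS(String src) {
              if (src == null) {
                  return null;
              }
              if (XSS_PATTERN.matcher(src).find()) {
                  log.error("xss攻击检查:参数含有非法攻击字符,已禁止继续访问!! (length={})", src.length());
                  throw new RuntimeException("xss攻击检查:参数含有非法攻击字符,已禁止继续访问!!");
              }
              return src;
          }

          /**
           * Writes {@code msg} to the response as UTF-8 {@code text/html}.
           * Not called from this class; kept for callers elsewhere. {@code msg} is written
           * verbatim, so it must not contain unescaped user input.
           *
           * @param response the response to write to
           * @param msg      the text to send
           * @throws IOException if the output stream cannot be obtained or written
           */
          public void outputMsgByOutputStream(HttpServletResponse response, String msg) throws IOException {
              // Set the header before obtaining the stream so it is in place before any write.
              response.setHeader("content-type", "text/html;charset=UTF-8");
              ServletOutputStream outputStream = response.getOutputStream();
              outputStream.write(msg.getBytes(BODY_CHARSET));
          }

          /**
           * Rejects values containing a whole-word SQL keyword from {@link #SQL_KEYWORD_PATTERN};
           * otherwise returns the value unchanged.
           *
           * <p>This is a heuristic and does not make string-spliced SQL safe. The actual fix
           * for the mapper on this page is to bind the value with {@code #{username}} so it
           * is sent as a prepared-statement parameter; this check only reduces how often an
           * obvious payload reaches such a statement. Matching is case-insensitive via the
           * pattern flag, so no locale-dependent {@code toLowerCase()} is needed.
           *
           * @param src the value to check; null is returned as null
           * @return {@code src} unchanged
           * @throws RuntimeException if the value contains a blacklisted keyword
           */
          public String cleanSQLInject(String src) {
              if (src == null) {
                  return null;
              }
              if (SQL_KEYWORD_PATTERN.matcher(src).find()) {
                  log.error("sql注入检查:输入信息存在SQL攻击! (length={})", src.length());
                  throw new RuntimeException("sql注入检查:参数含有非法攻击字符,已禁止继续访问!!");
              }
              return src;
          }
      }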

  • 原文地址:https://blog.csdn.net/qq_43077857/article/details/127786194