SQL盲注的解决方案

引起SQL盲注的原因:[url]http://www-01.ibm.com/support/docview.wss?uid=swg21674465[/url]
WEB安全实战(一)SQL盲注 :[url]http://blog.csdn.net/happylee6688/article/details/40615575[/url]
上面这篇文章用的是Mybaits的防注入策略,下面我们看一下,如何在进入mybatis之前,就提前处理,
如何处理呢?
HttpServletRequest在获取参数时会调用两个方法,getParameter(String name) 和
getParameterValues(String name),我是不是可以继承HttpServletRequest,重写这两个方法,来解决SQL盲注呢?答案是可以的。具体请看下文:

HttpServletRequest包装类:
public class XssHttpServletRequestWrapper extends HttpServletRequestWrapper {
private String[]filterChars;
private String[]replaceChars;
public XssHttpServletRequestWrapper(HttpServletRequest request,String filterChar,String replaceChar,String splitChar) {
super(request);
if(filterChar!=null&&filterChar.length()>0){
filterChars=filterChar.split(splitChar);
}
if(replaceChar!=null&&replaceChar.length()>0){
replaceChars=replaceChar.split(splitChar);
}
}
public String getQueryString() {
String value = super.getQueryString();
if (value != null) {
value = xssEncode(value);
value = value.replaceAll("&", "&").replaceAll("=", "=");
}
return value;
}

/**
* 覆盖getParameter方法,将参数名和参数值都做xss过滤。

* 如果需要获得原始的值,则通过super.getParameterValues(name)来获取

* getParameterNames,getParameterValues和getParameterMap也可能需要覆盖
*/
public String getParameter(String name) {
String value = super.getParameter(xssEncode(name));
if (value != null) {
//关键处理
value = xssEncode(value);
}
return value;
}

public String[] getParameterValues(String name) {
String[]parameters=super.getParameterValues(name);
if (parameters==null||parameters.length == 0) {
return null;
}
for (int i = 0; i < parameters.length; i++) {
//关键处理
parameters[i] = xssEncode(parameters[i]);
}
return parameters;
}

/**
* 覆盖getHeader方法,将参数名和参数值都做xss过滤。

* 如果需要获得原始的值,则通过super.getHeaders(name)来获取
getHeaderNames 也可能需要覆盖
*/
public String getHeader(String name) {

String value = super.getHeader(xssEncode(name));
if (value != null) {
//关键处理
value = xssEncode(value);
}
return value;
}

/**
* 将容易引起xss漏洞的半角字符直接替换成全角字符
*
* @param s
* @return
*/
private String xssEncode(String s) {
if (s == null || s.equals("")) {
return s;
}
try {
// 前端如果提交的内容中包含%会出异常,先将非URL编码的%替换成全角
s = s.replaceAll("%(?![0-9a-fA-F][0-9a-fA-F])", "%");
s = URLDecoder.decode(s, UTF8);
} catch (UnsupportedEncodingException e) {
e.printStackTrace();
}
for (int i = 0; i < filterChars.length; i++) {
if(s.contains(filterChars[i])){
s=s.replace(filterChars[i], replaceChars[i]);
}
}
return s;
}

public static void main(String[] args){
String s = "%预期%AG收益20%年%20化%E利%EA率%";
s = s.replaceAll("%(?![0-9a-fA-F][0-9a-fA-F])", "%");
System.out.println(s);
}
}

//SQL过滤器
public class XssFilter implements Filter {
private String filterChar;//需要过滤的字符串
private String replaceChar;//替代需要过滤的字符串对应的字符串
private String splitChar;//分隔符
private String excludeUrls;//不需要过滤的连接
FilterConfig filterConfig = null;
public void init(FilterConfig filterConfig) throws ServletException {
this.filterChar=filterConfig.getInitParameter("FilterChar");
this.replaceChar=filterConfig.getInitParameter("ReplaceChar");
this.splitChar=filterConfig.getInitParameter("SplitChar");
this.excludeUrls=filterConfig.getInitParameter("excludeUrls");
this.filterConfig = filterConfig;
}
public void destroy() {
this.filterConfig = null;
}

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException {
//如果是不需要的过滤的url,直接到下一个filter
if(isExcludeUrl(request)){
chain.doFilter(request, response);
}else{
//否则包装HttpServletRequest,替换参数
chain.doFilter(new XssHttpServletRequestWrapper((HttpServletRequest) request,filterChar,replaceChar,splitChar), response);
}
}
private boolean isExcludeUrl(ServletRequest request){
boolean exclude=false;
if(StringUtils.isNotBlank(excludeUrls)){
String[]excludeUrl=excludeUrls.split(splitChar);
if(excludeUrl!=null&&excludeUrl.length>0){
for(String url:excludeUrl){
if(URLHelper.getURI((HttpServletRequest)request).startsWith(url)){
exclude=true;
}
}
}
}
return exclude;
}

}


配置filter


XssFilter
com.web.XssFilter


excludeUrls
/test@/group/add@/find



SplitChar
@



FilterChar
;@&@<@'@"@\@#@%@select @delete @update @insert @or @and @>



ReplaceChar
;@&@<@‘@“@\@#@%@select @delete @update @insert @or@and@>



总结:
解决的办法,重写Requets的获取参数方法,并在过滤器中,根据是否需要过滤URL,来确定是否需要包装Request。

你可能感兴趣的:(Tomcat)