这个是常见的漏洞了,相信大家都不会陌生,直接上解决该漏洞的代码
package com.ifan.soft.filter;
import java.io.IOException;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Locale;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.log4j.Logger;
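public class LoginFilter implements Filter {

    /** Pattern of the timestamp appended to the per-request log line. */
    private static final String DATE_PATTERN = "yyyy-MM-dd HH:mm:ss";

    private static final Logger log = Logger.getLogger(LoginFilter.class);

    /**
     * Tokens that divert a request to the error page when any of them occurs
     * anywhere in the upper-cased request URI. Kept in upper case once, so the
     * original mixed-case duplicates ("and"/"AND", "all" listed twice, "(" and
     * "!" listed twice) collapse without changing which URIs match. Adjust to
     * the application's needs.
     *
     * NOTE(review): matching is plain substring, not whole-word, so "OR" also
     * matches "/error" and "IN" matches "/login"; " ", "-" and "_" alone
     * reject most real paths. Review the list before deploying. A URI
     * blocklist is a coarse screen only; SQL built from request data still
     * needs PreparedStatement with bound parameters.
     */
    private static final String[] BLOCKED_TOKENS = {
        // SQL keywords
        "FROM", "COUNT", "CHR", "MASTER", "TRUNCATE", "DECLARE", "DROP", "ALL",
        "AND", "ORDER", "TO", "ALTER", "OR", "SELECT", "EXEC", "IN", "ON",
        "UPDATE", "GROUP", "HAVING", "DELETE", "LIKE", "INSERT",
        // ASCII punctuation
        "<", ">", "^", "*", "'", "!", " ", "-", "@", "$", "#", "(", ")", "_", "~",
        "`", "{", "}", "[", "]", "\"", "|", "?", ",", ";", ":", "&",
        // full-width / CJK punctuation
        "。", "《", "》", "、", "——", "‘", "¥", "’", "【", "】"
    };

    /**
     * Logs the request URI, then either forwards to {@code /uc/error} (when the
     * URI contains a blocked token) or passes the request down the chain.
     *
     * <p>Only {@code getRequestURI()} is inspected: the query string and the
     * request body are not examined by this filter.
     *
     * @param req   incoming request, cast to {@link HttpServletRequest}
     * @param resp  outgoing response
     * @param chain remaining filter chain
     * @throws IOException      propagated from the forward or the chain
     * @throws ServletException propagated from the forward or the chain
     */
    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        String url = request.getRequestURI();
        // SimpleDateFormat is not thread-safe and filters run concurrently, so a
        // per-call instance replaces the former shared static one.
        log.info("---当前URL:" + url + "--当前时间"
                + new SimpleDateFormat(DATE_PATTERN).format(new Date()));
        if (containsBlockedToken(url)) {
            // Divert to the error page and stop here; nothing downstream runs.
            request.getRequestDispatcher("/uc/error").forward(req, resp);
            return;
        }
        chain.doFilter(req, resp);
    }

    /**
     * Reports whether {@code url} contains any entry of {@link #BLOCKED_TOKENS},
     * compared case-insensitively.
     *
     * @param url the raw request URI (non-null per the servlet contract). It is
     *            compared as-is, so percent-encoded forms of listed characters
     *            (for example an encoded quote) are not matched here
     * @return {@code true} if a blocked token occurs anywhere in the URI
     */
    static boolean containsBlockedToken(String url) {
        // Locale.ROOT keeps the comparison stable regardless of the JVM's
        // default locale (e.g. Turkish dotted/dotless i); hoisted out of the loop.
        String upperCaseUrl = url.toUpperCase(Locale.ROOT);
        for (String token : BLOCKED_TOKENS) {
            if (upperCaseUrl.contains(token)) {
                return true;
            }
        }
        return false;
    }

    /** No configuration is read; nothing to initialise. */
    @Override
    public void init(FilterConfig filterConfig) throws ServletException {
    }

    /** No resources are held; nothing to release. */
    @Override
    public void destroy() {
    }
}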
在web.xml中添加