{"id":515,"date":"2022-03-08T10:12:27","date_gmt":"2022-03-08T02:12:27","guid":{"rendered":"http:\/\/blog.nonot.cn\/?p=515"},"modified":"2024-07-08T12:52:24","modified_gmt":"2024-07-08T04:52:24","slug":"java-%e8%bf%87%e6%bb%a4%e5%99%a8%e8%a7%a3%e5%86%b3urlsql%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e%e3%80%81%e8%b7%a8%e7%ab%99%e6%bc%8f%e6%b4%9e%e3%80%81%e6%a1%86%e6%9e%b6%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/blog.nonot.cn\/index.php\/2022\/03\/08\/java-%e8%bf%87%e6%bb%a4%e5%99%a8%e8%a7%a3%e5%86%b3urlsql%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e%e3%80%81%e8%b7%a8%e7%ab%99%e6%bc%8f%e6%b4%9e%e3%80%81%e6%a1%86%e6%9e%b6%e6%b3%a8%e5%85%a5%e6%bc%8f%e6%b4%9e\/","title":{"rendered":"Java \u8fc7\u6ee4\u5668\u89e3\u51b3URLSQL\u6ce8\u5165\u6f0f\u6d1e\u3001\u8de8\u7ad9\u6f0f\u6d1e\u3001\u6846\u67b6\u6ce8\u5165\u6f0f\u6d1e\u3001\u94fe\u63a5\u6ce8\u5165\u6f0f\u6d1e"},"content":{"rendered":"<p>\u4e00\u3001 \u6f0f\u6d1e\u63cf\u8ff0<br \/>\n1. \u68c0\u6d4b\u5230\u76ee\u6807URL\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e<br \/>\n\u5f88\u591aWEB\u5e94\u7528\u4e2d\u90fd\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\u3002SQL\u6ce8\u5165\u662f\u4e00\u79cd\u653b\u51fb\u8005\u5229\u7528\u4ee3\u7801\u7f3a\u9677\u8fdb\u884c\u653b\u51fb\u7684\u65b9\u5f0f\uff0c\u53ef\u5728\u4efb\u4f55\u80fd\u591f\u5f71\u54cd\u6570\u636e\u5e93\u67e5\u8be2\u7684\u5e94\u7528\u7a0b\u5e8f\u53c2\u6570\u4e2d\u5229\u7528\u3002\u4f8b\u5982url\u672c\u8eab\u7684\u53c2\u6570\u3001post\u6570\u636e\u6216cookie\u503c\u3002<\/p>\n<p>2.\u68c0\u6d4b\u5230\u76ee\u6807URL\u5b58\u5728\u8de8\u7ad9\u6f0f\u6d1e<br 
\/>\n\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff08\u4e5f\u79f0\u4e3aXSS\uff09\u6307\u5229\u7528\u7f51\u7ad9\u6f0f\u6d1e\u4ece\u7528\u6237\u90a3\u91cc\u6076\u610f\u76d7\u53d6\u4fe1\u606f\u3002\u7528\u6237\u5728\u6d4f\u89c8\u7f51\u7ad9\u3001\u4f7f\u7528\u5373\u65f6\u901a\u8baf\u8f6f\u4ef6\u3001\u751a\u81f3\u5728\u9605\u8bfb\u7535\u5b50\u90ae\u4ef6\u65f6\uff0c\u901a\u5e38\u4f1a\u70b9\u51fb\u5176\u4e2d\u7684\u94fe\u63a5\u3002\u653b\u51fb\u8005\u901a\u8fc7\u5728\u94fe\u63a5\u4e2d\u63d2\u5165\u6076\u610f\u4ee3\u7801\uff0c\u5c31\u80fd\u591f\u76d7\u53d6\u7528\u6237\u4fe1\u606f\u6216\u5728\u7ec8\u7aef\u7528\u6237\u7cfb\u7edf\u4e0a\u6267\u884c\u6076\u610f\u4ee3\u7801\u3002<\/p>\n<p>3.\u68c0\u6d4b\u5230\u76ee\u6807URL\u5b58\u5728\u6846\u67b6\u6ce8\u5165\u6f0f\u6d1e<br \/>\n\u653b\u51fb\u8005\u6709\u53ef\u80fd\u6ce8\u5165\u542b\u6709\u6076\u610f\u5185\u5bb9\u7684 frame \u6216 iframe \u6807\u8bb0\u3002\u5982\u679c\u7528\u6237\u4e0d\u591f\u8c28\u614e\uff0c\u5c31\u6709\u53ef\u80fd\u6d4f\u89c8\u8be5\u6807\u8bb0\uff0c\u5374\u610f\u8bc6\u4e0d\u5230\u81ea\u5df1\u4f1a\u79bb\u5f00\u539f\u59cb\u7ad9\u70b9\u800c\u8fdb\u5165\u6076\u610f\u7684\u7ad9\u70b9\u3002\u4e4b\u540e\uff0c\u653b\u51fb\u8005\u4fbf\u53ef\u4ee5\u8bf1\u5bfc\u7528\u6237\u518d\u6b21\u767b\u5f55\uff0c\u7136\u540e\u83b7\u53d6\u5176\u767b\u5f55\u51ed\u8bc1\u3002<\/p>\n<p>4.\u68c0\u6d4b\u5230\u76ee\u6807URL\u5b58\u5728\u94fe\u63a5\u6ce8\u5165\u6f0f\u6d1e<br \/>\n\u201c\u94fe\u63a5\u6ce8\u5165\u201d\u662f\u4fee\u6539\u7ad9\u70b9\u5185\u5bb9\u7684\u884c\u4e3a\uff0c\u5176\u65b9\u5f0f\u4e3a\u5c06\u5916\u90e8\u7ad9\u70b9\u7684 URL \u5d4c\u5165\u5176\u4e2d\uff0c\u6216\u5c06\u6709\u6613\u53d7\u653b\u51fb\u7684\u7ad9\u70b9\u4e2d\u7684\u811a\u672c \u7684 URL \u5d4c\u5165\u5176\u4e2d\u3002\u5c06 URL 
\u5d4c\u5165\u6613\u53d7\u653b\u51fb\u7684\u7ad9\u70b9\u4e2d\uff0c\u653b\u51fb\u8005\u4fbf\u80fd\u591f\u4ee5\u5b83\u4e3a\u5e73\u53f0\u6765\u542f\u52a8\u5bf9\u5176\u4ed6\u7ad9\u70b9\u7684\u653b\u51fb\uff0c\u4ee5\u53ca\u653b\u51fb\u8fd9\u4e2a\u6613\u53d7\u653b\u51fb\u7684\u7ad9\u70b9\u672c\u8eab\u3002<\/p>\n<p>\u4e8c\u3001 \u89e3\u51b3\u65b9\u6848<br \/>\n1. URL\u8fc7\u6ee4\u5668SessionFilter.java<br \/>\npackage cn.sh.steven.filter;<\/p>\n<p>import org.apache.commons.lang.StringUtils;<br \/>\nimport org.apache.log4j.Logger;<\/p>\n<p>import javax.servlet.*;<br \/>\nimport javax.servlet.http.HttpServletRequest;<br \/>\nimport javax.servlet.http.HttpServletResponse;<br \/>\nimport java.io.*;<br \/>\nimport java.util.ArrayList;<br \/>\nimport java.util.Iterator;<br \/>\nimport java.util.Map;<\/p>\n<p>public class SessionFilter implements Filter {<br \/>\nprivate static Logger log = Logger.getLogger(SessionFilter.class);<\/p>\n<p>public void destroy() { }<\/p>\n<p>public void doFilter(ServletRequest servletRequest,<br \/>\nServletResponse servletResponse, FilterChain filterChain)<br \/>\nthrows IOException, ServletException {<br \/>\nHttpServletRequest request = (HttpServletRequest) servletRequest;<br \/>\nHttpServletResponse response = (HttpServletResponse) servletResponse;<br \/>\nString requestStr = getRequestString(request);<br \/>\nSystem.out.println(&#8220;requestStr\uff1a ======================== &#8221; + requestStr);<br \/>\nSystem.out.println(&#8220;\u5b8c\u6574\u7684\u5730\u5740\u662f====&#8221; + request.getRequestURL().toString());<br \/>\nSystem.out.println(&#8220;\u63d0\u4ea4\u7684\u65b9\u5f0f\u662f========&#8221; + request.getMethod());<br \/>\nlog.info(&#8220;requestStr\uff1a ======================== &#8221; + requestStr);<br \/>\nlog.info(&#8220;\u5b8c\u6574\u7684\u5730\u5740\u662f====&#8221; + request.getRequestURL().toString());<br \/>\nlog.info(&#8220;\u63d0\u4ea4\u7684\u65b9\u5f0f\u662f========&#8221; + request.getMethod());<\/p>\n<p>if 
(&#8220;bingo&#8221;.equals(guolv2(requestStr)) || &#8220;bingo&#8221;.equals(guolv2(request.getRequestURL().toString()))) {<br \/>\nSystem.out.println(&#8220;======\u8bbf\u95ee\u5730\u5740\u53d1\u73b0\u975e\u6cd5\u5b57\u7b26\uff0c\u5df2\u62e6\u622a======&#8221;);<br \/>\nlog.info(&#8220;======\u8bbf\u95ee\u5730\u5740\u53d1\u73b0\u975e\u6cd5\u5b57\u7b26\uff0c\u5df2\u62e6\u622a======\u5176\u975e\u6cd5\u5730\u5740\u4e3a\uff1a&#8221;+guolv2(request.getRequestURL().toString()));<br \/>\nresponse.setStatus(403);<br \/>\n\/\/response.sendRedirect(request.getContextPath() + &#8220;\/login.jsp&#8221;);<br \/>\nreturn;<br \/>\n}<br \/>\n\/\/ \u4e3b\u673aip\u548c\u7aef\u53e3 \u6216 \u57df\u540d\u548c\u7aef\u53e3<br \/>\nString myhosts = request.getHeader(&#8220;host&#8221;);<br \/>\nString path=request.getSession().getServletContext().getRealPath(&#8220;\/WEB-INF\/classes\/csrfWhite.txt&#8221;) ;<br \/>\nArrayList&lt;String&gt; hosts = readFromTextFile(path);<br \/>\nif(!hosts.contains(myhosts)){<br \/>\nSystem.out.println(&#8220;======\u8bbf\u95eehost\u975e\u6cd5\uff0c\u5df2\u62e6\u622a======\u5176\u975e\u6cd5host\u4e3a:&#8221;+myhosts);<br \/>\nlog.info(&#8220;======\u8bbf\u95eehost\u975e\u6cd5\uff0c\u5df2\u62e6\u622a======\u5176\u975e\u6cd5host\u4e3a:&#8221;+myhosts);<br \/>\nresponse.setStatus(403);<br \/>\nreturn;<br \/>\n}<\/p>\n<p>String currentURL = request.getRequestURI();<br \/>\n\/\/ add by wangsk \u8fc7\u6ee4\u8bf7\u6c42\u7279\u6b8a\u5b57\u7b26\uff0c\u626b\u63cf\u8de8\u7ad9\u5f0f\u6f0f\u6d1e<br \/>\nMap parameters = request.getParameterMap();<br \/>\nif (parameters != null &amp;&amp; parameters.size() &gt; 0) {<br \/>\nfor (Iterator iter = parameters.keySet().iterator(); iter.hasNext();) {<br \/>\nString key = (String) iter.next();<br \/>\nString[] values = (String[]) parameters.get(key);<br \/>\nfor (int i = 0; i &lt; values.length; i++) {<br \/>\nvalues[i] = guolv(values[i]);<br \/>\nSystem.out.println(values[i]);<br \/>\n}<br \/>\n}<br \/>\n}<br 
\/>\nfilterChain.doFilter(servletRequest, servletResponse);return;<br \/>\n}<\/p>\n<p>public void init(FilterConfig filterConfig) throws ServletException {<\/p>\n<p>}<\/p>\n<p>public static String guolv(String a) {<br \/>\na = a.replaceAll(&#8220;%22&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;%27&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;%3E&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;%3e&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;%3C&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;%3c&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;&lt;&#8220;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;&gt;&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;\\&#8221;&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;&#8216;&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;\\\\+&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;\\\\(&#8220;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8220;\\\\)&#8221;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8221; and &#8220;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8221; or &#8220;, &#8220;&#8221;);<br \/>\na = a.replaceAll(&#8221; 1=1 &#8220;, &#8220;&#8221;);<br \/>\nreturn a;<br \/>\n}<\/p>\n<p>private String getRequestString(HttpServletRequest req) {<br \/>\nString requestPath = req.getServletPath().toString();<br \/>\nString queryString = req.getQueryString();<br \/>\nif (queryString != null)<br \/>\nreturn requestPath + &#8220;?&#8221; + queryString;<br \/>\nelse<br \/>\nreturn requestPath;<br \/>\n}<\/p>\n<p>public String guolv2(String a) {<br \/>\nif (StringUtils.isNotEmpty(a)) {<br \/>\nif (a.contains(&#8220;%22&#8221;) || a.contains(&#8220;%3E&#8221;) || a.contains(&#8220;%3e&#8221;)<br \/>\n|| a.contains(&#8220;%3C&#8221;) || a.contains(&#8220;%3c&#8221;)<br \/>\n|| a.contains(&#8220;&lt;&#8220;) || a.contains(&#8220;&gt;&#8221;) || a.contains(&#8220;\\&#8221;&#8221;)<br \/>\n|| a.contains(&#8220;&#8216;&#8221;) || 
a.contains(&#8220;+&#8221;) ||<br \/>\na.contains(&#8221; and &#8220;) || a.contains(&#8221; or &#8220;)<br \/>\n|| a.contains(&#8220;1=1&#8221;) || a.contains(&#8220;(&#8220;) || a.contains(&#8220;)&#8221;)) {<br \/>\nreturn &#8220;bingo&#8221;;<br \/>\n}<br \/>\n}<br \/>\nreturn a;<br \/>\n}<\/p>\n<p>public static ArrayList&lt;String&gt; readFromTextFile(String pathname) throws IOException{<br \/>\nArrayList&lt;String&gt; strArray = new ArrayList&lt;String&gt;();<br \/>\nFile filename = new File(pathname);<br \/>\nInputStreamReader reader = new InputStreamReader(new FileInputStream(filename));<br \/>\nBufferedReader br = new BufferedReader(reader);<br \/>\nString line = &#8220;&#8221;;<br \/>\nline = br.readLine();<br \/>\nwhile(line != null) {<br \/>\nstrArray.add(line);<br \/>\nline = br.readLine();<br \/>\n}<br \/>\nreturn strArray;<br \/>\n}<\/p>\n<p>}<\/p>\n<p>2. URL\u8fc7\u6ee4\u5668CookieHttpOnlyFilter.java<br \/>\npackage cn.sh.steven.filter;<\/p>\n<p>import javax.servlet.*;<br \/>\nimport javax.servlet.http.Cookie;<br \/>\nimport javax.servlet.http.HttpServletRequest;<br \/>\nimport javax.servlet.http.HttpServletResponse;<br \/>\nimport javax.servlet.http.HttpSession;<br \/>\nimport java.io.IOException;<\/p>\n<p>\/**<br \/>\n* \u529f\u80fd\u63cf\u8ff0:<br \/>\n* &lt;p&gt;<br \/>\n* 1.Cookie \u8bbe\u7f6e httpOnly\u5c5e\u6027 Cookie<br \/>\n* 2.\u8bbe\u7f6e httpOnly\u5c5e\u6027\u9632\u6b62js\u8bfb\u53d6cookie<br \/>\n* &lt;\/p&gt;<br \/>\n*<br \/>\n* @author steven<br \/>\n*\/<br \/>\npublic class CookieHttpOnlyFilter implements Filter {<\/p>\n<p>public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)<br \/>\nthrows IOException, ServletException {<br \/>\nif (!(request instanceof HttpServletRequest)) {<br \/>\nchain.doFilter(request, response);<br \/>\nreturn;<br \/>\n}<br \/>\nHttpServletRequest httpReq = (HttpServletRequest) request;<br \/>\nHttpServletResponse httpResp = (HttpServletResponse) response;<br \/>\nCookie[] 
cookies = httpReq.getCookies();<br \/>\nif (cookies != null) {<br \/>\nCookie cookie = cookies[0];<br \/>\nif (cookie != null) {<br \/>\nHttpSession session = httpReq.getSession();<br \/>\nif (session != null) {<br \/>\nString sessionId = session.getId();<br \/>\n\/\/ http\u8bbe\u7f6e<br \/>\nhttpResp.addHeader(&#8220;Set-Cookie&#8221;, &#8220;JSESSIONID=&#8221; + sessionId + &#8220;; Path=\/fis; HttpOnly&#8221;);<br \/>\nhttpResp.addHeader(&#8220;x-frame-options&#8221;,&#8221;SAMEORIGIN&#8221;);<br \/>\n\/\/ https\u8bbe\u7f6e<br \/>\n\/\/ httpResp.addHeader(&#8220;Set-Cookie&#8221;, &#8220;JSESSIONID=&#8221; + sessionId<br \/>\n\/\/ + &#8220;; Path=\/admin;Secure; HttpOnly&#8221;);<br \/>\n}<br \/>\n}<br \/>\n}<br \/>\nchain.doFilter(httpReq, httpResp);<\/p>\n<p>}<\/p>\n<p>public void destroy() {<br \/>\n}<\/p>\n<p>public void init(FilterConfig filterConfig) throws ServletException {<br \/>\n}<\/p>\n<p>}<\/p>\n<p>3. URL\u8fc7\u6ee4\u5668web.xml<br \/>\n&lt;filter&gt;<br \/>\n&lt;filter-name&gt;XssSqlFilter&lt;\/filter-name&gt;<br \/>\n&lt;filter-class&gt;cn.sh.steven.filter.SessionFilter&lt;\/filter-class&gt;<br \/>\n&lt;\/filter&gt;<br \/>\n&lt;filter-mapping&gt;<br \/>\n&lt;filter-name&gt;XssSqlFilter&lt;\/filter-name&gt;<br \/>\n&lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;<br \/>\n&lt;\/filter-mapping&gt;<br \/>\n&lt;filter&gt;<br \/>\n&lt;filter-name&gt;CookieHttpOnly&lt;\/filter-name&gt;<br \/>\n&lt;filter-class&gt;cn.sh.steven.filter.CookieHttpOnlyFilter&lt;\/filter-class&gt;<br \/>\n&lt;\/filter&gt;<br \/>\n&lt;filter-mapping&gt;<br \/>\n&lt;filter-name&gt;CookieHttpOnly&lt;\/filter-name&gt;<br \/>\n&lt;url-pattern&gt;\/*&lt;\/url-pattern&gt;<br \/>\n&lt;\/filter-mapping&gt;<\/p>\n<p>\u4e09\u3001 \u6ce8\u610f\u4e8b\u9879<br \/>\n1. guolv \u548c guolv2 \u662f\u9ed1\u540d\u5355\u8fc7\u6ee4\uff0c\u53ea\u80fd\u4f5c\u4e3a\u8f85\u52a9\u624b\u6bb5\uff0c\u4e0d\u80fd\u4ee3\u66ff\u6839\u672c\u4fee\u590d\uff1aSQL\u6ce8\u5165\u5e94\u4f7f\u7528 PreparedStatement \u53c2\u6570\u7ed1\u5b9a\uff0c\u8de8\u7ad9\u6f0f\u6d1e\u5e94\u5728\u8f93\u51fa\u65f6\u505aHTML\u7f16\u7801\uff0c\u6846\u67b6\u6ce8\u5165\u548c\u94fe\u63a5\u6ce8\u5165\u5e94\u5bf9URL\u505a\u767d\u540d\u5355\u6821\u9a8c\u3002\u9ed1\u540d\u5355\u5bb9\u6613\u88ab\u7f16\u7801\u53d8\u5f62\u7ed5\u8fc7\uff0c\u540c\u65f6\u4f1a\u8bef\u62e6\u622a\u542b\u6709\u5f15\u53f7\u3001\u62ec\u53f7\u6216\u52a0\u53f7\u7684\u6b63\u5e38\u8bf7\u6c42\u3002<br \/>\n2. Servlet \u89c4\u8303\u4e0d\u4fdd\u8bc1\u4fee\u6539 getParameterMap() \u8fd4\u56de\u7684\u6570\u7ec4\u4f1a\u5f71\u54cd\u540e\u7eed getParameter() \u7684\u7ed3\u679c\uff08\u4f8b\u5982 Tomcat \u8fd4\u56de\u7684\u662f\u526f\u672c\uff09\uff0c\u56e0\u6b64 guolv \u7684\u5904\u7406\u53ef\u80fd\u4e0d\u751f\u6548\uff1b\u5982\u9700\u5728\u8fc7\u6ee4\u5668\u4e2d\u6539\u5199\u53c2\u6570\uff0c\u5e94\u7528 HttpServletRequestWrapper \u8986\u76d6 getParameter \u548c getParameterValues\u3002<br \/>\n3. readFromTextFile \u6bcf\u6b21\u8bf7\u6c42\u90fd\u91cd\u65b0\u8bfb\u53d6\u767d\u540d\u5355\u6587\u4ef6\u4e14\u672a\u5173\u95ed\u6d41\uff0c\u5e94\u5728 init() \u4e2d\u8bfb\u53d6\u4e00\u6b21\u5e76\u7f13\u5b58\uff0c\u5e76\u7528 try-with-resources \u5173\u95ed\uff1b\u6821\u9a8c Host \u524d\u8c03\u7528 request.getSession() \u4f1a\u4e3a\u6bcf\u4e2a\u5230\u8fbe\u8be5\u5904\u7684\u8bf7\u6c42\uff08\u5305\u62ec\u88ab\u62e6\u622a\u7684\uff09\u521b\u5efa\u4f1a\u8bdd\uff0c\u5e94\u6539\u7528 filterConfig.getServletContext()\u3002<br \/>\n4. System.out.println \u548c log.info \u8bb0\u5f55\u4e86\u5b8c\u6574\u7684\u8bf7\u6c42\u5b57\u7b26\u4e32\uff0c\u53ef\u80fd\u628a\u5bc6\u7801\u3001\u4ee4\u724c\u7b49\u654f\u611f\u53c2\u6570\u5199\u5165\u65e5\u5fd7\uff0c\u4e0a\u7ebf\u524d\u5e94\u5220\u9664\u6216\u8131\u654f\u3002<br \/>\n5. CookieHttpOnlyFilter \u53ea\u5728\u8bf7\u6c42\u5df2\u5e26 Cookie \u65f6\u624d\u8865\u53d1 Set-Cookie \u548c X-Frame-Options\uff0cPath \u5199\u6b7b\u4e3a \/fis\uff0cSecure \u88ab\u6ce8\u91ca\u6389\uff1bX-Frame-Options \u5e94\u5bf9\u6bcf\u4e2a\u54cd\u5e94\u90fd\u8bbe\u7f6e\uff0cHttpOnly \u548c Secure \u5728 Servlet 3.0 \u4ee5\u4e0a\u5efa\u8bae\u901a\u8fc7 web.xml \u7684 &lt;session-config&gt;&lt;cookie-config&gt; \u7531\u5bb9\u5668\u7edf\u4e00\u8bbe\u7f6e\u3002<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u4e00\u3001 \u6f0f\u6d1e\u63cf\u8ff0 1. 
\u68c0\u6d4b\u5230\u76ee\u6807URL\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e \u5f88&hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[],"class_list":["post-515","post","type-post","status-publish","format-standard","hentry","category-java"],"_links":{"self":[{"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/posts\/515","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/comments?post=515"}],"version-history":[{"count":1,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/posts\/515\/revisions"}],"predecessor-version":[{"id":1210,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/posts\/515\/revisions\/1210"}],"wp:attachment":[{"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/media?parent=515"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/categories?post=515"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.nonot.cn\/index.php\/wp-json\/wp\/v2\/tags?post=515"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}