前面的教程有一章是讲解如何突破上传的,当被人通过上传功能突破的防线那就杯具了,有点hack知识的人都知道,很多攻击都是优先寻找上传的功能,因为能突破
就会剩下很多的功夫,比如hack上传了一个asp,php或者jsp文件,然后通过抓包路径获取了文件存放地址,然后直接请求就能通过这个可执行的文件获取到数据库的信息,
或者是遍历目录下载文件,寻找文件中的其他漏洞以获得更高的权限,下面我就演示下简单的防范手段,就算被突破了上传也会有下一堵墙在一定程度上防止执行脚本
我主要是使用shiro写了一个filter过滤需要请求信息,如遇到黑名单则记录信息,看下面贴的代码
- package com.silvery.security.shiro.filter;
-
- import java.text.SimpleDateFormat;
- import java.util.Date;
-
- import javax.servlet.ServletRequest;
- import javax.servlet.ServletResponse;
- import javax.servlet.http.HttpServletRequest;
-
- import org.apache.shiro.web.filter.authz.AuthorizationFilter;
- import org.slf4j.Logger;
- import org.slf4j.LoggerFactory;
-
- import com.silvery.utils.PatternUtils;
- import com.silvery.utils.WebUtils;
-
- /**
- *
- * 黑名单可执行程序请求过滤器
- *
- * @author shadow
- *
- */
- public class SimpleExecutiveFilter extends AuthorizationFilter {
-
- protected static final String[] blackUrlPathPattern = new String[] { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
- "*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
- "*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };
-
- private static final Logger log = LoggerFactory.getLogger(SimpleExecutiveFilter.class);
-
- @Override
- protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception {
-
- HttpServletRequest httpRequest = (HttpServletRequest) request;
-
- String reqUrl = httpRequest.getRequestURI().toLowerCase().trim();
-
- for (String pattern : blackUrlPathPattern) {
- if (PatternUtils.simpleMatch(pattern, reqUrl)) {
- log.error(new StringBuffer().append("unsafe request >>> ").append(" request time: ").append(
- new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date())).append("; request ip: ")
- .append(WebUtils.getClientIP()).append("; request url: ").append(httpRequest.getRequestURI())
- .toString());
- return false;
- }
- }
-
- return true;
-
- }
-
- }
下一步把刚刚写的过滤器配置到shiro的过滤链中
- <!-- 过滤链配置 -->
- <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
- <property name="securityManager" ref="securityManager" />
- <property name="loginUrl" value="/" />
- <property name="successUrl" value="/cms/index.do" />
- <property name="unauthorizedUrl" value="/static/unauthorized.html" />
- <property name="filters">
- <map>
- <entry key="role">
- <bean
- class="com.silvery.security.shiro.filter.SimpleRoleAuthorizationFilter" />
- </entry>
- <entry key="authc">
- <bean
- class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" />
- </entry>
- <entry key="exec">
- <bean class="com.silvery.security.shiro.filter.SimpleExecutiveFilter" />
- </entry>
- </map>
- </property>
- </bean>
最后配置下我们需要过滤的请求目录,一般都是全量过滤,但是有些静态资源是不应该过滤的,所以应该注意顺序,让anon权限的放到放到exec的前面
- <!-- 权限资源配置 -->
- <bean id="filterChainDefinitionsService"
- class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService">
- <property name="definitions">
- <value>
- /static/** = anon
- /** = exec
- </value>
- </property>
- </bean>
最后请求下php,jsp等那些文件是返回到无权限的页面,我们的简单防范已经达到目的了,下一章节可能讲如何防范xss和csrf攻击的防范
本站仅提供存储服务,所有内容均由用户发布,如发现有害或侵权内容,请
点击举报。
