美国VPS的ssh如何防止sql注入


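美国VPS的ssh(此处应指Struts+Spring+Hibernate框架,而非SSH远程登录协议)防止sql注入的方法如下。注意:下面的关键字过滤器只能作为辅助防护,数据库访问代码仍应使用参数化查询(PreparedStatement):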

1.在对应的web配置文件(web.xml)中添加以下代码:

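<!-- Registers the filter that sets the security response headers and screens request parameters. -->
<filter>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- filter2 <filter-class>com.wisdombud.cqupt.edu.web.filter.HttpHeaderSecurityFilter</filter-class> -->
    <filter-class>com.wisdombud.cqupt.edu.web.vpn.filter.HttpHeaderSecurityFilter</filter-class>
    <async-supported>true</async-supported>
</filter>
<filter-mapping>
    <filter-name>httpHeaderSecurity</filter-name>
    <!-- NOTE(review): "*" is kept as published. The Servlet specification form for "every request"
         is "/*"; confirm that the target container accepts a bare "*" before relying on it. -->
    <url-pattern>*</url-pattern>
</filter-mapping>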

2.过滤类,代码:

/*

* Licensed to the Apache Software Foundation (ASF) under one or more

* contributor license agreements. See the NOTICE file distributed with

* this work for additional information regarding copyright ownership.

* The ASF licenses this file to You under the Apache License, Version 2.0

* (the “License”); you may not use this file except in compliance with

* the License. You may obtain a copy of the License at

*

* http://www.apache.org/licenses/LICENSE-2.0

*

* Unless required by applicable law or agreed to in writing, software

* distributed under the License is distributed on an “AS IS” BASIS,

* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

* See the License for the specific language governing permissions and

* limitations under the License.

*/

package com.wisdombud.cqupt.edu.web.vpn.filter;

import java.io.IOException;

import java.util.Iterator;

import java.util.Map;

import java.util.Map.Entry;

import java.util.regex.Matcher;

import java.util.regex.Pattern;

import javax.servlet.FilterChain;

import javax.servlet.RequestDispatcher;

import javax.servlet.ServletException;

import javax.servlet.ServletRequest;

import javax.servlet.ServletResponse;

import javax.servlet.http.HttpServletRequest;

import javax.servlet.http.HttpServletResponse;

import org.apache.commons.lang3.StringUtils;

import org.apache.struts2.dispatcher.filter.StrutsPrepareAndExecuteFilter;

import org.slf4j.LoggerFactory;

import com.wisdombud.cqupt.edu.web.filter.MutableHttpServletRequest;

import com.wisdombud.cqupt.edu.web.filter.XssHttpServletRequestWrapperNew;

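/**
 * Struts 2 entry filter that sets two defensive response headers and rejects requests whose
 * parameter values contain SQL keywords or angle brackets.
 *
 * <p>The keyword blacklist is a coarse, defence-in-depth screen only. It does not make
 * string-built SQL safe: data-access code must still bind user input through
 * {@code PreparedStatement} parameters (or the ORM's named parameters). Only the values returned
 * by {@code getParameterMap()} are inspected; parameter names, headers, cookies and request
 * bodies that the container does not parse into parameters are not. Short tokens such as
 * {@code or\s}, {@code and\s}, {@code <} and {@code >} also reject legitimate text, so expect
 * false positives on free-text fields.
 */
public class HttpHeaderSecurityFilter extends StrutsPrepareAndExecuteFilter {

    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(HttpHeaderSecurityFilter.class);

    /** Regular-expression fragments that mark a parameter value as suspicious. */
    private static final String[] BAD_TOKENS =
        {"select\\s", "from\\s", "or\\s", "insert\\s", "delete\\s", "update\\s", "drop\\s", "truncate\\s",
            "exec\\s", "count\\(", "declare\\s", "asc\\(", "mid\\(", "char\\(", "net user", "xp_cmdshell", "/add\\s",
            "exec master.dbo.xp_cmdshell", "net localgroup administrators", "and\\s", "=\\s", "where\\s", "<", ">"};

    /**
     * Compiled once instead of on every parameter value. CASE_INSENSITIVE replaces the previous
     * {@code toLowerCase()} call, whose result depends on the JVM default locale.
     */
    private static final Pattern INJECTION_PATTERN = Pattern.compile(GetRegexString(), Pattern.CASE_INSENSITIVE);

    /**
     * Sets the response headers, screens the request parameters and either forwards to the
     * error page or hands the request to Struts.
     *
     * @param req incoming request; cast to {@link HttpServletRequest}
     * @param res outgoing response; cast to {@link HttpServletResponse}
     * @param chain remaining filter chain
     * @throws IOException if forwarding or the downstream chain fails with an I/O error
     * @throws ServletException if forwarding or the downstream chain fails
     */
    @Override
    public void doFilter(final ServletRequest req, final ServletResponse res, final FilterChain chain)
        throws IOException, ServletException {
        final HttpServletRequest request = (HttpServletRequest) req;
        final HttpServletResponse response = (HttpServletResponse) res;

        // NOTE(review): this wrapper is never passed down the chain, so the header stored on it
        // is not visible to later code. The response headers below are what the browser receives.
        final MutableHttpServletRequest mutableHttpServletRequest = new MutableHttpServletRequest(request);
        mutableHttpServletRequest.putHeader("X-Frame-Options", "SAMEORIGIN");

        // Allow framing by same-origin pages only, and stop browsers from MIME-sniffing responses.
        response.setHeader("X-Frame-Options", "SAMEORIGIN");
        response.setHeader("X-Content-Type-Options", "nosniff");

        if (sqlInjection(request)) {
            // Mark the rejection as a client error so that access logs and monitoring can see it.
            response.setStatus(HttpServletResponse.SC_BAD_REQUEST);
            final RequestDispatcher dispatcher = request.getRequestDispatcher("/400.jsp");
            dispatcher.forward(request, response);
            return;
        }
        super.doFilter(new XssHttpServletRequestWrapperNew(request), response, chain);
    }

    /**
     * Checks every request parameter value against the blacklist.
     *
     * @param httpRequest request whose parameter map is inspected
     * @return {@code true} as soon as one value matches, {@code false} when none does
     */
    private boolean sqlInjection(final HttpServletRequest httpRequest) {
        final Map<?, ?> parameters = httpRequest.getParameterMap();
        for (final Entry<?, ?> entry : parameters.entrySet()) {
            final Object rawValue = entry.getValue();
            if (rawValue == null) {
                continue;
            }
            // One key can carry several values, so a single value is normalised to an array.
            final String[] values;
            if (rawValue instanceof String[]) {
                values = (String[]) rawValue;
            } else {
                values = new String[] {rawValue.toString()};
            }
            for (final String value : values) {
                // HasInjectionData treats null and blank values as clean.
                if (HasInjectionData(value)) {
                    return true;
                }
            }
        }
        return false;
    }

    /**
     * Reports whether a value contains one of the blacklisted tokens.
     *
     * <p>The pattern is applied with {@code find()}. The earlier {@code ".*(...).*"} pattern with
     * {@code matches()} could not span line terminators, so a value containing a line break was
     * never flagged.
     *
     * @param inputData parameter value to inspect; may be {@code null}
     * @return {@code true} if a blacklisted token occurs in the trimmed value
     */
    public boolean HasInjectionData(final String inputData) {
        if (StringUtils.isBlank(inputData)) {
            return false;
        }
        final Matcher matcher = INJECTION_PATTERN.matcher(inputData.trim());
        if (!matcher.find()) {
            return false;
        }
        // SLF4J substitutes "{}"; the "{0}" placeholder used before was printed literally by
        // String.format. Line breaks are replaced so the value cannot forge extra log lines.
        // NOTE(review): the rejected value is written to the log and may hold sensitive data.
        LOGGER.info("检测出SQL注入的恶意数据, {}", inputData.replaceAll("[\\r\\n]", "_"));
        return true;
    }

    /**
     * Builds the alternation of all blacklisted tokens.
     *
     * @return a regular expression of the form {@code (token1|token2|...)}
     */
    private static String GetRegexString() {
        final StringBuilder regex = new StringBuilder("(");
        for (int i = 0; i < BAD_TOKENS.length; i++) {
            if (i > 0) {
                regex.append('|');
            }
            regex.append(BAD_TOKENS[i]);
        }
        return regex.append(')').toString();
    }
}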

3.过滤类中用到的请求包装类(MutableHttpServletRequest),代码:

package com.wisdombud.cqupt.edu.web.filter;

import java.util.Collections;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.util.TreeMap;
import java.util.TreeSet;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

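/**
 * Request wrapper that lets server-side code add or override request headers.
 *
 * <p>Header names are compared case-insensitively, as HTTP header names are. Headers stored here
 * exist only on this wrapper: they are seen only by code that receives the wrapper instance, and
 * they are never sent to the client.
 */
public final class MutableHttpServletRequest extends HttpServletRequestWrapper {

    // Custom header name -> value; the comparator makes lookups ignore case.
    private final Map<String, String> customHeaders;

    /**
     * @param request the original request to wrap
     */
    public MutableHttpServletRequest(HttpServletRequest request) {
        super(request);
        this.customHeaders = new TreeMap<String, String>(String.CASE_INSENSITIVE_ORDER);
    }

    /**
     * Adds a custom header, replacing any custom value stored under the same name.
     *
     * @param name header name, compared case-insensitively
     * @param value header value
     * @throws NullPointerException if {@code name} is {@code null}
     */
    public void putHeader(String name, String value) {
        this.customHeaders.put(name, value);
    }

    /**
     * Returns the custom value for {@code name} if one was stored, else the wrapped request's.
     */
    @Override
    public String getHeader(String name) {
        // Custom headers take precedence over the headers of the wrapped request.
        String headerValue = name == null ? null : customHeaders.get(name);
        if (headerValue != null) {
            return headerValue;
        }
        return ((HttpServletRequest) getRequest()).getHeader(name);
    }

    /**
     * Keeps {@code getHeaders} consistent with {@link #getHeader(String)}: a custom header is
     * returned as a single-element enumeration, anything else comes from the wrapped request.
     */
    @Override
    public Enumeration<String> getHeaders(String name) {
        String headerValue = name == null ? null : customHeaders.get(name);
        if (headerValue != null) {
            return Collections.enumeration(Collections.singletonList(headerValue));
        }
        return super.getHeaders(name);
    }

    /**
     * Returns the union of the custom header names and the wrapped request's header names.
     */
    @Override
    public Enumeration<String> getHeaderNames() {
        // Case-insensitive set, so a custom header does not show up twice under another casing.
        Set<String> names = new TreeSet<String>(String.CASE_INSENSITIVE_ORDER);
        names.addAll(customHeaders.keySet());

        @SuppressWarnings("unchecked")
        Enumeration<String> wrapped = ((HttpServletRequest) getRequest()).getHeaderNames();
        // The Servlet API allows a container to return null here.
        while (wrapped != null && wrapped.hasMoreElements()) {
            names.add(wrapped.nextElement());
        }
        return Collections.enumeration(names);
    }
}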