前面的教程有一章是讲解如何突破上传的,当被人通过上传功能突破的防线那就杯具了,有点hack知识的人都知道,很多攻击都是优先寻找上传的功能,因为能突破
就会剩下很多的功夫,比如hack上传了一个asp,php或者jsp文件,然后通过抓包路径获取了文件存放地址,然后直接请求就能通过这个可执行的文件获取到数据库的信息,
或者是遍历目录下载文件,寻找文件中的其他漏洞以获得更高的权限,下面我就演示下简单的防范手段,就算被突破了上传也会有下一堵墙在一定程度上防止执行脚本
我主要是使用shiro写了一个filter过滤需要请求信息,如遇到黑名单则记录信息,看下面贴的代码
package com.silvery.security.shiro.filter;
import java.text.SimpleDateFormat;
import java.util.Date;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import com.silvery.utils.PatternUtils;
import com.silvery.utils.WebUtils;
/**
*
* 黑名单可执行程序请求过滤器
*
* @author shadow
*
*/
public class SimpleExecutiveFilter extends AuthorizationFilter {
protected static final String[] blackUrlPathPattern = new String[] { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
"*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
"*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };
private static final Logger log = LoggerFactory.getLogger(SimpleExecutiveFilter.class);
@Override
protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception {
HttpServletRequest httpRequest = (HttpServletRequest) request;
String reqUrl = httpRequest.getRequestURI().toLowerCase().trim();
for (String pattern : blackUrlPathPattern) {
if (PatternUtils.simpleMatch(pattern, reqUrl)) {
log.error(new StringBuffer().append("unsafe request >>> ").append(" request time: ").append(
new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date())).append("; request ip: ")
.append(WebUtils.getClientIP()).append("; request url: ").append(httpRequest.getRequestURI())
.toString());
return false;
}
}
return true;
}
}
下一步把刚刚写的过滤器配置到shiro的过滤链中
<!-- 过滤链配置 --> <bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean"> <property name="securityManager" ref="securityManager" /> <property name="loginUrl" value="/" /> <property name="successUrl" value="/cms/index.do" /> <property name="unauthorizedUrl" value="/static/unauthorized.html" /> <property name="filters"> <map> <entry key="role"> <bean class="com.silvery.security.shiro.filter.SimpleRoleAuthorizationFilter" /> </entry> <entry key="authc"> <bean class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" /> </entry> <entry key="exec"> <bean class="com.silvery.security.shiro.filter.SimpleExecutiveFilter" /> </entry> </map> </property> </bean>
最后配置下我们需要过滤的请求目录,一般都是全量过滤,但是有些静态资源是不应该过滤的,所以应该注意顺序,让anon权限的放到放到exec的前面
<!-- 权限资源配置 --> <bean id="filterChainDefinitionsService" class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService"> <property name="definitions"> <value> /static/** = anon /** = exec </value> </property> </bean>
最后请求下php,jsp等那些文件是返回到无权限的页面,我们的简单防范已经达到目的了,下一章节可能讲如何防范xss和csrf攻击的防范
