一、 漏洞描述
1. 检测到目标URL存在SQL注入漏洞
很多WEB应用中都存在SQL注入漏洞。SQL注入是一种攻击者利用代码缺陷进行攻击的方式,可在任何能够影响数据库查询的应用程序参数中利用。例如url本身的参数、post数据或cookie值。
2.检测到目标URL存在跨站漏洞
跨站脚本攻击(也称为XSS)指利用网站漏洞从用户那里恶意盗取信息。用户在浏览网站、使用即时通讯软件、甚至在阅读电子邮件时,通常会点击其中的链接。攻击者通过在链接中插入恶意代码,就能够盗取用户信息或在终端用户系统上执行恶意代码。
3.检测到目标URL存在框架注入漏洞
攻击者有可能注入含有恶意内容的 frame 或 iframe 标记。如果用户不够谨慎,就有可能浏览该标记,却意识不到自己会离开原始站点而进入恶意的站点。之后,攻击者便可以诱导用户再次登录,然后获取其登录凭证。
4.检测到目标URL存在链接注入漏洞
“链接注入”是修改站点内容的行为,其方式为将外部站点的 URL 嵌入其中,或将有易受攻击的站点中的脚本 的 URL 嵌入其中。将 URL 嵌入易受攻击的站点中,攻击者便能够以它为平台来启动对其他站点的攻击,以及攻击这个易受攻击的站点本身。
二、 漏洞描述
1. URL过滤器SessionFilter.java
package cn.sh.steven.filter;
import org.apache.commons.lang.StringUtils;
import org.apache.log4j.Logger;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import java.io.*;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.Map;
public class SessionFilter implements Filter {
private static Logger log = Logger.getLogger(SessionFilter.class);
public void destroy() { }
public void doFilter(ServletRequest servletRequest,
ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException {
HttpServletRequest request = (HttpServletRequest) servletRequest;
HttpServletResponse response = (HttpServletResponse) servletResponse;
String requestStr = getRequestString(request);
System.out.println("requestStr: ======================== " + requestStr);
System.out.println("完整的地址是====" + request.getRequestURL().toString());
System.out.println("提交的方式是========" + request.getMethod());
log.info("requestStr: ======================== " + requestStr);
log.info("完整的地址是====" + request.getRequestURL().toString());
log.info("提交的方式是========" + request.getMethod());
if ("bingo".equals(guolv2(requestStr)) || "bingo".equals(guolv2(request.getRequestURL().toString()))) {
System.out.println("======访问地址发现非法字符,已拦截======");
log.info("======访问地址发现非法字符,已拦截======其非法地址为:"+guolv2(request.getRequestURL().toString()));
response.setStatus(403);
//response.sendRedirect(request.getContextPath() + "/login.jsp");
return;
}
// 主机ip和端口 或 域名和端口
String myhosts = request.getHeader("host");
String path=request.getSession().getServletContext().getRealPath("/WEB-INF/classes/csrfWhite.txt") ;
ArrayList<String> hosts = readFromTextFile(path);
if(!hosts.contains(myhosts)){
System.out.println("======访问host非法,已拦截======其非法host为:"+myhosts);
log.info("======访问host非法,已拦截======其非法host为:"+myhosts);
response.setStatus(403);
return;
}
String currentURL = request.getRequestURI();
// add by wangsk 过滤请求特殊字符,扫描跨站式漏洞
Map parameters = request.getParameterMap();
if (parameters != null && parameters.size() > 0) {
for (Iterator iter = parameters.keySet().iterator(); iter.hasNext();) {
String key = (String) iter.next();
String[] values = (String[]) parameters.get(key);
for (int i = 0; i < values.length; i++) {
values[i] = guolv(values[i]);
System.out.println(values[i]);
}
}
}
filterChain.doFilter(servletRequest, servletResponse);return;
}
public void init(FilterConfig filterConfig) throws ServletException {
}
public static String guolv(String a) {
a = a.replaceAll("%22", "");
a = a.replaceAll("%27", "");
a = a.replaceAll("%3E", "");
a = a.replaceAll("%3e", "");
a = a.replaceAll("%3C", "");
a = a.replaceAll("%3c", "");
a = a.replaceAll("<", "");
a = a.replaceAll(">", "");
a = a.replaceAll("\"", "");
a = a.replaceAll("'", "");
a = a.replaceAll("\\+", "");
a = a.replaceAll("\\(", "");
a = a.replaceAll("\\)", "");
a = a.replaceAll(" and ", "");
a = a.replaceAll(" or ", "");
a = a.replaceAll(" 1=1 ", "");
return a;
}
private String getRequestString(HttpServletRequest req) {
String requestPath = req.getServletPath().toString();
String queryString = req.getQueryString();
if (queryString != null)
return requestPath + "?" + queryString;
else
return requestPath;
}
public String guolv2(String a) {
if (StringUtils.isNotEmpty(a)) {
if (a.contains("%22") || a.contains("%3E") || a.contains("%3e")
|| a.contains("%3C") || a.contains("%3c")
|| a.contains("<") || a.contains(">") || a.contains("\"")
|| a.contains("'") || a.contains("+") ||
a.contains(" and ") || a.contains(" or ")
|| a.contains("1=1") || a.contains("(") || a.contains(")")) {
return "bingo";
}
}
return a;
}
public static ArrayList<String> readFromTextFile(String pathname) throws IOException{
ArrayList<String> strArray = new ArrayList<String>();
File filename = new File(pathname);
InputStreamReader reader = new InputStreamReader(new FileInputStream(filename));
BufferedReader br = new BufferedReader(reader);
String line = "";
line = br.readLine();
while(line != null) {
strArray.add(line);
line = br.readLine();
}
return strArray;
}
}
2. URL过滤器CookieHttpOnlyFilter.java
package cn.sh.steven.filter;
import javax.servlet.*;
import javax.servlet.http.Cookie;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import java.io.IOException;
/**
* 功能描述:
* <p>
* 1.Cookie 设置 httpOnly属性 Cookie
* 2.设置 httpOnly属性防止js读取cookie
* </p>
*
* @author steven
*/
public class CookieHttpOnlyFilter implements Filter {
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
throws IOException, ServletException {
if (!(request instanceof HttpServletRequest)) {
chain.doFilter(request, response);
return;
}
HttpServletRequest httpReq = (HttpServletRequest) request;
HttpServletResponse httpResp = (HttpServletResponse) response;
Cookie[] cookies = httpReq.getCookies();
if (cookies != null) {
Cookie cookie = cookies[0];
if (cookie != null) {
HttpSession session = httpReq.getSession();
if (session != null) {
String sessionId = session.getId();
// http设置
httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId + "; Path=/fis; HttpOnly");
httpResp.addHeader("x-frame-options","SAMEORIGIN");
// https设置
// httpResp.addHeader("Set-Cookie", "JSESSIONID=" + sessionId
// + "; Path=/admin;Secure; HttpOnly");
}
}
}
chain.doFilter(httpReq, httpResp);
}
public void destroy() {
}
public void init(FilterConfig filterConfig) throws ServletException {
}
}
2. URL过滤器web.xml
<filter>
<filter-name>XssSqlFilter</filter-name>
<filter-class>cn.sh.steven.filter.SessionFilter</filter-class>
</filter>
<filter-mapping>
<filter-name>XssSqlFilter</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>
<filter>
<filter-name> CookieHttpOnly</filter-name>
<filter-class>cn.sh.steven.filter.CookieHttpOnlyFilter</filter-class>
</filter>
<filter-mapping>
<filter-name> CookieHttpOnly</filter-name>
<url-pattern>/*</url-pattern>
</filter-mapping>