nginx解决sql注入的方案

最新推荐文章于 2024-01-11 08:48:39 发布

梦游的老李

最新推荐文章于 2024-01-11 08:48:39 发布

阅读量1.4k

点赞数

分类专栏：安全问题文章标签： nginx sql lua

本文链接：https://blog.csdn.net/a_apprentice/article/details/125861741

版权

安全问题专栏收录该内容

1 篇文章 0 订阅

订阅专栏

1.get请求好处理
2 .post请求由于需要拿到请求体，需要安装lua插件支持
当前方案：

get在server级别处理

post在lication级别处理

if ($query_string ~* ".*('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAIT
FOR|confirm|innerhtml|innertext|class).*")
        { return 403; }
        #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|exec|\*|%|\')(.*)$ ) { return 403; }
        if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; }
        if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; }
        if ($http_user_agent ~ "GetWeb!") { return 444; }
        if ($http_user_agent ~ "Go!Zilla") { return 444; }
        if ($http_user_agent ~ "Download Demon") { return 444; }
        if ($http_user_agent ~ "Indy Library") { return 444; }
        if ($http_user_agent ~ "libwww-perl") { return 444; }
        if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; }
        if ($http_user_agent ~ "Load Impact") { return 444; }
        if ($http_user_agent ~ "~17ce.com") { return 444; }
        if ($http_user_agent ~ "WebBench*") { return 444; }
        if ($http_referer ~* 17ce.com) { return 444; }
        if ($http_user_agent ~* qiyunce) { return 444; }
        if ($http_user_agent ~* YunGuanCe) { return 403; }
        if ($http_referer ~* WebBench*") { return 444; }
        if ($http_user_agent ~ "BLEXBot") { return 403; }
        if ($http_user_agent ~ "MJ12bot") { return 403; }
         if ($http_user_agent ~ "semalt.com") { return 403; }

		#自动防护
		if ($request_uri ~* .(htm|do)?(.*)$) {
           set $req $2;
        }
        if ($req ~* "(cost()|(concat()") {
                return 503;
        }
        if ($req ~* "union[+|(%20)]") {
                return 503;
        }
        if ($req ~* "and[+|(%20)]") {
                return 503;
        }
        if ($req ~* "select[+|(%20)]") {
                return 503;
        }
        #溢出过滤
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; }
		if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
		if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
		if ($query_string ~ "proc/self/environ") { return 403; }
		if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; }
		if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; }

		#文件注入禁止
		if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; }
		if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; }
		if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; }


        location / {


         lua_need_request_body on;
         access_by_lua_block {
                        local body = ngx.var.request_body
                        if ngx.var.request_method == "POST" and body ~= nil then
                        local regex = "(.*?((union)|(insert)|(drop)|(truncate)|(update)|(from)|(grant)|(exec)|(where)|(select)|(chr)|(mid)|(like)|(iframe)|(script)|(alert)|(websc
an)|(dbappsecurity)|(style)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}"
                        local m = ngx.re.match(body, regex)
                        if m then
                                ngx.say('{"code": 999,"msg": "非法参数","ok": false,"runningTime": "0ms"}') 
                                 end
                        end
                }


                proxy_http_version 1.1;
                proxy_set_header Connection "";

                proxy_next_upstream http_502 error timeout invalid_header;
                proxy_pass http://10.32.0.207/;
                proxy_set_header Host $host;

                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }