An earlier chapter of this tutorial explained how upload functions get broken through. Once an attacker gets past your defences through an upload feature it is a disaster, and anyone with a bit of hacking knowledge knows that many attacks look for upload functionality first, because breaking through there saves a lot of work: for example, the attacker uploads an asp, php or jsp file, captures the request to learn where the file was stored, then requests it directly and, through that executable file, reads database information, or walks directories and downloads files, looking in them for other vulnerabilities that yield higher privileges. Below I demonstrate a simple countermeasure: even if the upload is breached, there is a second wall that, to a certain extent, prevents the script from being executed.
What I did was write a shiro filter that inspects the request and, when the request hits a blacklist, logs it and denies access. The code is below.
package com.silvery.security.shiro.filter;

import java.text.SimpleDateFormat;
import java.util.Date;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.silvery.utils.PatternUtils;
import com.silvery.utils.WebUtils;

/**
 * Blacklist filter for requests to executable file types.
 *
 * @author shadow
 */
public class SimpleExecutiveFilter extends AuthorizationFilter {

    /** Wildcard patterns that must never be served; matched against the lower-cased request URI. */
    protected static final String[] blackUrlPathPattern = new String[] { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
            "*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
            "*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };

    private static final Logger log = LoggerFactory.getLogger(SimpleExecutiveFilter.class);

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj)
            throws Exception {
        HttpServletRequest httpRequest = (HttpServletRequest) request;
        String reqUrl = httpRequest.getRequestURI().toLowerCase().trim();
        for (String pattern : blackUrlPathPattern) {
            if (PatternUtils.simpleMatch(pattern, reqUrl)) {
                // Blacklist hit: record time, client IP and URI, then deny access
                // (Shiro sends the client to unauthorizedUrl).
                log.error(new StringBuilder().append("unsafe request >>> ").append(" request time: ")
                        .append(new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date()))
                        .append("; request ip: ").append(WebUtils.getClientIP())
                        .append("; request url: ").append(httpRequest.getRequestURI()).toString());
                return false;
            }
        }
        return true;
    }
}
Next, register the filter we just wrote in shiro's filter chain:
<!-- filter chain configuration -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/" />
    <property name="successUrl" value="/cms/index.do" />
    <property name="unauthorizedUrl" value="/static/unauthorized.html" />
    <property name="filters">
        <map>
            <entry key="role">
                <bean class="com.silvery.security.shiro.filter.SimpleRoleAuthorizationFilter" />
            </entry>
            <entry key="authc">
                <bean class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" />
            </entry>
            <entry key="exec">
                <bean class="com.silvery.security.shiro.filter.SimpleExecutiveFilter" />
            </entry>
        </map>
    </property>
</bean>
Finally, configure the request paths that need filtering. Normally everything is filtered, but some static resources should not be, so the order matters: the anon rule must come before the exec rule.
<!-- permission and resource configuration -->
<bean id="filterChainDefinitionsService"
      class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService">
    <property name="definitions">
        <value>
            /static/** = anon
            /** = exec
        </value>
    </property>
</bean>
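As an added example (not the author's code, and not the page's PatternUtils class), the following stand-alone Java class replays the filter's blacklist check outside Shiro so it can be exercised against sample URIs. It assumes simpleMatch has plain '*' glob semantics, and as a hardening it percent-decodes the URI before matching, since getRequestURI() returns the path exactly as the client sent it. The constructed /static/style.css sample shows that the *.c* pattern also catches stylesheets, which is why the anon rule for /static/** has to sit in front of exec.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;

/** Hypothetical stand-alone version of the filter's blacklist check (not the author's PatternUtils). */
public final class ExecutableUriCheck {

    /** Same blacklist as SimpleExecutiveFilter above. */
    static final String[] BLACKLIST = { "*.aspx*", "*.asp*", "*.php*", "*.exe*", "*.jsp*", "*.pl*",
            "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*", "*.bas*",
            "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };

    /** Assumed simpleMatch semantics: '*' matches any run of characters, everything else is literal. */
    static Pattern glob(String pattern) {
        String[] parts = pattern.split("\\*", -1);
        StringBuilder regex = new StringBuilder("^");
        for (int i = 0; i < parts.length; i++) {
            if (i > 0) regex.append(".*");
            regex.append(Pattern.quote(parts[i]));
        }
        return Pattern.compile(regex.append('$').toString());
    }

    /**
     * Returns the blacklist pattern that blocks the URI, or null when it is allowed.
     * The URI is percent-decoded first; a malformed encoding is treated as blocked
     * (fail closed) instead of being let through unmatched.
     */
    static String blockedBy(String requestUri) {
        String uri;
        try {
            uri = URLDecoder.decode(requestUri, StandardCharsets.UTF_8).toLowerCase().trim(); // Java 10+
        } catch (IllegalArgumentException malformed) {
            return "malformed percent-encoding";
        }
        for (String pattern : BLACKLIST) {
            if (glob(pattern).matcher(uri).matches()) return pattern;
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample URIs: an uploaded script, a stylesheet, and a normal CMS page.
        String[] samples = { "/upload/avatar.php", "/static/style.css", "/cms/index.do" };
        for (String s : samples) {
            String hit = blockedBy(s);
            System.out.println(s + " -> " + (hit == null ? "allowed" : "blocked by " + hit));
        }
    }
}
```

Running it prints the php upload as blocked by *.php*, the stylesheet as blocked by *.c* (which the anon rule above avoids for /static/**), and the .do page as allowed.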
Finally, requesting php, jsp and similar files now lands on the unauthorized page, so our simple defence has achieved its purpose. The next chapter may cover how to defend against XSS and CSRF attacks.
Copyright notice: this is an original article by the blogger; do not reproduce it without the blogger's permission.