nginx 访问日志中发现了一些 SQL 注入的痕迹，写个拦截器过滤一下。
-
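/**
 * Interceptor that rejects requests whose query/form parameters contain
 * SQL-looking tokens, written after SQL injection probes showed up in the
 * nginx access log.
 *
 * <p>This is a coarse, substring-based denylist. It is a logging/blocking
 * heuristic for obvious probes, not a substitute for parameterized queries
 * ({@code PreparedStatement}) in the data layer. Several tokens ("use",
 * "order", "count", "from", "/", "+", "*") are substrings of ordinary words,
 * so expect false positives on free-text fields. Only request parameters are
 * inspected; path segments, headers, cookies and JSON bodies are not.
 */
public class SqlInjectIntercepter extends HandlerInterceptorAdapter {

    private static final Logger log = Logger.getLogger(SqlInjectIntercepter.class);

    // Gson instances are thread-safe; one shared instance avoids rebuilding it per rejection.
    private static final Gson GSON = new Gson();

    /**
     * Lower-case tokens that cause a request to be rejected when found anywhere
     * inside a parameter value. Order only decides which token is reported in the
     * log (first match wins); duplicates from the original list were removed.
     * Extend by hand as needed.
     */
    private static final String[] BAD_TOKENS = {
        "'", "exec", "execute", "insert", "select", "delete", "update", "count",
        "drop", "*", "master", "truncate", "declare", "sitename", "net user",
        "xp_cmdshell", ";", "+", "like'", "create", "table", "from", "grant",
        "use", "group_concat", "column_name", "information_schema.columns",
        "table_schema", "union", "where", "order", "like", "//", "/", "#"
    };

    /**
     * Scans every value of every request parameter; on the first hit logs the
     * request, writes a uniform JSON failure body and stops the handler chain.
     *
     * @return {@code true} to continue to the handler, {@code false} when the
     *         request was rejected and the response has already been written
     * @throws Exception propagated from the servlet API (e.g. response writer I/O)
     */
    @Override
    public boolean preHandle(HttpServletRequest request, HttpServletResponse response, Object handler) throws Exception {
        Enumeration<String> names = request.getParameterNames();
        while (names.hasMoreElements()) {
            String name = names.nextElement();
            // getParameter() returns only the first value of a repeated parameter;
            // check all values so ?q=ok&q=... cannot slip past the filter.
            String[] values = request.getParameterValues(name);
            if (values == null) {
                continue;
            }
            for (String value : values) {
                String hit = findBadToken(value);
                if (hit != null) {
                    // warn rather than info: a blocked request is an event an operator should see.
                    log.warn("URL-SQLInject-api:{" + describeRequest(request) + "}---" + hit
                            + " (param=" + sanitizeForLog(name) + ")");
                    reject(response);
                    return false;
                }
            }
        }
        return true;
    }

    /**
     * Returns the first denylisted token contained in {@code value}, or
     * {@code null} when the value is absent, empty or clean.
     */
    private static String findBadToken(String value) {
        if (value == null || value.isEmpty()) {
            return null;
        }
        // Locale.ROOT: with a Turkish default locale "INSERT".toLowerCase()
        // yields a dotless i and would no longer contain "insert".
        String lower = value.toLowerCase(java.util.Locale.ROOT);
        for (String token : BAD_TOKENS) {
            if (lower.contains(token)) {
                return token;
            }
        }
        return null;
    }

    /**
     * Writes the uniform failure body. The HTTP status is intentionally left at
     * the container default (200) as in the original; NOTE(review): a 403 would
     * make blocked requests visible in access logs — change only after checking
     * clients that key off {@code RC_FAIL} in the body.
     */
    private static void reject(HttpServletResponse response) throws java.io.IOException {
        response.setContentType("application/json; charset=UTF-8");
        UnifiedResponse res = new UnifiedResponse();
        res.setStatus(UnifiedResponseCode.RC_FAIL);
        res.setMessage("You are a bad boy!");
        response.getWriter().print(GSON.toJson(res));
        response.getWriter().flush();
    }

    /** Request URL plus query string (if any) for the log line, with line breaks removed. */
    private static String describeRequest(HttpServletRequest request) {
        String url = String.valueOf(request.getRequestURL());
        String query = request.getQueryString();
        // getQueryString() is null when there is no query; the original printed "null".
        return sanitizeForLog(query == null ? url : url + "?" + query);
    }

    /** Removes CR/LF so attacker-controlled text cannot forge extra log lines. */
    private static String sanitizeForLog(String s) {
        return s == null ? "" : s.replace('\r', ' ').replace('\n', ' ');
    }

}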