【填坑、解决方案】Apache Shiro历史高危反序列化漏洞预警 (shiro-550、shiro-721)

华为这个【Apache Shiro历史高危反序列化漏洞预警 (shiro-550、shiro-721)】漏洞预警,网上两类方案,无非是:①改代码改默认shiro密码(几十个版本测下来,改不了^o^ 哈哈哈,生无可恋... 一度以为成功了,实际上是爆破工具目标地址,不认ip开头,空欢喜,哈哈);②cookie拦截,去掉rememberMe,这个对于“非技术人”来说,解释不清...  佛系...

 

于是,换一个思路,在nginx上做文章,对请求方式限制,亲测有效,完美,哈哈哈~~

 location = /[你的路径] {
      #关键就是这段
        if ($request_method !~* POST) {
            return 403;
        }

        add_header Access-Control-Allow-Origin $cors_orixxx always;
        
        add_header Set-Cookie "HttpOnly" always;
        add_header Access-Control-Allow-Methods 'POST' always;
        add_header Access-Control-Allow-Credentials 'true' always;
        add_header Access-Control-Allow-Headers 'Accept, Authorization,Keep-Alive,User-Agent,Cache-Control,Content-Type,jwtToken' always;
        proxy_pass http://ip:port/[你的路径];   #这里有坑,ip没走网关,不需要前缀  /xxxx
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-Port $remote_port;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect default;

}

成本最低的方式,成功!

哈哈!

posted @ 2023-09-15 17:10  大姚^o^  阅读(139)  评论(0编辑  收藏  举报