toolgood

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

公司有一php系统,由于该系统是购买的,并且没人懂php,无法通过修改代码过滤sql注入问题

 

代码如下:

    public class Program
    {
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);
            builder.Services.AddReverseProxy()
                .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"))
                ;

            var app = builder.Build();

            app.Use(SQLFirewall);

            app.MapReverseProxy();
            app.Run();
        }

        public static async Task SQLFirewall(HttpContext context, Func<Task> next)
        {
            const string regStr1 = "ldap:|rmi:|JDBC4Connection|trax\\.TemplatesImpl|%bf%27";
            const string regStr2 = "\\b(select|update|delete|insert|drop|create|call|alter|execute|exec|grant|truncate|master|load_file|outfile)\\b";
            context.Request.EnableBuffering();

            foreach (var item in context.Request.Query) {
                if (Regex.IsMatch(item.Value, regStr1, RegexOptions.IgnoreCase)) { context.Response.StatusCode = 401; return; }
                if (Regex.IsMatch(item.Value, regStr2, RegexOptions.IgnoreCase)) { context.Response.StatusCode = 401; return; }
            }
            if (context.Request.Method == "POST" && context.Request.Form != null) {
                foreach (var item in context.Request.Form) {
                    if (Regex.IsMatch(item.Value, regStr1, RegexOptions.IgnoreCase)) { context.Response.StatusCode = 401; return; }
                    if (Regex.IsMatch(item.Value, regStr2, RegexOptions.IgnoreCase)) { context.Response.StatusCode = 401; return; }
                }
            }
            await next.Invoke();
        }

    }

配置文件如下:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ReverseProxy": {
    "Routes": {
      "route1": {
        "ClusterId": "cluster1",
        "Match": {
          "Path": "{**catch-all}"
        }
      }
    },
    "Clusters": {
      "cluster1": {
        "Destinations": {
          "destination1": {
            "Address": "https://www.baidu.com"
          }
        }
      }
    }
  }
}

 

posted on 2024-06-18 15:53  ToolGood  阅读(26)  评论(0编辑  收藏  举报