
公司有一个 PHP 系统，由于该系统是购买的，并且没人懂 PHP，无法通过修改代码来过滤 SQL 注入问题。

 

代码如下:

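    /// <summary>
    /// Reverse-proxy (YARP) host that places a request-filtering middleware in front of a
    /// backend whose source cannot be modified. The filter is a regex block-list over query
    /// and form values: a compensating control only, not a replacement for parameterized
    /// queries in the backend, and it will reject some legitimate input (see the keyword list).
    /// </summary>
    public class Program
    {
        /// <summary>
        /// Upper bound on a single regex evaluation over request data. The input is
        /// attacker-controlled, so matching must never be allowed to run unbounded.
        /// </summary>
        private static readonly TimeSpan MatchTimeout = TimeSpan.FromMilliseconds(100);

        // Pattern 1: literal markers of known exploit payloads (same pattern as the original regStr1).
        private static readonly Regex PayloadPattern = new(
            "ldap:|rmi:|JDBC4Connection|trax\\.TemplatesImpl|%bf%27",
            RegexOptions.IgnoreCase | RegexOptions.Compiled,
            MatchTimeout);

        // Pattern 2: SQL keywords as whole words (same pattern as the original regStr2).
        // Several are ordinary English words ("select", "update", "create", "call", "master"),
        // so expect false positives on free-text fields; review the list against real traffic.
        private static readonly Regex SqlKeywordPattern = new(
            "\\b(select|update|delete|insert|drop|create|call|alter|execute|exec|grant|truncate|master|load_file|outfile)\\b",
            RegexOptions.IgnoreCase | RegexOptions.Compiled,
            MatchTimeout);

        // Status sent to a blocked request. Kept at 401 for compatibility with the original;
        // 403 (Forbidden) is the semantically correct code, because credentials would not
        // change the outcome and a 401 is expected to carry a WWW-Authenticate header.
        private const int BlockedStatusCode = 401;

        /// <summary>Builds the host, registers the filter ahead of the proxy, and runs it.</summary>
        /// <param name="args">Command-line arguments passed to the host builder.</param>
        public static void Main(string[] args)
        {
            var builder = WebApplication.CreateBuilder(args);
            builder.Services
                .AddReverseProxy()
                .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

            var app = builder.Build();

            // Must be registered before MapReverseProxy so blocked requests never reach the backend.
            app.Use(SQLFirewall);

            app.MapReverseProxy();
            app.Run();
        }

        /// <summary>
        /// Middleware that short-circuits a request with <see cref="BlockedStatusCode"/> when any
        /// query-string value, or any field of a form-encoded POST body, matches one of the
        /// block patterns. Headers, cookies, the path and non-form bodies (e.g. JSON) are not inspected.
        /// </summary>
        /// <param name="context">The current request context.</param>
        /// <param name="next">Continues the pipeline (here: the reverse proxy).</param>
        public static async Task SQLFirewall(HttpContext context, Func<Task> next)
        {
            // The form parser consumes the body; buffering lets it be rewound for the proxy.
            context.Request.EnableBuffering();

            foreach (var item in context.Request.Query)
            {
                // StringValues -> string joins multiple values with ',' (as in the original).
                if (IsSuspicious(item.Value))
                {
                    context.Response.StatusCode = BlockedStatusCode;
                    return;
                }
            }

            // Request.Form throws InvalidOperationException for non-form content types (a JSON
            // POST would turn into a 500) and reads the body synchronously, which Kestrel
            // disallows by default; gate on HasFormContentType and use the async reader instead.
            if (HttpMethods.IsPost(context.Request.Method) && context.Request.HasFormContentType)
            {
                var form = await context.Request.ReadFormAsync(context.RequestAborted);

                // Rewind so the proxy forwards the complete body rather than an already-consumed stream.
                if (context.Request.Body.CanSeek)
                {
                    context.Request.Body.Position = 0;
                }

                foreach (var item in form)
                {
                    if (IsSuspicious(item.Value))
                    {
                        context.Response.StatusCode = BlockedStatusCode;
                        return;
                    }
                }
            }

            await next.Invoke();
        }

        /// <summary>
        /// Returns <c>true</c> when <paramref name="value"/> matches either block pattern.
        /// A regex timeout is treated as a match (fail closed) rather than letting the request through.
        /// </summary>
        /// <param name="value">A single query or form value; null or empty never matches.</param>
        private static bool IsSuspicious(string? value)
        {
            if (string.IsNullOrEmpty(value))
            {
                return false;
            }

            try
            {
                return PayloadPattern.IsMatch(value) || SqlKeywordPattern.IsMatch(value);
            }
            catch (RegexMatchTimeoutException)
            {
                return true;
            }
        }
    }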

配置文件如下:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "ReverseProxy": {
    "Routes": {
      "route1": {
        "ClusterId": "cluster1",
        "Match": {
          "Path": "{**catch-all}"
        }
      }
    },
    "Clusters": {
      "cluster1": {
        "Destinations": {
          "destination1": {
            "Address": "https://www.baidu.com"
          }
        }
      }
    }
  }
}

 
