公司有一个 PHP 系统，由于该系统是购买的，并且没人懂 PHP，无法通过修改代码来过滤 SQL 注入问题。
代码如下:
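/// <summary>
/// Minimal YARP reverse proxy placed in front of a legacy PHP application whose source
/// cannot be changed. Requests whose query-string or form values match a small keyword
/// block-list are rejected before they reach the backend.
/// </summary>
/// <remarks>
/// This is a keyword block-list, not a parser. Only the query string and form-encoded
/// POST bodies are inspected; route segments, headers, cookies and JSON/XML bodies are
/// forwarded untouched, and ordinary text containing words such as "create" or "select"
/// is rejected. Treat it as a stop-gap in front of code that cannot be fixed, not as a
/// substitute for parameterized queries in the application itself.
/// </remarks>
public class Program
{
    // Fail closed rather than stall the pipeline if a pattern takes unreasonably long.
    private static readonly TimeSpan RegexTimeout = TimeSpan.FromMilliseconds(200);

    // Markers seen in JNDI / Java-deserialization payloads plus a malformed multibyte
    // escape sequence. Same pattern as the original regStr1.
    private static readonly Regex PayloadMarkers = new(
        "ldap:|rmi:|JDBC4Connection|trax\\.TemplatesImpl|%bf%27",
        RegexOptions.IgnoreCase | RegexOptions.Compiled,
        RegexTimeout);

    // SQL keywords matched as whole words. Same pattern as the original regStr2.
    private static readonly Regex SqlKeywords = new(
        "\\b(select|update|delete|insert|drop|create|call|alter|execute|exec|grant|truncate|master|load_file|outfile)\\b",
        RegexOptions.IgnoreCase | RegexOptions.Compiled,
        RegexTimeout);

    /// <summary>
    /// Builds the proxy, registers the filter ahead of the forwarder and runs the host.
    /// </summary>
    /// <param name="args">Command-line arguments passed to the host builder.</param>
    public static void Main(string[] args)
    {
        var builder = WebApplication.CreateBuilder(args);
        builder.Services.AddReverseProxy()
            .LoadFromConfig(builder.Configuration.GetSection("ReverseProxy"));

        var app = builder.Build();
        // The filter must precede MapReverseProxy so a rejected request is never forwarded.
        app.Use(SQLFirewall);
        app.MapReverseProxy();
        app.Run();
    }

    /// <summary>
    /// Middleware that short-circuits the pipeline with an empty 401 response when any
    /// query-string or form value matches a block-list pattern; otherwise calls
    /// <paramref name="next"/>.
    /// </summary>
    /// <param name="context">The current request context.</param>
    /// <param name="next">The next middleware (here the YARP forwarder).</param>
    public static async Task SQLFirewall(HttpContext context, Func<Task> next)
    {
        var request = context.Request;

        foreach (var item in request.Query)
        {
            // StringValues.ToString() yields "" for an empty value ("?a"), whereas the
            // implicit string conversion yields null, which Regex.IsMatch rejects.
            if (ContainsSuspiciousPattern(item.Value.ToString()))
            {
                Reject(context);
                return;
            }
        }

        // Request.Form throws for non-form content types, and its synchronous getter is
        // disallowed by Kestrel by default; check the content type and read asynchronously.
        if (HttpMethods.IsPost(request.Method) && request.HasFormContentType)
        {
            // Buffer so the body can be rewound and forwarded after the form parser consumes it.
            request.EnableBuffering();
            var form = await request.ReadFormAsync(context.RequestAborted);

            foreach (var item in form)
            {
                if (ContainsSuspiciousPattern(item.Value.ToString()))
                {
                    Reject(context);
                    return;
                }
            }

            // Make sure the forwarder sees the body from the start.
            if (request.Body.CanSeek)
            {
                request.Body.Position = 0;
            }
        }

        await next.Invoke();
    }

    /// <summary>
    /// Returns <c>true</c> when <paramref name="value"/> matches either block-list pattern.
    /// A regex timeout is also reported as a match so the request is refused rather than
    /// let through unchecked.
    /// </summary>
    /// <param name="value">A single query-string or form value; null or empty never matches.</param>
    public static bool ContainsSuspiciousPattern(string value)
    {
        if (string.IsNullOrEmpty(value))
        {
            return false;
        }

        try
        {
            return PayloadMarkers.IsMatch(value) || SqlKeywords.IsMatch(value);
        }
        catch (RegexMatchTimeoutException)
        {
            return true;
        }
    }

    // Original behaviour kept: an empty 401 response with no body. 403 Forbidden would
    // describe the rejection more accurately (401 implies a credential problem); changing
    // it is a client-visible change and is left to the operator.
    private static void Reject(HttpContext context)
        => context.Response.StatusCode = StatusCodes.Status401Unauthorized;
}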
配置文件如下:
{ "Logging": { "LogLevel": { "Default": "Information", "Microsoft.AspNetCore": "Warning" } }, "AllowedHosts": "*", "ReverseProxy": { "Routes": { "route1": { "ClusterId": "cluster1", "Match": { "Path": "{**catch-all}" } } }, "Clusters": { "cluster1": { "Destinations": { "destination1": { "Address": "https://www.baidu.com" } } } } } }