shiro安全框架扩展教程--如何防止可执行文件的入侵攻击

前面的教程有一章是讲解如何突破上传的,当被人通过上传功能突破的防线那就杯具了,有点hack知识的人都知道,很多攻击都是优先寻找上传的功能,因为能突破

就会剩下很多的功夫,比如hack上传了一个asp,php或者jsp文件,然后通过抓包路径获取了文件存放地址,然后直接请求就能通过这个可执行的文件获取到数据库的信息,

或者是遍历目录下载文件,寻找文件中的其他漏洞以获得更高的权限,下面我就演示下简单的防范手段,就算被突破了上传也会有下一堵墙在一定程度上防止执行脚本

我主要是使用shiro写了一个filter过滤需要请求信息,如遇到黑名单则记录信息,看下面贴的代码

package com.silvery.security.shiro.filter;

import java.text.SimpleDateFormat;
import java.util.Date;

import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

import org.apache.shiro.web.filter.authz.AuthorizationFilter;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

import com.silvery.utils.PatternUtils;
import com.silvery.utils.WebUtils;

/**
 * 
 * 黑名单可执行程序请求过滤器
 * 
 * @author shadow
 * 
 */
public class SimpleExecutiveFilter extends AuthorizationFilter {

	protected static final String[] blackUrlPathPattern = new String[] { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
			"*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
			"*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };

	private static final Logger log = LoggerFactory.getLogger(SimpleExecutiveFilter.class);

	@Override
	protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception {

		HttpServletRequest httpRequest = (HttpServletRequest) request;

		String reqUrl = httpRequest.getRequestURI().toLowerCase().trim();

		for (String pattern : blackUrlPathPattern) {
			if (PatternUtils.simpleMatch(pattern, reqUrl)) {
				log.error(new StringBuffer().append("unsafe request >>> ").append(" request time: ").append(
						new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date())).append("; request ip: ")
						.append(WebUtils.getClientIP()).append("; request url: ").append(httpRequest.getRequestURI())
						.toString());
				return false;
			}
		}

		return true;

	}

}

下一步把刚刚写的过滤器配置到shiro的过滤链中

<!-- 过滤链配置 -->
	<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
		<property name="securityManager" ref="securityManager" />
		<property name="loginUrl" value="/" />
		<property name="successUrl" value="/cms/index.do" />
		<property name="unauthorizedUrl" value="/static/unauthorized.html" />
		<property name="filters">
			<map>
				<entry key="role">
					<bean
						class="com.silvery.security.shiro.filter.SimpleRoleAuthorizationFilter" />
				</entry>
				<entry key="authc">
					<bean
						class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" />
				</entry>
				<entry key="exec">
					<bean class="com.silvery.security.shiro.filter.SimpleExecutiveFilter" />
				</entry>
			</map>
		</property>
	</bean>

最后配置下我们需要过滤的请求目录,一般都是全量过滤,但是有些静态资源是不应该过滤的,所以应该注意顺序,让anon权限的放到放到exec的前面

<!-- 权限资源配置 -->
	<bean id="filterChainDefinitionsService"
		class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService">
		<property name="definitions">
			<value>
				/static/** = anon
				/** = exec
			</value>
		</property>
	</bean>

最后请求下php,jsp等那些文件是返回到无权限的页面,我们的简单防范已经达到目的了,下一章节可能讲如何防范xss和csrf攻击的防范

shiro安全框架扩展教程--如何防止可执行文件的入侵攻击

猜你喜欢