Shiro security framework extension tutorial: how to prevent intrusion via executable files [repost]

One of the earlier chapters of this tutorial explained how to break through an upload feature. Once someone gets past your defenses through an upload, you are in trouble. Anyone with a bit of hacking knowledge knows that many attacks look for an upload function first, because getting past it saves a great deal of effort: for example, the attacker uploads an asp, php or jsp file, captures the response to learn where the file was stored, and then simply requests that path; the executable file can then read database information, or list directories and download files in search of further vulnerabilities that yield higher privileges. Below I demonstrate a simple countermeasure: even if the upload is breached, there is a second wall that, to a degree, prevents the script from being executed.

What I did, in essence, was write a Shiro filter that inspects the request path; if it matches the blacklist, the request is logged and rejected. The code is below.

package com.silvery.security.shiro.filter;  

import java.text.SimpleDateFormat;  
import java.util.Date;  

import javax.servlet.ServletRequest;  
import javax.servlet.ServletResponse;  
import javax.servlet.http.HttpServletRequest;  

import org.apache.shiro.web.filter.authz.AuthorizationFilter;  
import org.slf4j.Logger;  
import org.slf4j.LoggerFactory;  

import com.silvery.utils.PatternUtils;  
import com.silvery.utils.WebUtils;  

/**
 * Blacklist filter for requests to executable files: any request URI that
 * matches one of the patterns below is logged and rejected.
 *
 * @author shadow
 */
public class SimpleExecutiveFilter extends AuthorizationFilter {

    // Extensions that must never be served; each pattern is matched
    // against the whole lower-cased request URI, so a trailing "*"
    // also catches ".jsp;jsessionid=..." and similar suffixes.
    protected static final String[] blackUrlPathPattern = new String[] { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
            "*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
            "*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };

    private static final Logger log = LoggerFactory.getLogger(SimpleExecutiveFilter.class);

    @Override
    protected boolean isAccessAllowed(ServletRequest request, ServletResponse response, Object obj) throws Exception {

        HttpServletRequest httpRequest = (HttpServletRequest) request;

        // Normalise case so "Shell.PHP" is treated the same as "shell.php"
        String reqUrl = httpRequest.getRequestURI().toLowerCase().trim();

        for (String pattern : blackUrlPathPattern) {
            if (PatternUtils.simpleMatch(pattern, reqUrl)) {
                // Record time, client IP and the offending URI, then deny access;
                // AuthorizationFilter will redirect to the configured unauthorizedUrl
                log.error(new StringBuffer().append("unsafe request >>> ").append(" request time: ").append(
                        new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date())).append("; request ip: ")
                        .append(WebUtils.getClientIP()).append("; request url: ").append(httpRequest.getRequestURI())
                        .toString());
                return false;
            }
        }

        return true;

    }

}

Next, register the filter we just wrote in Shiro's filter chain.

<!-- Filter chain configuration -->
<bean id="shiroFilter" class="org.apache.shiro.spring.web.ShiroFilterFactoryBean">
    <property name="securityManager" ref="securityManager" />
    <property name="loginUrl" value="/" />
    <property name="successUrl" value="/cms/index.do" />
    <property name="unauthorizedUrl" value="/static/unauthorized.html" />
    <property name="filters">
        <map>
            <entry key="role">
                <bean class="com.silvery.security.shiro.filter.SimpleRoleAuthorizationFilter" />
            </entry>
            <entry key="authc">
                <bean class="com.silvery.security.shiro.filter.SimpleFormAuthenticationFilter" />
            </entry>
            <entry key="exec">
                <bean class="com.silvery.security.shiro.filter.SimpleExecutiveFilter" />
            </entry>
        </map>
    </property>
</bean>

Finally, configure the request paths to filter. Normally everything is filtered, but some static resources should not be, so pay attention to the order: put the anon entries before the exec one.

<!-- Protected resource configuration -->
<bean id="filterChainDefinitionsService"
    class="com.silvery.security.shiro.service.impl.SimpleFilterChainDefinitionsService">
    <property name="definitions">
        <value>
            /static/** = anon
            /** = exec
        </value>
    </property>
</bean>
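To see exactly what the filter above accepts and rejects, and why the anon entry has to come before exec, here is a stand-alone re-creation of its decision logic combined with the chain definitions just shown. It is an added example, not code from the post or the silvery project: the post's PatternUtils.simpleMatch is not shown, so it is assumed here to behave like Spring's PatternMatchUtils.simpleMatch (a "*" at the start, the end, or both, or one in the middle), and Shiro's Ant-style chain matching is reduced to the "prefix/**" form the two definitions actually use. The sample URIs are constructed.

```java
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

public class ExecFilterDemo {

    // Same blacklist as SimpleExecutiveFilter, in the same order
    static final String[] BLACKLIST = { "*.aspx*", "*.asp*", "*.php*", "*.exe*",
            "*.jsp*", "*.pl*", "*.py*", "*.groovy*", "*.sh*", "*.rb*", "*.dll*", "*.bat*", "*.bin*", "*.dat*",
            "*.bas*", "*.c*", "*.cmd*", "*.com*", "*.cpp*", "*.jar*", "*.class*", "*.lnk*" };

    // Assumed semantics of PatternUtils.simpleMatch: "xxx*", "*xxx", "*xxx*" and "xxx*yyy"
    static boolean simpleMatch(String pattern, String str) {
        if (pattern == null || str == null) return false;
        int firstIndex = pattern.indexOf('*');
        if (firstIndex == -1) return pattern.equals(str);
        if (firstIndex == 0) {
            if (pattern.length() == 1) return true;                 // "*" matches anything
            int nextIndex = pattern.indexOf('*', 1);
            if (nextIndex == -1) return str.endsWith(pattern.substring(1));   // "*xxx"
            String part = pattern.substring(1, nextIndex);
            if (part.isEmpty()) return simpleMatch(pattern.substring(nextIndex), str);
            int partIndex = str.indexOf(part);
            while (partIndex != -1) {                               // "*xxx*": try every occurrence
                if (simpleMatch(pattern.substring(nextIndex), str.substring(partIndex + part.length()))) return true;
                partIndex = str.indexOf(part, partIndex + 1);
            }
            return false;
        }
        return str.length() >= firstIndex                            // "xxx*yyy": fixed prefix first
                && pattern.substring(0, firstIndex).equals(str.substring(0, firstIndex))
                && simpleMatch(pattern.substring(firstIndex), str.substring(firstIndex));
    }

    // Mirrors isAccessAllowed: returns the pattern that rejected the request, or null if it passes
    static String blockedBy(String requestUri) {
        String reqUrl = requestUri.toLowerCase(Locale.ROOT).trim();
        for (String pattern : BLACKLIST) {
            if (simpleMatch(pattern, reqUrl)) return pattern;
        }
        return null;
    }

    // Chain definitions in the post's order; Shiro applies the first definition that matches
    static final Map<String, String> CHAIN = new LinkedHashMap<>();
    static {
        CHAIN.put("/static/**", "anon");
        CHAIN.put("/**", "exec");
    }

    // Simplified Ant matching, enough for the two "prefix/**" definitions above
    static String chainFor(String uri) {
        for (Map.Entry<String, String> e : CHAIN.entrySet()) {
            String p = e.getKey();
            String prefix = p.endsWith("/**") ? p.substring(0, p.length() - 2) : p;
            if (uri.startsWith(prefix)) return e.getValue();
        }
        return "none";
    }

    static String decide(String uri) {
        if (!"exec".equals(chainFor(uri))) return "allowed (anon chain, exec filter not applied)";
        String hit = blockedBy(uri);
        return hit == null ? "allowed" : "blocked -> unauthorizedUrl (matched " + hit + ")";
    }

    public static void main(String[] args) {
        String[] samples = {                       // constructed request URIs
            "/upload/2018/shell.php",              // blocked by "*.php*"
            "/upload/2018/cmd.jsp;jsessionid=abc", // trailing "*" still catches the jsp
            "/upload/2018/Photo.JPG",              // harmless upload, allowed
            "/cms/index.do",                       // the successUrl, allowed
            "/export/report.csv",                  // legitimate download, yet matched by "*.c*"
            "/static/css/app.css"                  // would match "*.c*" too; anon comes first
        };
        for (String s : samples) System.out.printf("%-40s %s%n", s, decide(s));
    }
}
```

The last two sample lines are the ones worth checking when you adopt this filter: broad entries such as "*.c*", "*.com*" or "*.dat*" match any URI containing that fragment, so a ".csv" export is rejected alongside ".cmd" and ".cpp", and the stylesheet only survives because the "/static/** = anon" definition is listed before "/** = exec".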

Finally, requesting a php, jsp or similar file now returns the unauthorized page, so our simple defense has achieved its purpose. The next chapter may cover how to defend against XSS and CSRF attacks.


Reposted from blog.csdn.net/chengyunyi123/article/details/79048548