标签:xxx java String contains xx 漏洞 host replaceAll import
import java.io.IOException;
import java.util.Iterator;
import java.util.Map;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.commons.lang.StringUtils;
/**
* 进入拦截器(所有请求都会进入)
*/
public class SessionFilter implements Filter {
public void destroy() {
}
public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse, FilterChain filterChain)
throws IOException, ServletException
{
HttpServletRequest request = (HttpServletRequest)servletRequest;
HttpServletResponse response = (HttpServletResponse)servletResponse;
String requestStr = getRequestString(request);
System.out.println("requestStr: ======================== " + requestStr);
// 请求地址
System.out.println("完整的地址是===="+request.getRequestURL().toString());
//请求方法
System.out.println("提交的方式是========"+request.getMethod());
if("bingo".equals(guolv2(requestStr))||"bingo".equals(guolv2(request.getRequestURL().toString()))){
System.out.println("======访问地址发现非法字符,已拦截======");
response.sendRedirect(request.getContextPath() + "/login.jsp");
return;
}
//主机ip和端口 或 域名和端口
String myhosts = request.getHeader("host");
if(!StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx") && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx")
&& !StringUtils.equals(myhosts, "xx.xx.xxx.xxx:xxxx")&&!StringUtils.equals(myhosts, "xx.xx.xxx.xxx")
&& !StringUtils.equals(myhosts, "xx.xx.xxx.xxx") && !StringUtils.equals(myhosts, "xx.xx.xxx.xxx") ){
System.out.println("======访问host非法,已拦截======");
response.sendRedirect(request.getContextPath() + "/login.jsp");
return;
}
String currentURL = request.getRequestURI();
//过滤请求特殊字符,扫描跨站式漏洞
Map parameters = request.getParameterMap(); //获取所有请求参数
if (parameters != null && parameters.size() > 0) {
for (Iterator iter = parameters.keySet().iterator(); iter.hasNext();) {
String key = (String) iter.next();
String[] values = (String[]) parameters.get(key);
for (int i = 0; i < values.length; i++) {
values[i]=guolv(values[i]); //对参数关键字进行替换
System.out.println(values[i]);
}
}
}
// 初始化
public void init(FilterConfig filterConfig) throws ServletException {
}
// 对所有关键字替换为空(特别是文本域)
public static String guolv(String a) {
a = a.replaceAll("%22", "");
a = a.replaceAll("%27", "");
a = a.replaceAll("%3E", "");
a = a.replaceAll("%3e", "");
a = a.replaceAll("%3C", "");
a = a.replaceAll("%3c", "");
a = a.replaceAll("<", "");
a = a.replaceAll(">", "");
a = a.replaceAll("\"", "");
a = a.replaceAll("'", "");
a = a.replaceAll("\\+", "");
a = a.replaceAll("\\(", "");
a = a.replaceAll("\\)", "");
a = a.replaceAll(" and ", "");
a = a.replaceAll(" or ", "");
a = a.replaceAll(" 1=1 ", "");
return a;
}
private String getRequestString(HttpServletRequest req) {
String requestPath = req.getServletPath().toString();
String queryString = req.getQueryString();
if (queryString != null)
return requestPath + "?" + queryString;
else
return requestPath;
}
// 对所有关键字替换为空(防止sql注入)
public String guolv2(String a) {
if (StringUtils.isNotEmpty(a)) {
if (a.contains("%22") || a.contains("%3E") || a.contains("%3e")
|| a.contains("%3C") || a.contains("%3c")
|| a.contains("<") || a.contains(">") || a.contains("\"")
|| a.contains("'") || a.contains("+") || /*
* a.contains("%27")
* ||
*/
a.contains(" and ") || a.contains(" or ")
|| a.contains("1=1") || a.contains("(") || a.contains(")")) {
return "bingo";
}
}
return a;
}
}
标签:xxx,java,String,contains,xx,漏洞,host,replaceAll,import 来源: https://blog.csdn.net/qq_33594101/article/details/78253489
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。