nginx solution for intercepting SQL injection

Posted by 大唐荣华


1. GET requests are easy to handle: the query string is exposed as the $query_string variable, so a plain nginx if can inspect it.

2. POST requests are harder: the request body has to be read first, which the core nginx config language cannot do, so the Lua module (lua-nginx-module, bundled with OpenResty) is required.

Current approach:

  • GET is handled at the server level

  • POST is handled at the location level

Note that the keyword list below contains ordinary words (and, from, like, class, style), so legitimate requests that happen to contain them are rejected as well; the list has to be tuned per application, and the filter is a coarse front-line check, not a replacement for parameterised queries in the backend.


    # Inside the server { } block. GET requests are checked against
    # $query_string, which nginx matches as received (still percent-encoded),
    # so an encoded quote (%27) is not caught by the ' pattern below.
    # Every "if" body needs braces in nginx; the braces had been lost from the
    # page and are restored here.
    if ($query_string ~* "('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class)") {
        return 403;
    }
    #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|exec|\\*|%|\\')(.*)$) { return 403; }

    # Scanner, benchmarking and download-tool User-Agents / Referers.
    # 444 closes the connection without sending a response; 403 sends a
    # normal forbidden reply.
    if ($http_user_agent ~ "ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl") { return 444; }
    if ($http_user_agent ~ "Go-Ahead-Got-It")      { return 444; }
    if ($http_user_agent ~ "GetWeb!")              { return 444; }
    if ($http_user_agent ~ "Go!Zilla")             { return 444; }
    if ($http_user_agent ~ "Download Demon")       { return 444; }
    if ($http_user_agent ~ "Indy Library")         { return 444; }
    if ($http_user_agent ~ "libwww-perl")          { return 444; }
    if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; }
    if ($http_user_agent ~ "Load Impact")          { return 444; }
    if ($http_user_agent ~* "17ce\.com")           { return 444; }
    if ($http_user_agent ~ "WebBench")             { return 444; }
    if ($http_referer ~* "17ce\.com")              { return 444; }
    if ($http_user_agent ~* "qiyunce")             { return 444; }
    if ($http_user_agent ~* "YunGuanCe")           { return 403; }
    if ($http_referer ~* "WebBench")               { return 444; }
    if ($http_user_agent ~ "BLEXBot")              { return 403; }
    if ($http_user_agent ~ "MJ12bot")              { return 403; }
    if ($http_user_agent ~ "semalt.com")           { return 403; }

    location / {
        # POST bodies are only visible to Lua (lua-nginx-module / OpenResty),
        # so they are checked here. lua_need_request_body makes nginx read the
        # body before the access phase runs.
        lua_need_request_body on;
        access_by_lua_block {
            local body = ngx.var.request_body
            -- $request_body is empty when nginx spooled the body to a temp file
            -- (body larger than client_body_buffer_size). Such requests pass
            -- this check unexamined, so size the buffer for the bodies you expect.
            if ngx.var.request_method == "POST" and body ~= nil and body ~= "" then
                -- Same keyword list as the GET rule minus the quote/comment
                -- tokens. "ijo": case-insensitive (like ~* above), PCRE JIT,
                -- cache the compiled regex.
                local regex = "(union|insert|drop|truncate|update|from|grant|exec|where|select|chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class)"
                local m = ngx.re.match(body, regex, "ijo")
                if m then
                    -- Send the JSON error and stop the request here; without
                    -- ngx.exit it would continue to proxy_pass after output
                    -- had already been sent.
                    ngx.status = ngx.HTTP_FORBIDDEN
                    ngx.header["Content-Type"] = "application/json"
                    ngx.say('{"code": 999, "msg": "illegal parameter", "ok": false, "runningTime": "0ms"}')
                    return ngx.exit(ngx.HTTP_OK)
                end
            end
        }

        proxy_http_version 1.1;
        proxy_set_header Connection "";

        proxy_next_upstream http_502 error timeout invalid_header;
        proxy_pass http://10.32.0.207/;
        proxy_set_header Host $host;

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
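Before deploying the two rules it is worth seeing exactly what they accept and reject. The following is an added example, not code from the original post: it reimplements the keyword alternations from the GET rule and the Lua POST rule in Python and runs them over constructed sample requests (the query strings and JSON bodies are made up for illustration). The raw-versus-decoded pair of GET checks reflects the fact that nginx matches $query_string as received, without percent-decoding, and the None POST sample stands for the empty $request_body that Lua sees when nginx has spooled a large body to disk.

```python
import re
from urllib.parse import unquote

# Keyword alternation copied from the server-level "if ($query_string ~* ...)"
# rule above; compiled with IGNORECASE to mirror nginx's ~* operator.
GET_KEYWORDS = re.compile(
    r"('|--|union|insert|drop|truncate|update|from|grant|exec|where|select|and|"
    r"chr|mid|like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|"
    r"confirm|innerhtml|innertext|class)",
    re.IGNORECASE,
)

# Keyword alternation from the location-level Lua rule (no quote, "--" or "and").
POST_KEYWORDS = re.compile(
    r"(union|insert|drop|truncate|update|from|grant|exec|where|select|chr|mid|"
    r"like|iframe|script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|"
    r"innerhtml|innertext|class)",
    re.IGNORECASE,
)


def get_rule_blocks(query_string):
    """Server-level rule as nginx evaluates it: $query_string is the raw query
    string, still percent-encoded, so no decoding is done here on purpose."""
    return GET_KEYWORDS.search(query_string) is not None


def get_rule_blocks_decoded(query_string):
    """Same keyword list applied after percent-decoding, i.e. what the backend
    application (or a filter that normalises first) would see."""
    return GET_KEYWORDS.search(unquote(query_string)) is not None


def post_rule_blocks(body):
    """Location-level rule. None stands for $request_body being empty, which is
    what nginx gives Lua when the body was spooled to a temp file instead of
    memory; the rule on the page then skips the check entirely."""
    if body is None:
        return False
    return POST_KEYWORDS.search(body) is not None


# Constructed sample requests (not captured traffic), each with the verdict a
# reviewer would expect, so the rules' hits and misses are visible at once.
GET_SAMPLES = [
    ("id=42",                  "benign"),
    ("id=42'+or+1=1--",        "injection, literal quote"),
    ("id=42%27%20or%201%3d1",  "injection, quote percent-encoded"),
    ("q=Letters+from+home",    "benign, contains 'from'"),
    ("user=andrew",            "benign, contains 'and'"),
]

POST_SAMPLES = [
    ('{"username":"alice","password":"hunter2"}',             "benign"),
    ('{"username":"alice\' union select 1--","password":""}', "injection"),
    ('{"comment":"I like this"}',                             "benign, contains 'like'"),
    (None,                                                    "body too large for memory"),
]


def audit():
    """Run every sample through the rules. Returns (query, label, raw_block,
    decoded_block) tuples for GETs and (body, label, blocked) for POSTs."""
    gets = [(q, label, get_rule_blocks(q), get_rule_blocks_decoded(q))
            for q, label in GET_SAMPLES]
    posts = [(b, label, post_rule_blocks(b)) for b, label in POST_SAMPLES]
    return gets, posts


if __name__ == "__main__":
    gets, posts = audit()
    for q, label, raw, decoded in gets:
        print(f"GET  {q!r:28} {label:34} raw={raw!s:5} decoded={decoded}")
    for b, label, blocked in posts:
        print(f"POST {str(b)[:28]!r:30} {label:34} blocked={blocked}")
```

Running it shows the three things a practitioner should know before trusting this config: the literal-quote payload is blocked, the percent-encoded one slips past the raw $query_string match even though it decodes to the same SQL, and ordinary values such as "from home" or "andrew" are rejected as injection. The None case is the silent gap for oversized bodies; raise client_body_buffer_size or reject requests whose body is not in memory if the POST check has to be reliable.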
