自动化立体仓库 - WMS系统
ZY
2024-10-28 2c97ee5f2c4be45621d1c466f2172b6144e214f1
sql注入漏洞
1个文件已添加
2个文件已修改
63 ■■■■ 已修改文件
pom.xml 3 ●●●● 补丁 | 查看 | 原始文档 | blame | 历史
src/main/java/com/zy/common/config/AdminInterceptor.java 38 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
src/main/java/com/zy/common/utils/SqlInjectionUtils.java 22 ●●●●● 补丁 | 查看 | 原始文档 | blame | 历史
pom.xml
@@ -17,8 +17,7 @@
        <java.version>1.8</java.version>
        <cool.version>3.2.0</cool.version>
        <mysql-driver.version>5.1.47</mysql-driver.version>
<!--        <mybatis-plus.version>2.3.2</mybatis-plus.version>-->
        <mybatis-plus.version> 3.5.9</mybatis-plus.version>
        <mybatis-plus.version>2.3.2</mybatis-plus.version>
        <fastjson.version>1.2.58</fastjson.version>
        <springfox.version>2.7.0</springfox.version>
    </properties>
src/main/java/com/zy/common/config/AdminInterceptor.java
@@ -8,6 +8,7 @@
import com.core.common.Cools;
import com.zy.common.properties.SystemProperties;
import com.zy.common.utils.Http;
import com.zy.common.utils.SqlInjectionUtils;
import com.zy.system.entity.*;
import com.zy.system.service.*;
import org.springframework.beans.factory.annotation.Autowired;
@@ -22,6 +23,7 @@
import javax.servlet.http.HttpServletResponse;
import java.lang.reflect.Method;
import java.util.Date;
import java.util.Map;
/**
 * Created by vincent on 2019-06-13
@@ -50,17 +52,22 @@
        }
        // super账号
        String token = request.getHeader("token");
        if (token!=null) {
        if (token != null) {
            String deToken = Cools.deTokn(token, superPwd);
            if (deToken!=null){
            if (deToken != null) {
                long timestamp = Long.parseLong(deToken.substring(0, 13));
                // 1天后过期
                if (System.currentTimeMillis() - timestamp > 86400000){
                if (System.currentTimeMillis() - timestamp > 86400000) {
                    Http.response(response, BaseRes.DENIED);
                    return false;
                }
                if ("super".equals(deToken.substring(13))) {
                    request.setAttribute("userId", 9527);
                    Map<String, String[]> parameterMap = request.getParameterMap();
                    if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
                        Http.response(response, "sql注入,请正规访问");
                        return false;
                    }
                    return true;
                }
            }
@@ -74,15 +81,15 @@
        // response.setHeader("Access-Control-Allow-Origin", "*");
        HandlerMethod handlerMethod = (HandlerMethod) handler;
        Method method = handlerMethod.getMethod();
        if (method.isAnnotationPresent(AppAuth.class)){
        if (method.isAnnotationPresent(AppAuth.class)) {
            AppAuth annotation = method.getAnnotation(AppAuth.class);
            if (annotation.value().equals(AppAuth.Auth.CHECK)){
            if (annotation.value().equals(AppAuth.Auth.CHECK)) {
                request.setAttribute("appAuth", annotation.memo());
            }
        }
        if (method.isAnnotationPresent(ManagerAuth.class)){
        if (method.isAnnotationPresent(ManagerAuth.class)) {
            ManagerAuth annotation = method.getAnnotation(ManagerAuth.class);
            if (annotation.value().equals(ManagerAuth.Auth.CHECK)){
            if (annotation.value().equals(ManagerAuth.Auth.CHECK)) {
                return check(request, response, annotation.memo());
            }
        }
@@ -108,7 +115,7 @@
        try {
            String token = request.getHeader("token");
            UserLogin userLogin = userLoginService.selectOne(new EntityWrapper<UserLogin>().eq("token", token));
            if (null == userLogin){
            if (null == userLogin) {
                Http.response(response, BaseRes.DENIED);
                return false;
            }
@@ -116,7 +123,7 @@
//            String deToken = Cools.deTokn(token, user.getPassword());
//            long timestamp = Long.parseLong(deToken.substring(0, 13));
            // 15分钟后过期  一天
            if (System.currentTimeMillis() - userLogin.getCreateTime().getTime() > 86400000){
            if (System.currentTimeMillis() - userLogin.getCreateTime().getTime() > 86400000) {
                Http.response(response, BaseRes.DENIED);
                return false;
            }
@@ -125,6 +132,12 @@
                Http.response(response, BaseRes.LIMIT);
                return false;
            }
            Map<String, String[]> parameterMap = request.getParameterMap();
            if (!Cools.isEmpty(parameterMap) && SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
                Http.response(response, "sql注入,请正规访问");
                return false;
            }
            // 请求缓存
            request.setAttribute("userId", user.getId());
            // 更新 token 有效期
@@ -139,14 +152,14 @@
                }
                // 记录操作日志
                OperateLog operateLog = new OperateLog();
                operateLog.setAction(Cools.isEmpty(memo)?request.getRequestURI():memo);
                operateLog.setAction(Cools.isEmpty(memo) ? request.getRequestURI() : memo);
                operateLog.setIp(request.getRemoteAddr());
                operateLog.setUserId(user.getId());
                operateLog.setRequest(JSON.toJSONString(request.getParameterMap()));
                request.setAttribute("operateLog", operateLog);
            }
            return true;
        } catch (Exception e){
        } catch (Exception e) {
            Http.response(response, BaseRes.DENIED);
            return false;
        }
@@ -155,6 +168,7 @@
    /**
     * 权限拦截
     *
     * @return false:无权限;   true:认证通过
     */
    private boolean limit(String action, User user) {
@@ -172,7 +186,7 @@
    /**
     * 跨域
     */
    public static void cors(HttpServletResponse response){
    public static void cors(HttpServletResponse response) {
        // 跨域设置
        response.setHeader("Access-Control-Allow-Origin", "*");
        response.setHeader("Access-Control-Allow-Credentials", "true");
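Review bot: The guard added in the hunks at `@@ -50,17 +52,22 @@` and `@@ -125,6 +132,12 @@` is a regex blacklist run over `JSON.toJSONString(request.getParameterMap())`, so it only inspects query/form parameters — a JSON body bound with `@RequestBody` (if any controller takes one; not visible here) is never checked — while ordinary values such as a memo containing `and ` or a name like `O'Connor` are rejected with `sql注入,请正规访问`. A screen like this is defense in depth at best; the durable fix is parameterised SQL at the data layer (`#{}` rather than `${}` in mapper XML, no caller-supplied column names reaching `EntityWrapper`), which this commit does not touch and I cannot confirm from the hunks. The same five lines are duplicated in both branches; a private helper keeps them in one place and gives a single spot to record the rejected request (URI, remote address, user id) so blocked attempts are visible to monitoring instead of silently returning `false`. The enclosing methods start and end outside the hunks.
```java
    /** Rejects the request when its serialized query/form parameters match SqlInjectionUtils' heuristic patterns. */
    private boolean rejectSuspiciousParameters(HttpServletRequest request, HttpServletResponse response) {
        Map<String, String[]> parameterMap = request.getParameterMap();
        if (Cools.isEmpty(parameterMap) || !SqlInjectionUtils.check(JSON.toJSONString(parameterMap))) {
            return false;
        }
        // TODO(review): log request.getRequestURI() and request.getRemoteAddr() here so blocked requests are visible to monitoring
        Http.response(response, "sql注入,请正规访问");
        return true;
    }

    // … both call sites become:
    // if (rejectSuspiciousParameters(request, response)) { return false; }
```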
src/main/java/com/zy/common/utils/SqlInjectionUtils.java
New file
@@ -0,0 +1,22 @@
package com.zy.common.utils;
import java.util.Objects;
import java.util.regex.Pattern;
public class SqlInjectionUtils {
    private static final Pattern SQL_SYNTAX_PATTERN = Pattern.compile("(insert|delete|update|select|create|drop|truncate|grant|alter|deny|revoke|call|execute|exec|declare|show|rename|set)\\s+.*(into|from|set|where|table|database|view|index|on|cursor|procedure|trigger|for|password|union|and|or)|(select\\s*\\*\\s*from\\s+)|if\\s*\\(.*\\)|select\\s*\\(.*\\)|substr\\s*\\(.*\\)|substring\\s*\\(.*\\)|char\\s*\\(.*\\)|concat\\s*\\(.*\\)|benchmark\\s*\\(.*\\)|sleep\\s*\\(.*\\)|(and|or)\\s+.*", 2);
    private static final Pattern SQL_COMMENT_PATTERN = Pattern.compile("'.*(or|union|--|#|/\\*|;)", 2);
    public SqlInjectionUtils() {
    }
    public static boolean check(String value) {
        Objects.requireNonNull(value);
        return SQL_COMMENT_PATTERN.matcher(value).find() || SQL_SYNTAX_PATTERN.matcher(value).find();
    }
    public static String removeEscapeCharacter(String text) {
        Objects.nonNull(text);
        return text.replaceAll("\"", "").replaceAll("'", "");
    }
}
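Review bot: `Objects.nonNull(text)` in `removeEscapeCharacter` only returns a boolean that is discarded, so a null `text` still reaches `text.replaceAll` and fails with a NullPointerException; use `Objects.requireNonNull(text, "text");` as `check` already does, and `text.replace("\"", "").replace("'", "")` since the arguments are literals, not regexes. The `2` passed to both `Pattern.compile` calls is `Pattern.CASE_INSENSITIVE` and should be written as the constant (the literal flag and the empty public constructor read like decompiler output); a utility class should also have a `private SqlInjectionUtils() {}`. The patterns are heuristics with notable false positives — `SQL_COMMENT_PATTERN` matches `O'Connor` (an apostrophe followed later by `or`) and the trailing `(and|or)\s+.*` alternative matches any text containing `and ` or `or ` — so a class Javadoc should state that `check` is a defense-in-depth screen rather than a substitute for parameterised queries, and that callers must expect legitimate input to be rejected.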