kk Blog —— 通用基础


date [-d @int|str] [+%s|"+%F %T"]
netstat -ltunp
sar -n DEV 1

nginx解决sql注入

https://blog.csdn.net/A_Apprentice/article/details/125861741

  1. get请求好处理

  2. post请求 由于需要拿到请求体,需要安装lua插件支持

errlog

1
2
3

ngx.log(ngx.ERR, "error: ", body)

tail -f /var/log/nginx/error.log

当前方案 :

get在server级别处理

post在lication级别处理

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102

	# 文件上传的限制
	client_max_body_size 100m;

	if ($query_string ~* ".*('|--|union|insert|drop|truncate|update|(%20)from|grant|(%20)where|(%20)select|(%20)and|(%20)chr|(%20)mid|like|(%20)iframe|(%20)script|alert|webscan|dbappsecurity|style|WAITFOR|confirm|innerhtml|innertext|class).*") { return 403; }
        #if ($uri ~* (.*)(insert|select|delete|update|count|master|truncate|declare|\*|%|\')(.*)$ ) { return 403; }
        if ($http_user_agent ~ ApacheBench|WebBench|Jmeter|JoeDog|Havij|GetRight|TurnitinBot|GrabNet|masscan|mail2000|github|wget|curl) { return 444; }
        if ($http_user_agent ~ "Go-Ahead-Got-It") { return 444; }
        if ($http_user_agent ~ "GetWeb!") { return 444; }
        if ($http_user_agent ~ "Go!Zilla") { return 444; }
        if ($http_user_agent ~ "Download Demon") { return 444; }
        if ($http_user_agent ~ "Indy Library") { return 444; }
        if ($http_user_agent ~ "libwww-perl") { return 444; }
        if ($http_user_agent ~ "Nmap Scripting Engine") { return 444; }
        if ($http_user_agent ~ "Load Impact") { return 444; }
        if ($http_user_agent ~ "~17ce.com") { return 444; }
        if ($http_user_agent ~ "WebBench*") { return 444; }
        if ($http_referer ~* 17ce.com) { return 444; }
        if ($http_user_agent ~* qiyunce) { return 444; }
        if ($http_user_agent ~* YunGuanCe) { return 403; }
        if ($http_referer ~* WebBench*") { return 444; }
        if ($http_user_agent ~ "BLEXBot") { return 403; }
        if ($http_user_agent ~ "MJ12bot") { return 403; }
        if ($http_user_agent ~ "semalt.com") { return 403; }
        if ($http_user_agent ~ "sqlmap") { return 403; }

        #自动防护
	if ($request_uri ~* \.(htm|do)\?(.*)$) {
            set $req $2;
        }
        if ($req ~* "(cost\()|(concat\()") {
            return 503;
        }
        if ($req ~* "union[+|(%20)]") {
            return 503;
        }
        if ($req ~* "and[+|(%20)]") {
            return 503;
        }
        if ($req ~* "select[+|(%20)]") {
            return 503;
        }


        #溢出过滤
        if ($query_string ~ "(<|%3C).*script.*(>|%3E)") { return 403; }
        if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
        if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") { return 403; }
        if ($query_string ~ "proc/self/environ") { return 403; }
        if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") { return 403; }
        if ($query_string ~ "base64_(en|de)code\(.*\)") { return 403; }

        #文件注入禁止
        if ($query_string ~ "[a-zA-Z0-9_]=http://") { return 403; }
        if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") { return 403; }
        if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") { return 403; }

        location / {

            lua_need_request_body on;
            access_by_lua_block {
                local body = ngx.var.request_body
                if ngx.var.request_method == "POST" and body ~= nil then
                    local regex0 = "(.*?((sqlwhere)|(c0-param0)).*?){1,}"
                    local m0 = ngx.re.match(body, regex0, "i")
                    local regex1 = "(.*?((insert)|(drop)|(truncate)|(update)|(grant)|(chr)|(webscan)|(dbappsecurity)|(WAITFOR)).*?){1,}"
                    local m1 = ngx.re.match(body, regex1, "i")
                    local regex2 = "(.*?((union)|(insert)|(drop)|(truncate)|(grant)|(chr)|(iframe)|(alert)|(webscan)|(dbappsecurity)|(style)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}"
                    local m2 = ngx.re.match(body, regex2, "i")
                    if (m0 and m1) or (not m0 and m2) then
                        ngx.log(ngx.ERR, "error: ", body)
                        ngx.status = 403
                        ngx.say('{"code": 403, "msg": "非法参数","ok": false,"runningTime": "0ms"}')
                    end
                end

                ngx.req.read_body()
                local args, err = ngx.req.get_post_args()
                if args then
                    for k, v in pairs(args) do
                       if k == "j_username" or k == "j_password" then
                           local regex = "(.*?((union)|(insert)|(drop)|(truncate)|(update)|(from)|(grant)|(where)|(select)|(chr)|(mid)|(like)|(iframe)|(script)|(alert)|(webscan)|(dbappsecurity)|(style)|(WAITFOR)|(confirm)|(innerhtml)|(innertext)|(class)).*?){1,}"
                           local m = ngx.re.match(v, regex, "i")
                           if m then
                              ngx.log(ngx.ERR, "error: ", v)
                              ngx.status = 403
                              ngx.say('{"code": 403, "msg": "非法参数","ok": false,"runningTime": "0ms"}')
                           end
                       end
                   end
                end
            }


            proxy_http_version 1.1;
            proxy_set_header Connection "";

            proxy_next_upstream http_502 error timeout invalid_header;
            proxy_pass http://192.168.100.199:8888;
            proxy_set_header Host $http_host;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

        #自动防护
	if ($request_uri ~* \.(htm|do)\?(.*)$) {
            set $req $2;
        }
        if ($req ~* "(cost\()|(concat\()") {
            return 503;
        }
        if ($req ~* "union[+|(%20)]") {
            return 503;
        }
        if ($req ~* "and[+|(%20)]") {
            return 503;
        }
        if ($req ~* "select[+|(%20)]") {
            return 503;
        }

1、这里之所以使用$request_uri而未使用$query_string变量,因为通过$request_uri进行rewrite分割更精准。

2、%20代表的是空格,同上文不的是,我这里把上面的空格匹配进行了取消。这样像www.361way.com/aaa.do?select * from test之样的也可以进行匹配。

3、上面的htm是伪静态,实际上同.do一样,也是动态文件。为了便于和静态文件进行区分,这里选择了htm而不是html。

4、注意,最上面的url里面的\? ,这个也分重要。如果没有的话,www.361way.com/aaa.htm select * from test不会被过滤,而www.361way.com/aaa.htm?select * from test会被过滤。如果想将前面的也过滤,只需要把\? 取消即可。

https://blog.csdn.net/remotesupport/article/details/11967851

https://blog.csdn.net/qq_34777982/article/details/125390989

http://www.3qphp.com/linux/centos/2581.html