.Net 全局过滤,防止SQL注入

问题背景:由于公司需要整改的老系统的漏洞检查,而系统就是没有使用参数化SQL即拼接查询语句开发的程序,导致漏洞扫描出现大量SQL注入问题。

解决方法:最好的办法就是不写拼接SQL,改用参数化SQL,推荐新项目使用,老项目改起来比较麻烦,花费的时间也多,最后选择用全局SQL过滤器过滤前端发送的请求内容。

代码:

cs 复制代码
/// <summary>
    /// 防止输入参数sql注入:Post Get Cookies
    /// </summary>
    public class SqlFilter : ActionFilterAttribute
    {
        private const string FilterSql = "execute,exec,select,insert,update,delete,create,drop,alter,exists,table,sysobjects,truncate,union,and,order,xor,or,mid,cast,where,asc,desc,xp_cmdshell,join,declare,nvarchar,varchar,char,sp_oacreate,wscript.shell,xp_regwrite,',%,;,--";

        public override void OnActionExecuting(ActionExecutingContext filterContext)
        {
            // -----------------------防 Post 注入-----------------------
            if (filterContext.HttpContext.Request.Form != null)
            {
                var isReadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
                //把 Form 属性改为可读写
                isReadonly?.SetValue(filterContext.HttpContext.Request.Form, false, null);

                for (var k = 0; k < filterContext.HttpContext.Request.Form.Count; k++)
                {
                    var inputKey = filterContext.HttpContext.Request.Form.Keys[k];
                    var inputValue = filterContext.HttpContext.Request.Form[inputKey];
                    var filters = FilterSql.Split(',');
                    inputValue = filters.Aggregate(inputValue, (current, filterSql) => Regex.Replace(current, filterSql, "", RegexOptions.IgnoreCase));
                    filterContext.HttpContext.Request.Form[inputKey] = inputValue;
                }
            }


            // -----------------------防 GET 注入-----------------------
            if (filterContext.HttpContext.Request.QueryString != null)
            {
                var isReadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
                //把 QueryString 属性改为可读写
                isReadonly?.SetValue(filterContext.HttpContext.Request.QueryString, false, null);

                for (var k = 0; k < filterContext.HttpContext.Request.QueryString.Count; k++)
                {
                    var inputKey = filterContext.HttpContext.Request.QueryString.Keys[k];
                    var inputValue = filterContext.HttpContext.Request.QueryString[inputKey];
                    var filters = FilterSql.Split(',');
                    inputValue = filters.Aggregate(inputValue, (current, filterSql) => Regex.Replace(current, filterSql, "", RegexOptions.IgnoreCase));
                    filterContext.HttpContext.Request.QueryString[inputKey] = inputValue;
                }
            }


            // -----------------------防 Cookies 注入-----------------------
            if (filterContext.HttpContext.Request.Cookies.Count > 0)
            {
                var isReadonly = typeof(System.Collections.Specialized.NameValueCollection).GetProperty("IsReadOnly", BindingFlags.Instance | BindingFlags.NonPublic);
                //把 Cookies 属性改为可读写
                isReadonly?.SetValue(filterContext.HttpContext.Request.Cookies, false, null);

                for (var k = 0; k < filterContext.HttpContext.Request.Cookies.Count; k++)
                {
                    var inputKey = filterContext.HttpContext.Request.Cookies.Keys[k];
                    var inputValue = filterContext.HttpContext.Request.Cookies[inputKey]?.Value;
                    var filters = FilterSql.Split(',');
                    inputValue = filters.Aggregate(inputValue, (current, filterSql) => Regex.Replace(current, filterSql, "", RegexOptions.IgnoreCase));
                    if (!(filterContext.HttpContext.Request.Cookies[inputKey] is null))
                    {
                        filterContext.HttpContext.Request.Cookies[inputKey].Value = inputValue;
                    }
                }
            }
            base.OnActionExecuting(filterContext);
        }
    }
相关推荐
SEO-狼术35 分钟前
Aqua Data Studio 25.5
.net
瀚高PG实验室18 小时前
执行select * from a where rownum<1;,数据库子进程崩溃,业务中断。
数据库·sql·瀚高数据库
KING BOB!!!19 小时前
Leetcode高频 SQL 50 题(基础版)题目记录
sql·mysql·算法·leetcode
MasterNeverDown20 小时前
.net 微服务jeager链路跟踪
微服务·架构·.net
川石课堂软件测试20 小时前
Oracle 数据库如何查询列
linux·数据库·sql·功能测试·oracle·grafana·prometheus
皆过客,揽星河1 天前
mysql初学者练习题(从基础到进阶,相关数据sql脚本在最后)
数据库·sql·mysql·oracle·mysql基础练习·mysql基础语法·数据库练习题
威风的虫1 天前
SQLite3 操作指南:SQL 语句与 ORM 方法对比解析
数据库·sql
深栈1 天前
SQL:连续登录类型问题的解题思路
数据库·sql·数据分析·连续登录
XYiFfang1 天前
【mysql】SQL自连接实战:查询温度升高的日期
数据库·sql·mysql
喵叔哟1 天前
51.【.NET8 实战--孢子记账--从单体到微服务--转向微服务】--新增功能--登录注册扩展
数据库·微服务·.net