filter修改post参数
前景:公司项目web渗透测试中提出管理登录时,传输密码不能为明文,需要加密传输,但是迫于系统架构,后端代码不能修改,只能在filter中解密参数。
1.前端加密处理:
1 <script type="text/javascript"> 2 $(function() { 3 $("#loginBtn").click(function() { 4 //对数据加密 5 var password = encode64($("#pwdInput").val()); 6 $("#pwdInput").val(password); 7 document.login.submit(); //login为form表单name 8 }) 9 }) 10 // base64加密开始 11 var keyStr = "ABCDEFGHIJKLMNOP" + "QRSTUVWXYZabcdef" + "ghijklmnopqrstuv" + "wxyz0123456789+/" + "="; 12 function encode64(input) { 13 var output = ""; 14 var chr1, chr2, chr3 = ""; 15 var enc1, enc2, enc3, enc4 = ""; 16 var i = 0; 17 do { 18 chr1 = input.charCodeAt(i++); 19 chr2 = input.charCodeAt(i++); 20 chr3 = input.charCodeAt(i++); 21 enc1 = chr1 >> 2; 22 enc2 = ((chr1 & 3) << 4) | (chr2 >> 4); 23 enc3 = ((chr2 & 15) << 2) | (chr3 >> 6); 24 enc4 = chr3 & 63; 25 if (isNaN(chr2)) { 26 enc3 = enc4 = 64; 27 } else if (isNaN(chr3)) { 28 enc4 = 64; 29 } 30 output = output + keyStr.charAt(enc1) + keyStr.charAt(enc2) + keyStr.charAt(enc3) + keyStr.charAt(enc4); 31 chr1 = chr2 = chr3 = ""; 32 enc1 = enc2 = enc3 = enc4 = ""; 33 } while (i < input.length); 34 return output; 35 } // base64加密结束 36 </script>
2.后端解密:
1 private static byte[] base64DecodeChars = new byte[] { -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 2 -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, 3 -1, 62, -1, -1, -1, 63, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, -1, -1, -1, -1, -1, -1, -1, 0, 1, 2, 3, 4, 4 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, -1, -1, -1, -1, -1, -1, 26, 5 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, -1, -1, 6 -1, -1, -1 }; 7 8 /** * 解密 * @param str * @return */ 9 public static byte[] decode(String str) { 10 byte[] data = str.getBytes(); 11 int len = data.length; 12 ByteArrayOutputStream buf = new ByteArrayOutputStream(len); 13 int i = 0; 14 int b1, b2, b3, b4; 15 while (i < len) { 16 do { 17 b1 = base64DecodeChars[data[i++]]; 18 } while (i < len && b1 == -1); 19 if (b1 == -1) { 20 break; 21 } 22 do { 23 b2 = base64DecodeChars[data[i++]]; 24 } while (i < len && b2 == -1); 25 if (b2 == -1) { 26 break; 27 } 28 buf.write((int) ((b1 << 2) | ((b2 & 0x30) >>> 4))); 29 do { 30 b3 = data[i++]; 31 if (b3 == 61) { 32 return buf.toByteArray(); 33 } 34 b3 = base64DecodeChars[b3]; 35 } while (i < len && b3 == -1); 36 if (b3 == -1) { 37 break; 38 } 39 buf.write((int) (((b2 & 0x0f) << 4) | ((b3 & 0x3c) >>> 2))); 40 do { 41 b4 = data[i++]; 42 if (b4 == 61) { 43 return buf.toByteArray(); 44 } 45 b4 = base64DecodeChars[b4]; 46 } while (i < len && b4 == -1); 47 if (b4 == -1) { 48 break; 49 } 50 buf.write((int) (((b3 & 0x03) << 6) | b4)); 51 } 52 return buf.toByteArray(); 53 }
3.filter修改post参数值
3.1修改filter
1 MyHttpServletRequestWrapper requestWrapper = new MyHttpServletRequestWrapper(request); 2 String captcha = (String) requestWrapper.getParameter("captcha"); 3 log.debug("filter get captcha:" + captcha); 4 if (StringUtil.isNotNull(captcha) 5 && captcha.equalsIgnoreCase("" + request.getSession().getAttribute("captcha"))) { 6 captcha = QueryCaptchaUtil.QueryCaptcha(); 7 session.removeAttribute("captcha"); // 验证码登录后销毁 8 session.setAttribute("captcha", captcha); 9 certService.setCertProperty(request); 10 // 1.获取需要处理的参数 11 String userPassword = requestWrapper.getParameter("userPassword");13 // 2.把处理后的参数放回去 14 requestWrapper.setParameter("userPassword", new String(decode(userPassword))); 15 // 3.放行,把我们的requestWrapper放到方法当中 16 chain.doFilter(requestWrapper, response); 17 return; 18 }
3.2 MyHttpServletRequestWrapper.java
1 import java.io.BufferedReader; 2 import java.io.ByteArrayInputStream; 3 import java.io.IOException; 4 import java.io.InputStreamReader; 5 import java.util.HashMap; 6 import java.util.Iterator; 7 import java.util.Map; 8 import java.util.Set; 9 10 import javax.servlet.ReadListener; 11 import javax.servlet.ServletInputStream; 12 import javax.servlet.http.HttpServletRequest; 13 import javax.servlet.http.HttpServletRequestWrapper; 14 15 /** 16 * 重写 HttpServletRequestWrapper 处理表单、ajax请求 17 * 18 * @author dongzhihao 19 * 20 */ 21 public class MyHttpServletRequestWrapper extends HttpServletRequestWrapper { 22 23 //private final byte[] body; 24 25 // 用于存储请求参数 26 private Map<String, Object> params = new HashMap<String, Object>(); 27 28 // 构造方法 29 public MyHttpServletRequestWrapper(HttpServletRequest request) throws IOException { 30 super(request); 31 //body = parseBodyToBytes(request); 32 // 把请求参数添加到我们自己的map当中 33 this.params.putAll(request.getParameterMap()); 34 } 35 36 @Override 37 public String getQueryString() { 38 StringBuffer buffer = new StringBuffer(); 39 Set<String> keySet = params.keySet(); 40 int i = 0; 41 for (Iterator<String> iterator = keySet.iterator(); iterator.hasNext();) { 42 if (i != 0) { 43 buffer.append("&"); 44 } 45 String key = (String) iterator.next(); 46 Object obj = params.get(key); 47 if (obj instanceof String[]) { 48 String[] new_name = (String[]) obj; 49 obj=new_name[0]; 50 } 51 buffer.append(key + "=").append(obj); 52 i++; 53 } 54 System.out.println(buffer.toString()); 55 return buffer.toString(); 56 } 57 58 /** 59 * 添加参数到map中 60 * 61 * @param name 62 * @param value 63 */ 64 public void setParameter(String name, Object value) { 65 if (value != null) { 66 System.out.println(value); 67 if (value instanceof String[]) { 68 params.put(name, (String[]) value); 69 } else if (value instanceof String) { 70 params.put(name, value); 71 } else { 72 params.put(name, new String[] { String.valueOf(value) }); 73 } 74 } 75 } 76 77 78 79 80 @Override 81 public BufferedReader getReader() throws IOException { 82 return new BufferedReader(new InputStreamReader(getInputStream())); 83 } 84 85 @Override 86 public ServletInputStream getInputStream() throws IOException { 87 final ByteArrayInputStream bais = new ByteArrayInputStream(getQueryString().getBytes()); 88 return new ServletInputStream() { 89 @Override 90 public int read() throws IOException { 91 return bais.read(); 92 } 93 94 @Override 95 public boolean isFinished() { 96 return false; 97 } 98 99 @Override 100 public boolean isReady() { 101 return false; 102 } 103 104 @Override 105 public void setReadListener(ReadListener arg0) { 106 } 107 }; 108 } 109 110 }
版权声明:本文为D-ZH原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。