  • 上周问题总结与解决方案

     

     

    1,代码冗余以及注释不详,代码有待进一步完善 (轻)

    (1)    注释不详处添加注释

    (2)    删除冗余代码

    2,源码存在多出无用文件 (轻)

    (1) 删除“粮油机械html”文件夹

    (2) 删除“复件index.aspx”文件

     

    3,editor过滤不严密,可使黑客上传恶意程序(高危漏洞)

    漏洞地址:~/web/editor/fckeditor.html

    解决方案:(1)<!--

       

         启用角色管理

         -->

        <roleManager enabled ="true">

         

    </roleManager>

    (2)//启用forms认证

    <!-- Forms authentication for the whole application: unauthenticated requests are sent
         to loginUrl, a successful login lands on defaultUrl, and the ticket travels in the
         cookie named here (the login code uses FormsAuthentication.FormsCookieName, i.e. this name).
         NOTE(review): requireSSL and timeout are not set, so the cookie is accepted over plain
         HTTP and the ticket lifetime is whatever the login code puts in the ticket (30 minutes
         in the snippet below) - consider requireSSL="true" once the admin area is served over HTTPS. -->
    <authentication mode ="Forms">

          <forms loginUrl ="Manage/Admin_login.aspx" name =".ASPXFORMSAUTH" defaultUrl ="Manage/admin_index.aspx">



          </forms>

        </authentication>

    (3)在editor文件夹下新建web.config文件,拒绝匿名用户登录

    <!-- web.config placed in the editor folder: every request under this folder that ASP.NET
         handles is denied to anonymous users ("?") and redirected to the forms loginUrl.
         NOTE(review): the rule only covers requests that pass through the ASP.NET pipeline.
         With IIS 6 / classic pipeline, static files such as fckeditor.html and any non-ASP.NET
         connector scripts are served by IIS directly and are NOT protected by this - confirm
         the pipeline mode and handler mappings on the server before relying on it. -->
    <system.web>

          <authorization >

            <deny users ="?"/>

          </authorization>

        </system.web>

    (4)    在登录事件中

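    // Role list stored in the ticket's UserData; everyone who logs in here is "admin".
    string userRoles = "admin";

    // Build the forms-authentication ticket by hand: version 1, issued now, valid for
    // 30 minutes, non-persistent (false), with the role list carried in UserData.
    // NOTE(review): UserData is only honoured if something (typically
    // Application_AuthenticateRequest) reads it back into the request principal;
    // enabling <roleManager> alone does not do that - confirm.
    FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, name, DateTime.Now, DateTime.Now.AddMinutes(30), false, userRoles);

    // Encrypt the ticket before it leaves the server.
    string EncrTicket = FormsAuthentication.Encrypt(ticket);

    // Cookie named as configured in <forms name="...">, carrying the encrypted ticket.
    HttpCookie myCookie = new HttpCookie(FormsAuthentication.FormsCookieName, EncrTicket);

    // The original cookie was readable from script. Mark it HttpOnly so a stored XSS
    // (the editor issue this write-up is about is one route) cannot read the ticket.
    // NOTE(review): add myCookie.Secure = true once the admin area is HTTPS-only.
    myCookie.HttpOnly = true;

    // Send the cookie to the client.
    Response.Cookies.Add(myCookie);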

     

    4,后台万能密码可登录 (高危漏洞)

    利用'or'='or' 可绕过验证

    漏洞地址:(DAL——>ManagerService.cs)

    源文件:

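    /// <summary>
    /// Checks whether an administrator with the given user name and password exists.
    /// The query is parameterized (OleDb positional "?" placeholders), so the values are
    /// bound as data and never spliced into the SQL text; this closes the
    /// ' or '='or' login bypass that the original string-concatenated query allowed.
    /// </summary>
    /// <param name="adminname">User name as entered at the login page; null is treated as "".</param>
    /// <param name="password">Value compared against [j_pass] exactly as given; this method does
    /// no hashing, so any hashing has to happen before the call. NOTE(review): if [j_pass]
    /// holds plaintext passwords that is a separate issue to fix.</param>
    /// <returns>true when at least one matching row exists, otherwise false.</returns>
    public bool Exists(string adminname, string password)
    {
        // OleDb/Jet binds parameters by position, not by name, so the array order below
        // must match the order of the "?" placeholders: name first, then password.
        const string sql = "Select count(*) from J_admin where [j_name]=? and [j_pass]=?";

        OleDbParameter[] parameters =
        {
            new OleDbParameter("@j_name", adminname ?? string.Empty),
            new OleDbParameter("@j_pass", password ?? string.Empty),
        };

        // Convert.ToInt32(null) is 0, so a null scalar (no rows) yields false, as before.
        object count = SqlHelper.ExecuteScalar(CommandType.Text, sql, parameters);
        return Convert.ToInt32(count) > 0;
    }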

     

    解决方案:原查询语句为 Select count(*) from J_admin where [j_name]='"+adminname+"' and [j_pass]='"+password+"',采用 SQL 字符串拼接,用户输入直接进入 SQL 文本,因此存在登录验证注入漏洞。根本的修复方式是改用参数化查询(OleDb 使用 ? 占位符,把用户名和密码作为参数传入),而不是对输入做关键字过滤。下面的过滤方法最多只能作为附加防线:它会改写合法输入(小写化、去掉引号、"="、"%" 以及 "or"/"and" 子串,连密码也会被改写),且关键字只做单次替换,"selselectect" 过滤后仍为 "select",不能单独依赖。

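    // (1) From the original write-up: in the login page code-behind, define a method that
    // checks user input for "malicious" content and strips it.

    /// <summary>
    /// Normalises a user-supplied string (lower-case, trimmed, cut to <paramref name="maxlength"/>)
    /// and strips HTML tags plus a fixed list of SQL/script keywords and punctuation.
    /// </summary>
    /// <remarks>
    /// This is a blocklist and must not be the only defence against SQL injection; the login
    /// query itself has to be parameterized. Limitations, all visible in the code below:
    /// each token is removed in a single pass, so "selselectect" collapses to "select";
    /// "or" and "and" are cut out of ordinary words ("George" becomes "gege"); and because the
    /// value is lower-cased and loses ' = % &lt; &gt;, a password run through this method no
    /// longer equals what the user typed.
    /// </remarks>
    /// <param name="text">Raw input. Null, empty or whitespace-only input yields string.Empty.</param>
    /// <param name="maxlength">Maximum length kept after lower-casing and trimming; longer input is truncated.</param>
    /// <returns>The filtered text.</returns>
    public static string InputText(string text, int maxlength)
    {
        // Null used to throw NullReferenceException from ToLower(); treat it as empty input.
        if (text == null)
            return string.Empty;

        text = text.ToLower().Trim();
        if (text.Length == 0)
            return string.Empty;
        if (text.Length > maxlength)
            text = text.Substring(0, maxlength);

        // Collapse runs of whitespace. The original pattern "[\\s]{2,{" is not a valid
        // quantifier and made Regex.Replace throw ArgumentException on every call.
        text = Regex.Replace(text, "[\\s]{2,}", " ");
        text = Regex.Replace(text, "(<[b|B][r|R]/*>)+|(<[p|P](.|\\n)*?>)", "\n"); // <br> and <p> become newlines
        text = Regex.Replace(text, "(\\s*&[n|N][b|B][s|S][p|P];\\s*)+", " ");   // &nbsp; runs become one space
        text = Regex.Replace(text, "<(.|\\n)*?>", string.Empty);                 // any other tag is dropped

        // Literal tokens, removed in the original order (order matters: removing "=" first can
        // join fragments into a later token). String.Replace is equivalent to Regex.Replace for
        // these metacharacter-free patterns. The duplicated "exec" entry of the original was
        // dropped; the second pass could never find anything.
        foreach (string token in StripTokens)
        {
            text = text.Replace(token, string.Empty);
        }

        return text;
    }

    // Tokens stripped by InputText, in application order.
    private static readonly string[] StripTokens =
    {
        "=", "%", "'", "select", "insert", "delete", "or", "exec", "--", "and",
        "where", "update", "script", "iframe", "master", "<", ">", "\r\n",
    };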

     

    (2) 若用户输入恶意代码则提示错误。

     

    // Validate user input. Both values first go through InputText (defined above), which
    // lower-cases them and strips quotes, "=", "%" and the substrings "or"/"and" - including
    // from the password, so the value compared later is not what the user typed.
                string name = InputText(LoginName.Text.Trim(), 50);

                string pass = InputText(LoginPassword.Text, 100);

                // Only input that the filter reduced to nothing is rejected here; a mangled but
                // non-empty value continues to the login query.
                if (name==""||pass=="")

                {

                    // NOTE(review): Response.Redirect clears the buffered output before sending
                    // the 302, so this alert is never shown to the user - confirm on the deployed
                    // ASP.NET version; if the message matters, show it on the login page instead.
                    Response.Write("<script>alert('用户名或密码错误 ');history.go(-1);</script>");

                   Response.Redirect("./Admin_login.aspx");            }

     

    5,sql语句过滤不严,存在sql注入漏洞 (高危漏洞)

    漏洞描述:SQL 查询语句直接拼接用户输入且过滤不严,攻击者可借此直接操作 Access 数据库,如添加帐号、删除产品等。

    解决方案:根本修复是把每一处拼接的 SQL 改为参数化查询(与第 4 条 Exists 方法相同的做法)。下面的 Global.asax 代码只是一道附加防线:它只检查 QueryString 和 Form 中的值(不检查 Cookie、请求头和 URL 路径),关键字都带有尾随空格("select "、"exec " 等),用 select/**/1 或制表符即可绕过,因此不能单独依赖它。

     #region 防注入代码

            /// <summary>

            /// 处理用户提交的请求

            /// </summary>

            private void StartSqlinjionCheck()

            {

                try

                {

                    string getkeys = "";

     

                    if (System.Web.HttpContext.Current.Request.QueryString != null)

                    {

     

                        for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)

                        {

                            getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];

                            if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))

                            {

                                System.Web.HttpContext.Current.Response.Write("<h3>不能包含执行语句</h3>");

                                System.Web.HttpContext.Current.Response.End();

                            }

                        }

                    }

                    if (System.Web.HttpContext.Current.Request.Form != null)

                    {

                        for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)

                        {

                            getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];

                            if (getkeys == "__VIEWSTATE") continue;

                            if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))

                            {

                            

                                System.Web.HttpContext.Current.Response.Write("<h3>不能包含执行语句</h3>");

                                System.Web.HttpContext.Current.Response.End();

                            }

                        }

                    }

                }

                catch

                {

     

                }

     

     

            }

     

            /// <summary>

            /// 分析用户请求是否正常

            /// </summary>

            /// <param name="Str">传入用户提交数据 </param>

            /// <returns>返回是否含有SQL注入式攻击代码</returns>

            private bool ProcessSqlStr(string Str)

            {

                bool ReturnValue = true;

                try

                {

                    if (Str.Trim() != "")

                    {

                        //string SqlStr = "and |exec |insert |select |delete |update |count |* |chr |mid |master |truncate |char |declare";

                        string SqlStr = "exec |insert |select |delete |update |mid |master |truncate |declare";

                        string[] anySqlStr = SqlStr.Split('|');

                        foreach (string ss in anySqlStr)

                        {

                            if (Str.ToLower().IndexOf(ss) >= 0)

                            {

                                ReturnValue = false;

                                break;

                            }

                        }

                    }

                }

                catch

                {

                    ReturnValue = false;

                }

                return ReturnValue;

            }

     

     

            #endregion

     

     

                                                   技术部  Mxi4oyu

                                                      

     

     

     

  • 原文地址:https://www.cnblogs.com/secbook/p/2654915.html