  • ASP anti-injection

    Because I am improving a set of the company's ASP code, I looked into the problem of preventing injection.

    I referred to several pieces of code from the web, modified and merged them, and convert everything to lowercase before processing.

    Script injection was also taken into account.

    The code is as follows:

    'ASP anti-injection code
    ' Every pattern is compared against the lowercased request value.
    ' The list must not contain an empty token ("||"): InStr with an empty
    ' search string returns 1, which would reject every request.
    SQL_injdata = lcase(":|;|>|<|--|sp_|xp_|dir|cmd|^|(|)|+|$|'")
    SQL_injdata = SQL_injdata & lcase("|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|script")
    SQL_inj = split(SQL_injdata, "|")
    
    ' Query string: purely numeric values are skipped, everything else is scanned.
    if Request.QueryString <> "" then
        For Each SQL_Get In Request.QueryString
            For SQL_Data = 0 To Ubound(SQL_inj)
                if not IsNumeric(Request.QueryString(SQL_Get)) then
                    if instr(lcase(Request.QueryString(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
                        Response.Write "对不起,非法URL地址请求!"
                        Response.end
                    end if
                end if
            next
        next
    end if
    
    ' Form fields (POST body)
    if Request.Form <> "" then
        For Each SQL_Post In Request.Form
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(lcase(Request.Form(SQL_Post)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "对不起,非法数据提交!"
                    Response.end
                end if
            next
        next
    end if
    
    ' Cookies
    if Request.Cookies <> "" then
        For Each SQL_Cookie In Request.Cookies
            For SQL_Data = 0 To Ubound(SQL_inj)
                if instr(lcase(Request.Cookies(SQL_Cookie)), SQL_inj(SQL_Data)) > 0 Then
                    Response.Write "对不起,非法URL地址请求!"
                    Response.end
                end if
            next
        next
    end if
    
    
    'POST filtering: SQL injection prevention and HTML protection start
    ' Escapes characters that matter in HTML and SQL, then strips dangerous words.
    ' Keyword replacements pass vbTextCompare so they are case-insensitive,
    ' matching the lowercase handling above.
    function nosql(str)
        if not isnull(str) then
            str = trim(str)
            str = replace(str, ";", "&#59;")       ' semicolon
            str = replace(str, "'", "&#39;")       ' single quote
            str = replace(str, """", "&quot;")     ' double quote
            str = replace(str, "<", "&lt;")        ' left <
            str = replace(str, ">", "&gt;")        ' right >
            str = replace(str, "(", "&#40;")       ' left (
            str = replace(str, ")", "&#41;")       ' right )
            str = replace(str, "--", "&#45;&#45;") ' SQL comment marker
            ' Control characters: Chr() has to be called, not written as the
            ' quoted text "chr(9)", and the <br> insertion must come after
            ' < and > have been encoded or the tags would be escaped too.
            ' Chr(34) and Chr(39) are the quote characters already handled above.
            str = replace(str, Chr(9), "&nbsp;")          ' tab
            str = replace(str, Chr(13) & Chr(10), "<br>") ' CRLF
            str = replace(str, Chr(10), "<br>")           ' line feed
            str = replace(str, Chr(13), "<br>")           ' carriage return
            str = replace(str, Chr(32), "&nbsp;")         ' space
            str = Replace(str, "script", "&#115;cript", 1, -1, vbTextCompare) ' jscript
    
            ' Strip command fragments and SQL keywords. The encoded form is
            ' removed before the bare xp_cmdshell so that it can still match.
            str = Replace(str, "net user", "", 1, -1, vbTextCompare)
            str = Replace(str, "exec%20master.dbo.xp_cmdshell", "", 1, -1, vbTextCompare)
            str = Replace(str, "xp_cmdshell", "", 1, -1, vbTextCompare)
            str = Replace(str, "/add", "", 1, -1, vbTextCompare)
            str = Replace(str, "net localgroup administrators", "", 1, -1, vbTextCompare)
            str = Replace(str, "select", "", 1, -1, vbTextCompare)
            str = Replace(str, "count", "", 1, -1, vbTextCompare)
            str = Replace(str, "asc", "", 1, -1, vbTextCompare)
            str = Replace(str, "char", "", 1, -1, vbTextCompare)
            str = Replace(str, "mid", "", 1, -1, vbTextCompare)
            str = Replace(str, ":", "")
            str = Replace(str, "insert", "", 1, -1, vbTextCompare)
            str = Replace(str, "delete", "", 1, -1, vbTextCompare)
            str = Replace(str, "drop", "", 1, -1, vbTextCompare)
            str = Replace(str, "truncate", "", 1, -1, vbTextCompare)
            str = Replace(str, "from", "", 1, -1, vbTextCompare)
            str = Replace(str, "%", "")
            nosql = str
        end if
    end function
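    As an added example, not code from the original post or from the pages it references: the two controls that the keyword blacklist above is standing in for, written for Classic ASP. User values are bound as ADO parameters instead of being concatenated into the SQL text, and are encoded with Server.HTMLEncode when written back into the page. The table and column names (articles, id, title), the ADO constants spelled out as Const, and the connection string are assumptions for the example.

```vbscript
<%
' Added example (not from the original post): user values go to the database
' as ADO parameters and are HTML-encoded on the way out.
' Assumptions: a table "articles" with columns id (integer) and title (text);
' CONN_STRING is a placeholder connection string.
Option Explicit

Const CONN_STRING = "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=demo;Integrated Security=SSPI;"
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarWChar = 202

' Looks up one article by id. The id is validated as numeric and bound as an
' integer parameter, so quote characters, comment markers or SQL keywords in
' the request can only fail validation; they never become part of the query.
Function GetArticleTitle(rawId)
    Dim conn, cmd, rs
    GetArticleTitle = ""
    If Not IsNumeric(rawId) Then Exit Function

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT title FROM articles WHERE id = ?"
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    Set rs = cmd.Execute
    If Not rs.EOF Then GetArticleTitle = rs("title") & ""
    rs.Close
    conn.Close
End Function

' Free-text search: the keyword is bound as a string parameter to a LIKE
' pattern. Whatever characters it contains are compared literally against
' the title column rather than parsed as SQL, so no word list is needed.
Function SearchTitles(keyword)
    Dim conn, cmd, rs, titles
    titles = ""
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open CONN_STRING
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "SELECT title FROM articles WHERE title LIKE ?"
    cmd.Parameters.Append cmd.CreateParameter("kw", adVarWChar, adParamInput, 255, "%" & keyword & "%")
    Set rs = cmd.Execute
    Do While Not rs.EOF
        ' Output side: encode before writing so < > & " in stored text render
        ' as characters instead of markup (the script injection case).
        titles = titles & "<li>" & Server.HTMLEncode(rs("title") & "") & "</li>"
        rs.MoveNext
    Loop
    rs.Close
    conn.Close
    SearchTitles = titles
End Function

Response.Write "<h1>" & Server.HTMLEncode(GetArticleTitle(Request.QueryString("id"))) & "</h1>"
Response.Write "<ul>" & SearchTitles(Request.QueryString("q")) & "</ul>"
%>
```

    With parameters in place, a filter like nosql() becomes a defence-in-depth layer rather than the only protection; stripping words such as "from", "count" or "asc" also mangles ordinary text (an English comment, a product name), which is why the encoding is applied at output time and the word list is not relied on for the query itself.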

    References:

    http://itlobo.com/articles/1123.html

    http://www.aisenan.com/hack/aspfzrdm_fcookiezrdm_13.html

    http://www.mkshy.com/networkTechnology/preventInjection.shtml

  • Original URL: https://www.cnblogs.com/xuezhizhang/p/3238041.html