  • 检测SQL注入式攻击代码

    (页面数据校验类)PageValidate.cs 基本通用。

    using System;
    using System.Text;
    using System.Web;
    using System.Web.UI.WebControls;
    using System.Text.RegularExpressions;
    
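    namespace Common
    {
    	/// <summary>
    	/// Page input validation helpers: numeric/decimal/e-mail/CJK checks,
    	/// trim-and-truncate, and HTML encoding for values shown on a page.
    	/// None of these helpers escapes a value for SQL; queries must still
    	/// pass user data through parameters.
    	/// </summary>
    	public class PageValidate
    	{
    		private static readonly Regex RegNumber = new Regex("^[0-9]+$");
    		private static readonly Regex RegNumberSign = new Regex("^[+-]?[0-9]+$");
    		// Digits with an optional fractional part. The earlier pattern
    		// "^[0-9]+[.]?[0-9]+$" required two digits, so a lone "5" was rejected.
    		private static readonly Regex RegDecimal = new Regex("^[0-9]+([.][0-9]+)?$");
    		private static readonly Regex RegDecimalSign = new Regex("^[+-]?[0-9]+([.][0-9]+)?$");
    		// \w is a word character (letter, digit or underscore; Unicode-aware in .NET).
    		// Only the listed top-level domains are accepted, so this is a coarse check.
    		private static readonly Regex RegEmail = new Regex("^[\\w-]+@[\\w-]+\\.(com|net|org|edu|mil|tv|biz|info)$");
    		// CJK Unified Ideographs; unanchored, so a match means "contains".
    		private static readonly Regex RegCHZN = new Regex("[\u4e00-\u9fa5]");

    		public PageValidate()
    		{
    		}


    		#region Numeric string checks

    		/// <summary>
    		/// Reads a request value (query string first, then form), trims it, cuts it to
    		/// <paramref name="maxLen"/> characters and returns it only if it is all digits.
    		/// </summary>
    		/// <param name="req">Current request.</param>
    		/// <param name="inputKey">Key looked up in QueryString, then in Form.</param>
    		/// <param name="maxLen">Maximum number of characters kept.</param>
    		/// <returns>The digit string, or <see cref="string.Empty"/> when the key is
    		/// missing, the value is empty or it is not purely numeric. Never null.</returns>
    		/// <exception cref="ArgumentNullException"><paramref name="req"/> is null.</exception>
    		public static string FetchInputDigit(HttpRequest req, string inputKey, int maxLen)
    		{
    			if (req == null)
    				throw new ArgumentNullException("req");
    			if (string.IsNullOrEmpty(inputKey))
    				return string.Empty;

    			// The query string wins when both carry the key.
    			string retVal = req.QueryString[inputKey];
    			if (retVal == null)
    				retVal = req.Form[inputKey];
    			if (retVal == null)
    				return string.Empty;

    			retVal = SqlText(retVal, maxLen);
    			// Trimming may leave an empty string; IsNumber rejects that as well.
    			return IsNumber(retVal) ? retVal : string.Empty;
    		}

    		/// <summary>
    		/// True when the string consists only of ASCII digits (at least one).
    		/// </summary>
    		/// <param name="inputData">Input; null or empty yields false.</param>
    		/// <returns>Whether the whole string is digits.</returns>
    		public static bool IsNumber(string inputData)
    		{
    			return inputData != null && RegNumber.IsMatch(inputData);
    		}

    		/// <summary>
    		/// True when the string is digits with an optional leading sign.
    		/// </summary>
    		/// <param name="inputData">Input; null or empty yields false.</param>
    		/// <returns>Whether the string is a signed integer literal.</returns>
    		public static bool IsNumberSign(string inputData)
    		{
    			return inputData != null && RegNumberSign.IsMatch(inputData);
    		}

    		/// <summary>
    		/// True when the string is digits with an optional ".digits" fraction.
    		/// </summary>
    		/// <param name="inputData">Input; null or empty yields false.</param>
    		/// <returns>Whether the string is an unsigned decimal literal.</returns>
    		public static bool IsDecimal(string inputData)
    		{
    			return inputData != null && RegDecimal.IsMatch(inputData);
    		}

    		/// <summary>
    		/// True when the string is an optionally signed decimal literal.
    		/// </summary>
    		/// <param name="inputData">Input; null or empty yields false.</param>
    		/// <returns>Whether the string is a signed decimal literal.</returns>
    		public static bool IsDecimalSign(string inputData)
    		{
    			return inputData != null && RegDecimalSign.IsMatch(inputData);
    		}

    		#endregion

    		#region Chinese character detection

    		/// <summary>
    		/// True when the string contains at least one CJK ideograph (U+4E00..U+9FA5).
    		/// </summary>
    		/// <param name="inputData">Input; null yields false.</param>
    		/// <returns>Whether any CJK character is present.</returns>
    		public static bool IsHasCHZN(string inputData)
    		{
    			return inputData != null && RegCHZN.IsMatch(inputData);
    		}

    		#endregion

    		#region E-mail address

    		/// <summary>
    		/// True when the string looks like "local@domain.tld" with one of the
    		/// top-level domains listed in <see cref="RegEmail"/>. Other valid addresses
    		/// (sub-domains, other TLDs, dots in the local part) are rejected.
    		/// </summary>
    		/// <param name="inputData">Input; null yields false.</param>
    		/// <returns>Whether the string matches the e-mail pattern.</returns>
    		public static bool IsEmail(string inputData)
    		{
    			return inputData != null && RegEmail.IsMatch(inputData);
    		}

    		#endregion

    		#region Other

    		/// <summary>
    		/// Trims the value and truncates it to <paramref name="maxLength"/> characters.
    		/// Despite the name this performs no escaping or quoting, so the result is not
    		/// safe to splice into SQL text; pass it as a query parameter instead.
    		/// </summary>
    		/// <param name="sqlInput">Raw input; may be null.</param>
    		/// <param name="maxLength">Maximum length kept.</param>
    		/// <returns>The trimmed, truncated value; null or empty input is returned as-is.</returns>
    		/// <exception cref="ArgumentOutOfRangeException"><paramref name="maxLength"/> is
    		/// negative and the trimmed input is longer than it.</exception>
    		public static string SqlText(string sqlInput, int maxLength)
    		{
    			if (string.IsNullOrEmpty(sqlInput))
    				return sqlInput;

    			string trimmed = sqlInput.Trim();
    			return trimmed.Length > maxLength ? trimmed.Substring(0, maxLength) : trimmed;
    		}

    		/// <summary>
    		/// HTML-encodes a value with <see cref="HttpUtility.HtmlEncode(string)"/>.
    		/// </summary>
    		/// <param name="inputData">Text to encode; null yields null.</param>
    		/// <returns>The encoded text.</returns>
    		public static string HtmlEncode(string inputData)
    		{
    			return HttpUtility.HtmlEncode(inputData);
    		}

    		/// <summary>
    		/// Sets a label's text to the HTML-encoded form of the input.
    		/// </summary>
    		/// <param name="lbl">Target label.</param>
    		/// <param name="txtInput">Text to show; encoded before assignment.</param>
    		/// <exception cref="ArgumentNullException"><paramref name="lbl"/> is null.</exception>
    		public static void SetLabel(Label lbl, string txtInput)
    		{
    			if (lbl == null)
    				throw new ArgumentNullException("lbl");
    			lbl.Text = HtmlEncode(txtInput);
    		}

    		/// <summary>
    		/// Overload for arbitrary objects; a null object produces an empty label.
    		/// </summary>
    		/// <param name="lbl">Target label.</param>
    		/// <param name="inputObj">Object whose ToString() is shown.</param>
    		public static void SetLabel(Label lbl, object inputObj)
    		{
    			SetLabel(lbl, inputObj == null ? string.Empty : inputObj.ToString());
    		}

    		/// <summary>
    		/// Trims and truncates the input, then replaces '"', '&lt;' and '&gt;' with their
    		/// HTML entities and blanks single quotes. The ampersand is left untouched, so
    		/// this is not a complete HTML encoding; use <see cref="HtmlEncode"/> for output.
    		/// </summary>
    		/// <param name="inputString">Raw input; may be null.</param>
    		/// <param name="maxLength">Maximum length kept before encoding.</param>
    		/// <returns>The cleaned string; empty for null or empty input.</returns>
    		public static string InputText(string inputString, int maxLength)
    		{
    			if (string.IsNullOrEmpty(inputString))
    				return string.Empty;

    			inputString = inputString.Trim();
    			if (inputString.Length > maxLength)
    				inputString = inputString.Substring(0, maxLength);

    			// Entity names were decoded in the published listing ("&quot;" showed as "\"");
    			// restored here so the method compiles and actually neutralises markup.
    			StringBuilder retVal = new StringBuilder(inputString.Length);
    			foreach (char c in inputString)
    			{
    				switch (c)
    				{
    					case '"':
    						retVal.Append("&quot;");
    						break;
    					case '<':
    						retVal.Append("&lt;");
    						break;
    					case '>':
    						retVal.Append("&gt;");
    						break;
    					case '\'':
    						retVal.Append(' '); // single quotes are blanked, not encoded
    						break;
    					default:
    						retVal.Append(c);
    						break;
    				}
    			}
    			return retVal.ToString();
    		}

    		/// <summary>
    		/// Converts text to HTML: entities for &amp;, ", &lt;, &gt;, non-breaking
    		/// spaces for blanks and &lt;br&gt; for newlines. Single quotes are doubled
    		/// (SQL-style), which the original author chose; <see cref="Decode"/> does not
    		/// undo that.
    		/// </summary>
    		/// <param name="str">Text to convert; null yields null.</param>
    		/// <returns>The converted text.</returns>
    		public static string Encode(string str)
    		{
    			if (str == null)
    				return null;
    			// '&' first, so the entities added below are not re-encoded.
    			str = str.Replace("&", "&amp;");
    			str = str.Replace("'", "''");
    			str = str.Replace("\"", "&quot;");
    			str = str.Replace(" ", "&nbsp;");
    			str = str.Replace("<", "&lt;");
    			str = str.Replace(">", "&gt;");
    			str = str.Replace("\n", "<br>");
    			return str;
    		}

    		/// <summary>
    		/// Reverses <see cref="Encode"/> for the HTML entities and &lt;br&gt;; the
    		/// doubled single quotes are left as they are.
    		/// </summary>
    		/// <param name="str">HTML produced by <see cref="Encode"/>; null yields null.</param>
    		/// <returns>Plain text.</returns>
    		public static string Decode(string str)
    		{
    			if (str == null)
    				return null;
    			str = str.Replace("<br>", "\n");
    			str = str.Replace("&gt;", ">");
    			str = str.Replace("&lt;", "<");
    			str = str.Replace("&nbsp;", " ");
    			str = str.Replace("&quot;", "\"");
    			// '&' last, so "&amp;lt;" does not collapse into "<".
    			str = str.Replace("&amp;", "&");
    			return str;
    		}

    		#endregion


    	}
    }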
     
     
     
    通用文件(Global.asax)：保存为 Global.asax 文件名，放到网站根目录下即可。
     
     
    <script language="C#" runat="server">
    	/// <summary>
    	/// Runs the request filter before any page or handler sees the request.
    	/// </summary>
    	protected void Application_BeginRequest(Object sender, EventArgs e)
    	{
    		StartProcessRequest();
    	}
    
          
        ///    <summary>   
        /// 处理用户提交的请求   
        ///    </summary>   
        private void StartProcessRequest()   
        {   
            try   
            {   
                string getkeys = "";   
                
                if (System.Web.HttpContext.Current.Request.QueryString != null)   
                {   
    
                    for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)   
                    {   
                        getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];   
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))   
                        {   
                            System.Web.HttpContext.Current.Response.Write("Get,出现错误,包含非法字符串");   
                            System.Web.HttpContext.Current.Response.End();   
                        }   
                    }   
                }   
                if (System.Web.HttpContext.Current.Request.Form != null)   
                {   
                    for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)   
                    {   
                        getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];   
                        if (getkeys == "__VIEWSTATE") continue;   
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))   
                        {   
                            System.Web.HttpContext.Current.Response.Write("Post,出现错误,包含非法字符串");   
                            System.Web.HttpContext.Current.Response.End();   
                        }   
                    }   
                } 
    			if(System.Web.HttpContext.Current.Request.Cookies!=null) 
    			{
    			    for (int i = 0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++)   
                    {   
                        getkeys = System.Web.HttpContext.Current.Request.Cookies.Keys[i];   
                        if (getkeys == "__VIEWSTATE") continue;   
                        if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].Value))   
                        {   
                            System.Web.HttpContext.Current.Response.Write("Cookies,出现错误,包含非法字符串");   
                            System.Web.HttpContext.Current.Response.End();   
                        }   
                    }   
    			} 
    	
            }   
            catch   
            {   
                // 错误处理: 处理用户提交信息!   
            }   
        }   
        ///    <summary>   
        /// 分析用户请求是否正常   
        ///    </summary>   
        ///    <param name="Str">传入用户提交数据   </param>   
        ///    <returns>返回是否含有SQL注入式攻击代码   </returns>   
        private bool ProcessSqlStr(string Str)   
        {   
            bool ReturnValue = true;   
            try   
            {   
                if (Str.Trim() != "")   
                {   
    				string SqlStr = "select|insert|delete|update|declare|sysobjects|syscolumns|cast|truncate|master|mid|exec";   
    
    				string[] anySqlStr = SqlStr.Split('|');    
                    foreach (string ss in anySqlStr)   
                    {   
                        if (Str.ToLower().IndexOf(ss) >= 0)   
                        {   
                            ReturnValue = false;   
                            break;   
                        }   
                    }   
                }   
            }   
            catch   
            {   
                ReturnValue = false;   
            }   
            return ReturnValue;   
        }   
    </script>
     
  • 原文地址:https://www.cnblogs.com/zengxiangzhan/p/1590685.html