过滤网址的非法字符串
第一种:
' Example 1: blacklist scan of the raw query string plus the Host header.
' Both pieces are lower-cased so the lower-case tokens in SQL_injdata
' match regardless of how the client spelled them. On the first hit the
' marker text is written and the response is ended, so the page body
' never executes.
'
' NOTE(review): QUERY_STRING is the still-encoded query string, so the
' tokens are compared against encoded text; the "%" entry therefore
' rejects any percent-encoded character at all - confirm that is intended.
' NOTE(review): HTTP_HOST may carry a ":port" suffix on non-default ports,
' which would match the ":" token and block every request on such a
' deployment - verify before relying on this check there.
' This is a coarse heuristic; it does not replace parameterized queries
' in the data-access code.
squery = LCase(Request.ServerVariables("QUERY_STRING"))
sURL = LCase(Request.ServerVariables("HTTP_HOST"))
SQL_injdata = ":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")
' Walk the token array directly instead of by index; order is unchanged.
For Each token In SQL_inj
    If InStr(squery & sURL, token) > 0 Then
        Response.Write "SQL通用防注入系统"
        Response.End
    End If
Next
lcz S\J0
第二种:
2rKa
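' Example 2: blacklist scan of every query-string and form field.
' SQL_injdata holds lower-case tokens separated by "|"; SQL_inj is the
' resulting array. Each submitted value is lower-cased before matching,
' so an upper-case keyword cannot slip past the lower-case token list
' (the original compared the raw value, which examples 1 and 3 avoid by
' calling LCase; this version does the same).
' This is a coarse heuristic; it does not replace parameterized queries
' in the data-access code.
SQL_injdata = ":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
SQL_inj = Split(SQL_injdata, "|")

' Scans one submitted value against SQL_inj. On a hit it writes the marker
' text and ends the response, so the calling page never runs.
Sub CheckSQLValue(strValue)
    Dim SQL_Data
    For SQL_Data = 0 To UBound(SQL_inj)
        If InStr(LCase(strValue), SQL_inj(SQL_Data)) > 0 Then
            Response.Write "SQL通用防注入系统"
            Response.End
        End If
    Next
End Sub

' GET parameters: one value per field name.
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        CheckSQLValue Request.QueryString(SQL_Get)
    Next
End If

' POST parameters: same scan over the form collection.
If Request.Form <> "" Then
    For Each Sql_Post In Request.Form
        CheckSQLValue Request.Form(Sql_Post)
    Next
End If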
第三种:
<%
'--------Definitions------------------
' Blacklist of substrings that must not appear in any submitted value.
' Entries are separated by "■"; they are all lower-case because the scan
' further down lower-cases each input before matching.
Dim Str_Post, Str_Get          ' current form / query-string field name
Dim Str_In, Str_Inf            ' raw blacklist and its Split() array
Dim Str_Xh                     ' index into Str_Inf
Dim Str_db, Str_dbstr          ' ADO connection object and its connect string
Str_In = "'■;■and■exec■insert■select■delete■update■count■*■%■chr■mid■master■truncate■char■declare"
'----------------------------------
%>
(Xx,\!]!cUlI(j0
`NH-Z*Q0<%51Testing软件测试网8}-V"Z
\;ik}.i
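Str_Inf = Split(Str_In, "■")

'--------POST part------------------
' Every posted field is lower-cased and scanned for each blacklist token.
' A hit is logged to SqlIn.mdb, a notice page is written, and the
' response is ended so the page body never runs.
If Request.Form <> "" Then
    For Each Str_Post In Request.Form
        For Str_Xh = 0 To UBound(Str_Inf)
            If InStr(LCase(Request.Form(Str_Post)), Str_Inf(Str_Xh)) <> 0 Then
                '--------write to database----------head-----
                ' The field NAME (Str_Post) is client-controlled just like its
                ' value, so both get their single quotes doubled before being
                ' spliced into the INSERT; the original escaped only the value,
                ' leaving the logging statement itself open to injection via
                ' the field name. A parameterized ADODB.Command would be the
                ' more robust choice here.
                Str_dbstr = "DBQ=" & Server.MapPath("SqlIn.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
                Set Str_db = Server.CreateObject("ADODB.CONNECTION")
                Str_db.Open Str_dbstr
                Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" & Request.ServerVariables("REMOTE_ADDR") & "','" & Request.ServerVariables("URL") & "','POST','" & Replace(Str_Post, "'", "''") & "','" & Replace(Request.Form(Str_Post), "'", "''") & "')")
                Str_db.Close
                Set Str_db = Nothing
                '--------write to database----------tail-----
                ' The script tag is spelled plainly (the listing carried a
                ' mangled "scrīpt" that no browser would execute).
                Response.Write "<script Language=Javascript>alert('请不要在参数中包含非法字符尝试注入!');</script>"
                Response.Write "非法操作!系统做了如下记录:<br>"
                Response.Write "操作IP:" & Request.ServerVariables("REMOTE_ADDR") & "<br>"
                Response.Write "操作时间:" & Now & "<br>"
                Response.Write "操作页面:" & Request.ServerVariables("URL") & "<br>"
                Response.Write "提交方式:POST<br>"
                ' Client-supplied name and value are HTML-encoded before being
                ' echoed, so the notice page cannot reflect markup back.
                Response.Write "提交参数:" & Server.HTMLEncode(Str_Post) & "<br>"
                Response.Write "提交数据:" & Server.HTMLEncode(Request.Form(Str_Post))
                Response.End
            End If
        Next
    Next
End If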
'----------------------------------51Testing软件测试网L{8i tYK~
51Testing软件测试网 bt6W+s]GH/B.pp q V
'--------GET部份-------------------51Testing软件测试网1o}*J$QZ(_
If Request.QueryString<>"" Then51Testing软件测试网
q
x%m s0K,p
For Each Str_Get In Request.QueryString