过滤网址的非法字符串

YJGC*B1rl3e0第一种：
2fsvH!H:k_-YH X3J0squery=lcase(Request.ServerVariables("QUERY_STRING"))51Testing软件测试网~Cb)Dlky
sURL=lcase(Request.ServerVariables("HTTP_HOST"))
$URD^#}-j051Testing软件测试网5^X!S2Mb&yD
SQL_injdata =":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
/~"ly7s y;{B'i0
[ n,sYio"k-Z\Z0SQL_inj = split(SQL_Injdata,"|")
%v
p*r8?MPq}^!j
I051Testing软件测试网3D
e eqaut,X
For SQL_Data=0 To Ubound(SQL_inj)
],v-exP7hPE9p0if instr(squery&sURL,Sql_Inj(Sql_DATA))>0 Then
%XoO/OxQY0J0Response.Write "SQL通用防注入系统"51Testing软件测试网-z#Ls'jG
Response.end51Testing软件测试网 ?x8x5n@&s
end if
Y;n eDR)dA0next
lcz S\J0

第二种：
2r
Ka @j/g0SQL_injdata =":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
TCrJ e URJt051Testing软件测试网w&v(r8T6p'}9g3k
SQL_inj = split(SQL_Injdata,"|")51Testing软件测试网h)z a1}|s#F

_0n xF%tp'z0If Request.QueryString<>"" Then
"H6oSPi@qw0For Each SQL_Get In Request.QueryString
7sE2^q4r[0For SQL_Data=0 To Ubound(SQL_inj)51Testing软件测试网*h
k d)@0q5nl
if instr(Request.QueryString(SQL_Get),Sql_Inj(Sql_DATA))>0 Then51Testing软件测试网'zCa_h
Response.Write "SQL通用防注入系统"51Testing软件测试网+O;]zwX'DU]
Response.end51Testing软件测试网)qB v4I$Y.| L|.Eh9S
end if
m#loj6Mkh0next51Testing软件测试网"o:@jq2gC(V1zZ
Next
7w~/Xu*\_S0End If
"\X*f]O-Els0
c)@N uO:kp'C1o0If Request.Form<>"" Then
!M I C%~h7o,A+ej0For Each Sql_Post In Request.Form
^2m8_l}$I0For SQL_Data=0 To Ubound(SQL_inj)51Testing软件测试网.S)ug/E}
if instr(Request.Form(Sql_Post),Sql_Inj(Sql_DATA))>0 Then
"M2[-A)D4w!W(\0Response.Write "SQL通用防注入系统"51Testing软件测试网-K4wz){-Y%en
Response.end
+RY.I"JA%{
kd0end if
HMWucB!n0next51Testing软件测试网XAhL-i6BC;Y9P}"pgX
next51Testing软件测试网:} ^:h-rC:^ Q+H
end if51Testing软件测试网#p9O v `0x

3zimDY+k'bJy0第三种
Tus%fC&m0<%51Testing软件测试网`Jxi&K
R ^v Y
'--------定义部分------------------51Testing软件测试网6{AB\5q3Y
Dim Str_Post,Str_Get,Str_In,Str_Inf,Str_Xh,Str_db,Str_dbstr
E*NxZ'JI0'自定义需要过滤的字串,用 "■"分离
3{?4r*_z0Str_In = "'■;■and■exec■insert■select■delete■update■count■*■%■chr■mid■master■truncate■char■declare"
p:O\:^,Ro0'----------------------------------
Ul5L+j;x*{0%>
(Xx,\!]!cUlI(j0
`NH-Z*Q0<%51Testing软件测试网8}-V"Z \;ik}.i
Str_Inf = split(Str_In,"■")51Testing软件测试网 MVr&O$JuC~
'--------POST部份------------------51Testing软件测试网(y$Z hI"bQy
n!z
If Request.Form<>"" Then51Testing软件测试网]q$d-v5e*B-y
For Each Str_Post In Request.Form51Testing软件测试网&c J"n4E[NR LN
51Testing软件测试网/ocM_%M?5eO
For Str_Xh=0 To Ubound(Str_Inf)
/W!Vc#t6~1Ln(A0If Instr(LCase(Request.Form(Str_Post)),Str_Inf(Str_Xh))<>0 Then
0Oh8GM I3XO0'--------写入数据库----------头-----
Qf d:f r7u}0Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
V:VV
F!V~)Q-nIp0Set Str_db=Server.CreateObject("ADODB.CONNECTION")51Testing软件测试网.AL%ofK#td/}M
Str_db.open Str_dbstr51Testing软件测试网8Ysh a"B2{x
Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','POST','"&Str_Post&"','"&replace(Request.Form(Str_Post),"'","''")&"')")51Testing软件测试网/Lp B+O'N%["v
Str_db.close
9A;l-v0P1_#`0Set Str_db = Nothing
.C3B{!js0A9Va.v0'--------写入数据库----------尾-----51Testing软件测试网;}\%Y#v*^
Response.Write "<scrīpt Language=Javascrīpt>alert('请不要在参数中包含非法字符尝试注入！');</scrīpt>"51Testing软件测试网2KL%@l6H9P;L2wG)h
Response.Write "非法操作！系统做了如下记录:<br>"
8P@X$O3K`.R4A0Response.Write "操作IP："&Request.ServerVariables("REMOTE_ADDR")&"<br>"51Testing软件测试网KF8j6J#H&~WZz
Response.Write "操作时间："&Now&"<br>"51Testing软件测试网;O&dG7cQ r
Response.Write "操作页面："&Request.ServerVariables("URL")&"<br>"51Testing软件测试网ucq-ut*F8S t8\~,F
Response.Write "提交方式：POST<br>"
S"Sc0Zl(c%vJ0Response.Write "提交参数："&Str_Post&"<br>"51Testing软件测试网Q C8o_.pnp:\
Response.Write "提交数据："&Request.Form(Str_Post)
I
q]~G2y0Response.End
/Q[AA9Q&R!Vj0End If51Testing软件测试网_k*F z5Lp.t]t
Next51Testing软件测试网 O~1Um"P/W
51Testing软件测试网3\T6hy[ZGY
Next
lWW;pa6K*m{0End If51Testing软件测试网;VZS;N|l,Oz
'----------------------------------51Testing软件测试网L{8itYK~
51Testing软件测试网bt6W+s]GH/B.ppq V
'--------GET部份-------------------51Testing软件测试网1o}*J$QZ(_
If Request.QueryString<>"" Then51Testing软件测试网 q x%ms0K,p
For Each Str_Get In Request.QueryString
aO.G z5u&h%uC/a0
w_,\S\h$t0For Str_Xh=0 To Ubound(Str_Inf)51Testing软件测试网$w0saBQ0u!Ry~
If Instr(LCase(Request.QueryString(Str_Get)),Str_Inf(Str_Xh))<>0 Then
Wd|6M\&`0'--------写入数据库----------头-----51Testing软件测试网T
}0EFUi%E
Str_dbstr="DBQ="+server.mappath("SqlIn.mdb")+";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"51Testing软件测试网-I6IVFt7H0I0B
Set Str_db=Server.CreateObject("ADODB.CONNECTION")
3mZD?$}+spm0Str_db.open Str_dbstr51Testing软件测试网?X7z{Wj3R5\k
Str_db.Execute("insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','GET','"&Str_Get&"','"&replace(Request.QueryString(Str_Get),"'","''")&"')")51Testing软件测试网CRw|Ee
Str_db.close
E+G|xQV*?-i{.G0Set Str_db = Nothing51Testing软件测试网y rN%ugM
'--------写入数据库----------尾-----51Testing软件测试网 mi7}{\9lx1b

2c bD*y gq&Da0Response.Write "<scrīpt Language=Javascrīpt>alert('请不要在参数中包含非法字符尝试注入！);</scrīpt>"51Testing软件测试网:T'T}(b}#G!ld
Response.Write "非法操作！系统做了如下记录:<br>"51Testing软件测试网'E;wM4_"d1O#n8W
Response.Write "操作IP："&Request.ServerVariables("REMOTE_ADDR")&"<br>"
']Y#BfC0Response.Write "操作时间："&Now&"<br>"51Testing软件测试网2X!{Hn,uT
Response.Write "操作页面："&Request.ServerVariables("URL")&"<br>"51Testing软件测试网/@.D/LT y
Response.Write "提交方式：GET<br>"
A o$AmS U.v+Mb(FS0Response.Write "提交参数："&Str_Get&"<br>"
,x(n!m1^6X&[Fg ?wi0Response.Write "提交数据："&Request.QueryString(Str_Get)51Testing软件测试网M%NNd3Fi VG.Z
Response.End
i)r'}J5l JQ$@ UF0End If
*Q$i3}`]0Next
_4|9F,c}%x'R!`5w0Next
w+H7p&Lc4kU)[0End If
q:d^)@T@ \)H0%>51Testing软件测试网^+gZ@2aNmHZ
第3中方法需要你自己建个数据库表51Testing软件测试网lRwC5WW
\