开发学院WEB开发ASP 强力防SQL注入 阅读

强力防SQL注入

 2009-04-22 10:38:11 来源:WEB开发网   
核心提示:很久之前收集的,非常不错,强力防SQL注入,不然也不会发给大家,呵呵! 程序代码<%'防注入系统dim bqs,berrc,biii,burlbqs=request.servervariables("query_string")If Request.ServerVariables(&q

很久之前收集的,非常不错,不然也不会发给大家,呵呵!

 程序代码
<%
'防注入系统
dim bqs,berrc,biii,burl
bqs=request.servervariables("query_string")

If Request.ServerVariables("HTTPS") = "off" Then bUrl = "http://" Else bUrl = "https://" End If
bUrl = bUrl & Request.ServerVariables("SERVER_NAME")
If Request.ServerVariables("SERVER_PORT") <> 80 Then bUrl = bUrl &":"& Request.ServerVariables("SERVER_PORT") End If
bUrl = bUrl & Request.ServerVariables("URL")
If Request.QueryString <>"" Then bUrl = bUrl & "?" & Request.QueryString End If

'burl=Request.ServerVariables("URL")

dim bnothis(61)
bnothis(0)="net user"
bnothis(1)="@a"
bnothis(2)="/add"
bnothis(3)="exec%20master.dbo.xp_cmdshell"
bnothis(4)="net localgroup administrators"
bnothis(5)="select"
bnothis(6)="count"
bnothis(7)="asc"
bnothis(8)="char"
bnothis(9)="mid"
bnothis(10)="cscript.exe"
bnothis(11)="declare"
bnothis(12)="insert"
bnothis(13)="delete"
bnothis(14)="drop"
bnothis(15)="truncate"
bnothis(16)="wscript.shell"
bnothis(17)="%20"
bnothis(18)=" "
bnothis(19)="script"
bnothis(20)="system32"
bnothis(21)="CmdShell"
bnothis(22)="sysadmin"
bnothis(23)="serveradmin"
bnothis(24)="setupadmin"
bnothis(25)="securityadmin"
bnothis(26)="diskadmin"
bnothis(27)="bulkadmin"
bnothis(28)="exec master.dbo.sp_addlogin"
bnothis(29)="exec master.dbo.sp_passWord"
bnothis(30)="exec master.dbo.sp_addsrvrolemember"
bnothis(31)="create"
bnothis(32)="exec xp_reg"
bnothis(33)="backup"
bnothis(34)="net localgroup administrators"
bnothis(35)="Asc"
bnothis(36)="+dir+"
bnothis(37)="drop table"
bnothis(38)="exec master.dbo.sp_addextendedPRoc"
bnothis(39)="master.dbo.sysobjects"
bnothis(40)="master.dbo.xp_regwrite"
bnothis(41)="master.dbo.sysdatabases"
bnothis(42)="DECLARE"
bnothis(43)="EXEC sp_oacreate"
bnothis(44)="EXEC sp_oamethod"
bnothis(45)="xp_"
bnothis(46)="Sp_"
bnothis(47)="%2B"
bnothis(48)="%5c"
bnothis(49)="@"
bnothis(50)="Sp_OAMethod"
bnothis(51)="Sp_OASetProperty"
bnothis(52)="Sp_OAStop"
bnothis(53)="Xp_regaddmultistring"
bnothis(54)="Xp_regdeletekey"
bnothis(55)="Xp_regdeletevalue"
bnothis(56)="Xp_regenumvalues"
bnothis(57)="Xp_regread"
bnothis(58)="Xp_regremovemultistring"
bnothis(59)="Xp_regwrite"
bnothis(60)="insert into"
bnothis(61)=".txt"
berrc=False
for biii= 0 to ubound(bnothis)
if instr(bqs,bnothis(biii))<>0 or instr(burl,bnothis(biii))<>0 Then
berrc=true
end if
next
if berrc Then

  Dim  ValidEntry  
  ValidEntry  =  True 
  If  not  IsEmpty(session("LogIn"))  Then  ValidEntry  =  False 
  If  ValidEntry  Then  
  Const  ForAppending  =  8 
  Const  Create  =  true 
  Dim  fso 
  DIM  TS 
  DIM  MyFileName 
  'Dim  strLog 
  Dim  strTime,strip,strwords,struser,strport
  
  MyFileName  =  Server.MapPath("/visited_forum.txt") 
  Set  FSO  =  Server.CreateObject("Scripting.FileSystemObject_100502") 
  Set  TS  =  FSO.OpenTextFile(MyFileName,  ForAppending,  Create)
 
  strip=Request.ServerVariables ("REMOTE_ADDR")  &  ""
  if strip="" then
  strip=Request.ServerVariables("HTTP_X_FORWARDED_FOR")  &  ""
  end if

  strport=Request.ServerVariables("REMOTE_PORT")
  strwords=request.servervariables("query_string")
  strtime=now()
  struser=request.servervariables("http_user_agent")
 
  '  Write  current  information  to  Log  Text  File. 
  Ts.writeline  "攻击者详细资料:" 
  Ts.writeline  "攻击者IP地址:"&strip
  Ts.writeline  "攻击者端口:"&strport
  Ts.writeline  "客户端机器的相关环境:"&struser
  Ts.writeline  "攻击时间:"&strtime
  Ts.writeline  "攻击页面:"&burl
  Ts.writeline  "攻击语句:"&strwords
  Ts.writeline  "----------------------------------------" 
  TS.Writeline  "" 
  '  Create  a  session  varialbe  to  check  next  time  for  ValidEntry 
  Session("LogIn")  =  "yes" 
  Set  TS  =  Nothing 
  Set  FSO  =  Nothing 
  End  If

Response.Write "<Script Language=javaScript>alert('系统提示↓\n\n请不要输入非法字符["&bqs&"]尝试注入!\n\n您的IP["&strip&":"&strport&"]将被本站禁止!\n\n如有疑问请联系管理员QQ:xxxxxx');top.location.href='/forum/index.asp';</Script>"
Response.end
end If
%>

Tags:强力 SQL 注入

编辑录入:爽爽 [复制链接] [打 印]
[]
  • 好
  • 好的评价 如果觉得好,就请您
      0%(0)
  • 差
  • 差的评价 如果觉得差,就请您
      0%(0)
赞助商链接