ASP anti-injection

Date: 2024-05-21 15:04:08

Because I am improving a set of ASP code for my company, I gave some thought to injection prevention.

I referenced several pieces of code from the web, modified and merged them, and convert everything to lowercase before processing.

Script injection was also considered.

The code is as follows:

'ASP anti-injection code
'Blacklist tokens; every request value is tested for each one as a substring (case-insensitive)
SQL_injdata = lcase(":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'")
SQL_injdata = SQL_injdata & lcase("|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|script")
SQL_inj = split(SQL_injdata, "|")

'Query string: purely numeric values are exempt, everything else is matched against every token
if Request.QueryString <> "" then
  For Each SQL_Get In Request.QueryString
    For SQL_Data = 0 To Ubound(SQL_inj)
      if not IsNumeric(Request.QueryString(SQL_Get)) then
        if instr(lcase(Request.QueryString(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
          Response.Write "Sorry, illegal URL request!"
          Response.End
        end if
      end if
    next
  next
end if

'Form fields: same token match, with no numeric exemption
if Request.Form <> "" then
  For Each SQL_Post In Request.Form
    For SQL_Data = 0 To Ubound(SQL_inj)
      if instr(lcase(Request.Form(SQL_Post)), SQL_inj(SQL_Data)) > 0 Then
        Response.Write "Sorry, illegal form submission!"
        Response.End
      end if
    next
  next
end if

'Cookies: same token match
if Request.Cookies <> "" then
  For Each SQL_Post In Request.Cookies
    For SQL_Data = 0 To Ubound(SQL_inj)
      if instr(lcase(Request.Cookies(SQL_Post)), SQL_inj(SQL_Data)) > 0 Then
        Response.Write "Sorry, illegal cookie data!"
        Response.End
      end if
    next
  next
end if

'POST filtering: SQL injection defence and HTML escaping start here.
'Note: Replace() compares case-sensitively by default, so the keyword
'deletions below match "select" but not "SELECT" or "Select".
function nosql(str)
  if not isnull(str) then
    str = trim(str)
    str = replace(str, ";", "；")              'semicolon -> full-width
    str = replace(str, "'", "''")              'single quote (chr(39)) doubled
    str = replace(str, """", "&quot;")         'double quote (chr(34))
    str = replace(str, chr(9), "&nbsp;")       'tab
    str = replace(str, chr(10), "<br>")        'line feed
    str = replace(str, chr(13), "<br>")        'carriage return
    str = replace(str, chr(32), "&nbsp;")      'space
    str = Replace(str, "script", "&#115cript") 'jscript
    str = replace(str, "<", "&lt;")            'left <
    str = replace(str, ">", "&gt;")            'right >
    str = replace(str, "(", "（")              'left ( -> full-width
    str = replace(str, ")", "）")              'right ) -> full-width
    str = replace(str, "--", "－－")            'SQL comment marker -> full-width
    str = replace(str, "net user", "")
    str = replace(str, "xp_cmdshell", "")
    str = replace(str, "/add", "")
    str = replace(str, "exec%20master.dbo.xp_cmdshell", "")
    str = replace(str, "net localgroup administrators", "")
    str = replace(str, "select", "")
    str = replace(str, "count", "")
    str = replace(str, "asc", "")
    str = replace(str, "char", "")
    str = replace(str, "mid", "")
    str = replace(str, ":", "")
    str = replace(str, "insert", "")
    str = replace(str, "delete", "")
    str = replace(str, "drop", "")
    str = replace(str, "truncate", "")
    str = replace(str, "from", "")
    str = replace(str, "%", "")
    nosql = str
  end if
end function
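To see what the two filters above actually do, here is a Python re-implementation of the request-time blacklist and of nosql(), run against constructed inputs and a small in-memory SQLite table. This is an added example, not code from the original page; the table `news`, the column `secret`, the sample values and the `is_numeric` approximation of VBScript's IsNumeric are all assumptions. It shows three things worth knowing before deploying the filter: the substring blacklist rejects ordinary values such as "account" (contains "count") and "Sandra" (contains "and"); it lets the tautology `1 or 1=1` through, because neither `or` nor `=` is on the list, and with string-concatenated SQL that returns every row; and nosql() matches case-sensitively, so `select` is deleted while `Select` survives. The parameterized query at the end is the control that actually holds, because the value is bound as data rather than parsed as SQL.

```python
"""Python re-implementation of the page's two ASP filters (request-time blacklist
and nosql()) plus a concatenated vs. parameterized query on an in-memory SQLite
table. Added example with constructed inputs; not the page's own code."""
import re
import sqlite3

# Token list copied from the page's SQL_injdata strings, lower-cased and split on "|".
SQL_INJ = (":|;|>|<|--|sp_|xp_|\\|dir|cmd|^|(|)|+|$|'"
           "|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid"
           "|master|truncate|char|declare|script").lower().split("|")

# The page's nosql() replacements in the page's order. str.replace is case-sensitive,
# exactly like VBScript Replace() with its default binary comparison.
NOSQL_RULES = [
    (";", "；"), ("'", "''"), ('"', "&quot;"), ("\t", "&nbsp;"), ("\n", "<br>"),
    ("\r", "<br>"), (" ", "&nbsp;"), ("script", "&#115cript"), ("<", "&lt;"),
    (">", "&gt;"), ("(", "（"), (")", "）"), ("--", "－－"), ("net user", ""),
    ("xp_cmdshell", ""), ("/add", ""), ("exec%20master.dbo.xp_cmdshell", ""),
    ("net localgroup administrators", ""), ("select", ""), ("count", ""),
    ("asc", ""), ("char", ""), ("mid", ""), (":", ""), ("insert", ""),
    ("delete", ""), ("drop", ""), ("truncate", ""), ("from", ""), ("%", ""),
]

_NUMERIC = re.compile(r"^\s*[-+]?\d+(\.\d+)?\s*$")


def is_numeric(value):
    """Approximation of VBScript IsNumeric for plain decimal input (assumption)."""
    return bool(_NUMERIC.match(value))


def blocked_by_blacklist(value):
    """The page's Request.QueryString check for one value: numeric values are exempt;
    otherwise return the first blacklist token found as a substring, or None when
    the value would be allowed through."""
    if is_numeric(value):
        return None
    low = value.lower()
    for token in SQL_INJ:
        if token in low:
            return token
    return None


def nosql(value):
    """Port of the page's nosql(): trim, then apply each replacement in order."""
    if value is None:
        return None
    value = value.strip()
    for old, new in NOSQL_RULES:
        value = value.replace(old, new)
    return value


def make_db():
    """Constructed sample table standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, secret TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn


def dynamic_query(conn, user_id):
    """String-concatenated SQL, the pattern the page's filters try to protect."""
    return conn.execute("SELECT id, secret FROM news WHERE id=" + user_id).fetchall()


def parameterized_query(conn, user_id):
    """Bound parameter: the value is data and is never parsed as SQL."""
    return conn.execute("SELECT id, secret FROM news WHERE id=?", (user_id,)).fetchall()


if __name__ == "__main__":
    # False positives: ordinary values the blacklist rejects.
    for benign in ("account", "Sandra", "Christmas", "midnight"):
        print(f"{benign!r:12} blocked by token {blocked_by_blacklist(benign)!r}")
    # A tautology the blacklist allows: neither "or" nor "=" is a token.
    payload = "1 or 1=1"
    print(f"{payload!r} blocked by {blocked_by_blacklist(payload)!r}")
    conn = make_db()
    print("concatenated:  ", dynamic_query(conn, payload))        # every row
    print("parameterized: ", parameterized_query(conn, payload))  # no rows
    # nosql() is case-sensitive: "select" is deleted, "Select" survives.
    print(repr(nosql("select")), "|", nosql("Select secret from news"))
```

In classic ASP the parameterized form uses ADODB.Command: put `?` placeholders in CommandText, build each value with CreateParameter (for example with adInteger and adParamInput) and add it with Parameters.Append, then call Execute. The blacklist can stay as a noisy early warning if desired, but it should not be the control that the SQL layer depends on.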

References:

http://itlobo.com/articles/1123.html

http://www.aisenan.com/hack/aspfzrdm_fcookiezrdm_13.html

http://www.mkshy.com/networkTechnology/preventInjection.shtml