ASP网站如何防止跨站脚本和SQL注入
使用方法如下:
1. 代码直接发出来,大家copy之后,保存为ykmaiz_safe.asp,然后放到站点根目录即可。
<% 02 'Code by kna-tech.com 03 On Error Resume Next 04 if request.querystring<>"" then call stophacker(request.querystring,"'|b(alert|confirm|prompt)b|<[^>]*?>|^+/v(8|9)|bonmouse(over|move)=b|b(and|or)b.+?(>|<|=|binb|blikeb)|/*.+?*/|<s*scriptb|bEXECb|UNION.+?SELECT|UPDATE.+?SET|INSERTs+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)s+(TABLE|DATABASE)") 05 if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|b(and|or)b.+?(>|<|=|binb|blikeb)|/*.+?*/|<s*scriptb|bEXECb|UNION.+?SELECT|UPDATE.+?SET|INSERTs+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)s+(TABLE|DATABASE)") 06 if request.Cookies<>"" then call stophacker(request.Cookies,"b(and|or)b.{1,6}?(=|>|<|binb|blikeb)|/*.+?*/|<s*scriptb|bEXECb|UNION.+?SELECT|UPDATE.+?SET|INSERTs+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)s+(TABLE|DATABASE)") 07 call stophacker(request.Form,"^+/v(8|9)|b(and|or)b.{1,6}?(=|>|<|binb|blikeb)|/*.+?*/|<s*scriptb|<s*imgb|bEXECb|UNION.+?SELECT|UPDATE.+?SET|INSERTs+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)s+(TABLE|DATABASE)") 08 09 function test(values,re) 10 dim regex 11 set regex=new regexp 12 regex.ignorecase = true 13 regex.global = true 14 regex.pattern = re 15 if regex.test(values) then 16 IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") 17 If IP = "" Then 18 IP=Request.ServerVariables("REMOTE_ADDR") 19 end if 20 'slog("
操作IP: "&ip&" 操作时间: " & now() & " 操作页面:"&Request.ServerVariables("URL")&" 提交方式: "&Request.ServerVariables("Request_Method")&" 提交参数: "&l_get&" 提交数据: "&l_get2) 21 Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'> 您的提交带有不合法参数,谢谢合作!
</div>") 22 Response.end 23 end if 24 set regex = nothing 25 end function 26 27 28 function stophacker(values,re) 29 dim l_get, l_get2,n_get,regex,IP 30 for each n_get in values 31 for each l_get in values 32 l_get2 = values(l_get) 33 set regex = new regexp 34 regex.ignorecase = true 35 regex.global = true
36 regex.pattern = re 37 if regex.test(l_get2) then 38 IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") 39 If IP = "" Then 40 IP=Request.ServerVariables("REMOTE_ADDR") 41 end if 42 'slog("
操作IP: "&ip&" 操作时间: " & now() & " 操作页面:"&Request.ServerVariables("URL")&" 提交方式: "&Request.ServerVariables("Request_Method")&" 提交参数: "&l_get&" 提交数据: "&l_get2) 43 Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'> 您的提交带有不合法参数,谢谢合作!
</div>") 44 Response.end 45 end if 46 set regex = nothing 47 next 48 next 49 end function 50 51 sub slog(logs) 52 dim toppath,fs,Ts 53 toppath = Server.Mappath("/log.htm") 54 Set fs = CreateObject("scripting.filesystemobject") 55 If Not Fs.FILEEXISTS(toppath) Then 56 Set Ts = fs.createtextfile(toppath, True) 57 Ts.close 58 end if 59 Set Ts= Fs.OpenTextFile(toppath,8) 60 Ts.writeline (logs) 61 Ts.Close 62 Set Ts=nothing 63 Set fs=nothing 64 end sub 65 66 %>
2.在所需要防护的页面加入代码
<!--#include virtual="/ykmaiz_safe.asp"-->
就可以做到页面防注入、防跨站。如果想整站防注,就在网站的一个公用文件(如数据库连接文件 conn.asp)中添加 <!--#include virtual="/ykmaiz_safe.asp"--> 来调用本代码。
很容易,赶快去试试吧!