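public static class CheckChar
{
    #region SQL injection request screening

    /// <summary>
    /// Tokens rejected in every request source (query string, referrer query, form fields, cookies).
    /// This is a coarse deny-list and a defence-in-depth measure only: it does not replace
    /// parameterised SQL in the data layer or output encoding in the pages, and it also rejects
    /// ordinary text containing e.g. parentheses, '+' or the word " or ".
    /// Matching is ordinal and case-insensitive, so entries are written in lower case.
    /// </summary>
    private static readonly string[] CommonTokens = new string[]
    {
        "%5c", "\\", ".jsp", "iframe", "xp_loginconfig", "xp_fixeddrives",
        "xp_regremovemultistring", "xp_regread", "xp_regwrite", "xp_cmdshell", "xp_dirtree",
        "count(", "*", "asc(", "chr(", "substring(", "mid(", "master", "truncate", "char(",
        "declare", " and ", " or ", "replace(", ";", "varchar(", "cast", "exec ", "insert ",
        "select ", "delete ", "update ", "mid", "master ", "truncate ", "declare ", "script",
        "alert", "%27", "(", "%28", ")", "%29", "+", "%2b", "%2d", "%3b", "<", "%3c", "%3d",
        ">", "%3e", "%7c",
    };

    /// <summary>
    /// Extra token rejected only in POST bodies: a literal single quote. The original GET/cookie
    /// list differed from the POST list only by this entry, so apostrophes stay allowed there.
    /// </summary>
    private static readonly string[] PostOnlyTokens = new string[] { "'" };

    /// <summary>
    /// Screens the current request's query string (or, when there is none, the query part of the
    /// referrer URL), its form fields and its cookies for deny-listed tokens, and redirects to
    /// ~/Error.aspx when any is found. Does nothing outside a request (HttpContext.Current is null).
    /// </summary>
    /// <remarks>
    /// Any unexpected exception while reading the request now counts as a rejection (fail closed);
    /// the previous empty catch let such requests continue unchecked. The redirect target carries
    /// the rejected path and query, so Error.aspx must not itself run this check, otherwise the
    /// value in its own query string would trigger the redirect again.
    /// </remarks>
    public static void StartProcessRequest()
    {
        System.Web.HttpContext context = System.Web.HttpContext.Current;
        if (context == null)
        {
            return;
        }

        try
        {
            if (!QueryStringIsClean(context.Request)
                || !FormIsClean(context.Request)
                || !CookiesAreClean(context.Request))
            {
                RejectRequest(context);
            }
        }
        catch (System.Threading.ThreadAbortException)
        {
            // Response.Redirect ends the response by aborting the request thread; let it unwind.
            throw;
        }
        catch (System.Exception)
        {
            // Fail closed: a request that cannot be read is not allowed through unchecked.
            RejectRequest(context);
        }
    }

    /// <summary>
    /// Redirects to the error page, carrying the rejected request's path and query. The value is
    /// URL-encoded so that separator characters inside it do not split the "path" parameter
    /// (the original appended it raw, truncating it at the first separator).
    /// </summary>
    private static void RejectRequest(System.Web.HttpContext context)
    {
        string path = System.Web.HttpUtility.UrlEncode(context.Request.Url.PathAndQuery);
        context.Response.Redirect("~/Error.aspx?path=" + path);
    }

    /// <summary>
    /// Checks every query-string value. When the request has no query string, the part of the
    /// referrer URL after '?' is checked instead; a referrer without '?' has no query to check.
    /// </summary>
    private static bool QueryStringIsClean(System.Web.HttpRequest request)
    {
        System.Collections.Specialized.NameValueCollection query = request.QueryString;
        if (query == null)
        {
            return true;
        }

        if (query.Count == 0)
        {
            if (request.UrlReferrer == null)
            {
                return true;
            }
            string referrer = request.UrlReferrer.ToString();
            int mark = referrer.IndexOf('?');
            return mark < 0 || ProcessSqlStr(referrer.Substring(mark + 1), "get");
        }

        for (int i = 0; i < query.Count; i++)
        {
            if (!ProcessSqlStr(query[i], "get"))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Checks every form field except the ASP.NET view-state and event-validation fields, which
    /// are framework-encoded blobs rather than user text.
    /// </summary>
    private static bool FormIsClean(System.Web.HttpRequest request)
    {
        System.Collections.Specialized.NameValueCollection form = request.Form;
        if (form == null)
        {
            return true;
        }

        for (int i = 0; i < form.Count; i++)
        {
            string key = form.Keys[i];
            if (key == "__VIEWSTATE" || key == "__EVENTVALIDATION")
            {
                continue;
            }
            if (!ProcessSqlStr(form[i], "post"))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Checks every cookie value except a cookie named "__VIEWSTATE". Cookies are read by index,
    /// so several cookies sharing one name are each checked (a lookup by name would only ever
    /// see the first of them).
    /// </summary>
    private static bool CookiesAreClean(System.Web.HttpRequest request)
    {
        System.Web.HttpCookieCollection cookies = request.Cookies;
        if (cookies == null)
        {
            return true;
        }

        for (int i = 0; i < cookies.Count; i++)
        {
            System.Web.HttpCookie cookie = cookies[i];
            if (cookie == null || cookie.Name == "__VIEWSTATE")
            {
                continue;
            }
            if (!ProcessSqlStr(cookie.Value, "cookie"))
            {
                return false;
            }
        }
        return true;
    }

    /// <summary>
    /// Reports whether a submitted value is free of deny-listed tokens.
    /// </summary>
    /// <param name="Str">The submitted value; null or whitespace-only values contain nothing to check and are accepted.</param>
    /// <param name="type">"post" selects the POST list (which adds the single quote); any other value, including null, selects the common list.</param>
    /// <returns>true when no token occurs in the value; false when at least one does.</returns>
    public static bool ProcessSqlStr(string Str, string type)
    {
        if (string.IsNullOrEmpty(Str) || Str.Trim().Length == 0)
        {
            return true;
        }

        if (ContainsAny(Str, CommonTokens))
        {
            return false;
        }

        bool isPost = string.Equals(type, "post", System.StringComparison.Ordinal);
        return !isPost || !ContainsAny(Str, PostOnlyTokens);
    }

    /// <summary>
    /// Ordinal, case-insensitive substring search for any of the tokens. The original lower-cased
    /// only the input, so mixed-case tokens such as "Xp_regread" could never match, and the
    /// culture-sensitive IndexOf made the result depend on the thread culture.
    /// </summary>
    private static bool ContainsAny(string value, string[] tokens)
    {
        foreach (string token in tokens)
        {
            if (value.IndexOf(token, System.StringComparison.OrdinalIgnoreCase) >= 0)
            {
                return true;
            }
        }
        return false;
    }

    #endregion
}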
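/// <summary>
/// Base page that screens every request for deny-listed characters before the page loads.
/// Pages that must not be screened (such as the error page the check redirects to) should not
/// derive from it.
/// </summary>
public class CheckCharPage : System.Web.UI.Page
{
    /// <summary>
    /// Runs the request screen, then defers to the base implementation so the PreLoad event is
    /// still raised; the original override skipped the base call, so PreLoad subscribers were
    /// never notified.
    /// </summary>
    /// <param name="e">Event data passed on to the base implementation.</param>
    protected override void OnPreLoad(EventArgs e)
    {
        CheckChar.StartProcessRequest();
        base.OnPreLoad(e);
    }
}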
asp.net解決SQL注入代碼