Aspx/Asp.net 防注入程序 V1.0

2024-07-10 13:19:07

字體：大中小

來源：轉載

供稿：網友

雖然說ASP.NET屬于安全性高的腳本語言,但是也經?？吹紸SP.NET網站由于過濾不嚴造成注射.由于ASP.NET基本上配合MMSQL數據庫架設如果權限過大的話很容易被攻擊. 再者在網絡上找不到好的ASP.NET防注射腳本,所以就自己寫了個. 在這里共享出來旨在讓程序員免除SQL注入的困擾.
我寫了兩個版本,VB.NET和C#版本方便不同程序間使用.
描述:
1. XP + IIS5.1 + Access + MSSQL2000 下測試通過。
2. 由于考慮到ASPX大多數和MSSQL數據庫配合使用，在此增加了MSSQL關鍵字。
3. 放到數據庫連接代碼處即可，和ASP用法類似。

復制代碼代碼如下:

public void JK1986_CheckSql()
{
string jk1986_sql = "exec夢select夢drop夢alter夢exists夢union夢and夢or夢xor夢order夢mid夢asc夢execute夢xp_cmdshell夢insert夢update夢delete夢join夢declare夢char夢sp_oacreate夢wscript.shell夢xp_regwrite夢'夢;夢--夢%";
string[] jk_sql = jk1986_sql.Split('夢');
foreach (string jk in jk_sql)
{
// -----------------------防 Post 注入-----------------------
if (Page.Request.Form != null)
{
for (int k = 0; k < Page.Request.Form.Count; k++)
{
string getsqlkey = Page.Request.Form.Keys[k];
string getip;
if (Page.Request.Form[getsqlkey].ToLower().Contains(jk) == true)
{
Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )站長網提示您，請勿提交非法字符！↓//n//nBlog [url=file:////n//nBy]//n//nBy[/url]:Jack');</" + "script>");
Response.Write("非法操作！系統做了如下記錄 ↓" + " ");
if (Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null )
{
getip = this.Page.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
}
else
{
getip = Page.Request.ServerVariables["REMOTE_ADDR"];
}
Response.Write("操作 I P ：" + getip + " ");
Response.Write("操作時間：" + DateTime.Now.ToString() + " ");
Response.Write("操作頁面：" + Page.Request.ServerVariables["URL"] + " ");
Response.Write("提交方式：P O S T " + " ");
Response.Write("提交參數：" + jk + " ");
Response.Write("提交數據：" + Page.Request.Form[getsqlkey].ToLower() + " ");
Response.End();
}
}
}
// -----------------------防 GET 注入-----------------------
if (Page.Request.QueryString != null)
{
for (int k = 0; k < Page.Request.QueryString.Count; k++)
{
string getsqlkey = Page.Request.QueryString.Keys[k];
string getip;
if (Page.Request.QueryString[getsqlkey].ToLower().Contains(jk) == true)
{
Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )站長安全網提示您，請勿提交非法字符！↓//n//nBlog [url=file:////n//nBy]//n//nBy[/url]:Jack');</" + "script>");
Response.Write("非法操作！系統做了如下記錄 ↓" + " ");
if (Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null )
{
getip = this.Page.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
}
else
{
getip = Page.Request.ServerVariables["REMOTE_ADDR"];
}
Response.Write("操作 I P ：" + getip + " ");
Response.Write("操作時間：" + DateTime.Now.ToString() + " ");
Response.Write("操作頁面：" + Page.Request.ServerVariables["URL"] + " ");
Response.Write("提交方式：G E T " + " ");
Response.Write("提交參數：" + jk + " ");
Response.Write("提交數據：" + Page.Request.QueryString[getsqlkey].ToLower() + " ");
Response.End();
}
}
}
// -----------------------防 Cookies 注入-----------------------
if (Page.Request.Cookies != null)
{
for (int k = 0; k < Page.Request.Cookies.Count; k++)
{
string getsqlkey = Page.Request.Cookies.Keys[k];
string getip;
if (Page.Request.Cookies[getsqlkey].Value.ToLower().Contains(jk) == true)
{
Response.Write("<script Language=JavaScript>alert('ASP.NET( C#版本 )站長安全網提示您，請勿提交非法字符！↓//n//nBlog [url=file:////n//nBy]//n//nBy[/url]:Jack');</" + "script>");
Response.Write("非法操作！系統做了如下記錄 ↓" + " ");
if (Request.ServerVariables["HTTP_X_FORWARDED_FOR"] != null )
{
getip = this.Page.Request.ServerVariables["HTTP_X_FORWARDED_FOR"];
}
else
{
getip = Page.Request.ServerVariables["REMOTE_ADDR"];
}
Response.Write("操作 I P ：" + getip + " ");
Response.Write("操作時間：" + DateTime.Now.ToString() + " ");
Response.Write("操作頁面：" + Page.Request.ServerVariables["URL"] + " ");
Response.Write("提交方式： Cookies " + " ");
Response.Write("提交參數：" + jk + " ");
Response.Write("提交數據：" + Page.Request.Cookies[getsqlkey].Value.ToLower() + " ");
Response.End();
}
}
}
}
}