50 points: for MSSQL, besides the unsafe characters below, which other unsafe characters need replacing? That's all the points for now, will add more later

yonghanyang 2009-08-16 12:03:13
(and|or|insert|exec|select|delete|update|count|chr|mid|master|truncate|char|declare|database|backup|\=)([\'| ])
The above are replaced with a regex; experts, please advise what else needs to be filtered.
yonghanyang 2009-08-25
Still bumping
y34ml 2009-08-22
Use comment syntax to bypass.
Use /**/ in place of spaces, e.g.: UNION /**/ Select/**/user,pwd,from tbluser
Use /**/ to split sensitive words, e.g.: U/**/ NION /**/ SE/**/ LECT /**/user,pwd from tbluser
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)
yonghanyang 2009-08-22
Bumping again
yonghanyang 2009-08-21
Waiting for an expert
xzx99 2009-08-18
Learning...
y34ml 2009-08-18
[Quote=Quoting reply #7 by jiewenxu:]
VBScript code:
Public Function Checkstr(Str)
    If Isnull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "")
    CheckStr = Replace(Str, "'", "''")
End Function

The filter function I've always used: just filter one chr(0); as long as single quotes are paired, however you fiddle with it, they can't inject.
[/Quote]


<%
' QueryString = ?id=1or%201=1
' The SQL produced is SELECT * FROM users where uid =1or 1=1, which runs fine in MSSQL
Dim sql : sql = "SELECT * FROM users where uid ="
Response.Write(sql & CheckStr(Request.QueryString("id")))

Public Function Checkstr(Str)
    If Isnull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "")
    CheckStr = Replace(Str, "'", "''")
End Function
%>
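The fix for the concatenation in the demo above, as an added example that is not part of the original thread: bind id as a typed ADODB parameter instead of escaping and concatenating it, so a non-numeric value like "1or 1=1" is refused before any SQL runs and a real number reaches SQL Server as data. The connection string, the users table and its columns are assumptions.

```vbscript
<%
Option Explicit
' Added example, not code from the original thread. The connection string,
' the users table and its columns are assumptions.
Const adInteger = 3
Const adParamInput = 1
Const adCmdText = 1

Function FindUserName(rawId)
    Dim conn, cmd, rs, s, uid
    FindUserName = ""
    s = Trim(CStr(rawId))

    ' A numeric column gets a number: anything else stops here, before any SQL
    ' runs. This is the case the quote-escaping CheckStr above does not cover.
    ' CLng raises an overflow error for values beyond 32 bits; the page's error
    ' handler should treat that as bad input too.
    If Not IsNumeric(s) Then Exit Function
    uid = CLng(s)

    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=SQLOLEDB;Data Source=(local);Initial Catalog=app;Integrated Security=SSPI"

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' The SQL text is constant; the value travels separately as an int
    ' parameter, so no keyword blacklist is needed for it.
    cmd.CommandText = "SELECT name FROM users WHERE uid = ?"
    cmd.Parameters.Append cmd.CreateParameter("uid", adInteger, adParamInput, , uid)

    Set rs = cmd.Execute
    If Not rs.EOF Then FindUserName = rs("name").Value
    rs.Close
    conn.Close
End Function

' Route every input source through the same function, cookies included,
' and encode the output before it is written back into the page.
Response.Write Server.HTMLEncode(FindUserName(Request.QueryString("id")))
%>
```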
y34ml 2009-08-18
[Quote=Quoting reply #7 by jiewenxu:]
VBScript code:
Public Function Checkstr(Str)
    If Isnull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "")
    CheckStr = Replace(Str, "'", "''")
End Function

The filter function I've always used: just filter one chr(0); as long as single quotes are paired, however you fiddle with it, they can't inject.
[/Quote]
Haha, code has to be rigorous. Most people only filter Request.Form and Request.QueryString and forget to filter and check cookies; forge a cookie and you're done for.
jiewenxu 2009-08-18
Public Function Checkstr(Str)
    If Isnull(Str) Then
        CheckStr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "")
    CheckStr = Replace(Str, "'", "''")
End Function


The filter function I've always used: just filter one chr(0); as long as single quotes are paired, however you fiddle with it, they can't inject.
yonghanyang 2009-08-18
[Quote=Quoting reply #4 by joking520:]
Just filter the ' single quote and its corresponding ASCII encoding,
and with MSSQL 2000, watch out for the binary injection vulnerability.
[/Quote]
Filtering ' definitely isn't enough; "or 1=1" alone finishes you off. "Watch out for the binary injection vulnerability": I don't understand, give some examples.
chenjianyong94 2009-08-17
Here's a filter function for you: before adding a string to the database, run it through this function first.
using System.Text.RegularExpressions;
using System.Web;

// class name assumed; the post gave only the method
public static class InputFilter
{
    /// <summary>
    /// Strip HTML markup
    /// </summary>
    /// <param name="Htmlstring">source text that contains HTML</param>
    /// <returns>the text with the markup removed</returns>
    public static string NoHTML(string Htmlstring)
    {
        if (Htmlstring == null)
        {
            return "";
        }
        else
        {
            // strip script blocks
            Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);
            // strip HTML tags
            Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);

            // decode the common entities
            Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);

            // strip database-related words (plain substring matches: "asc", "mid"
            // and "char" also hit ordinary words such as "basic" or "character")
            Htmlstring = Regex.Replace(Htmlstring, "select ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "insert ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "delete from ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "drop table ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "truncate ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, " and ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, " or ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, " net ", "", RegexOptions.IgnoreCase);
            //Htmlstring = Regex.Replace(Htmlstring, "*", "", RegexOptions.IgnoreCase);
            //Htmlstring = Regex.Replace(Htmlstring, "-", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "delete ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "drop ", "", RegexOptions.IgnoreCase);
            Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);

            // special characters
            Htmlstring = Htmlstring.Replace("<", "");
            Htmlstring = Htmlstring.Replace(">", "");
            Htmlstring = Htmlstring.Replace("*", "");
            Htmlstring = Htmlstring.Replace("--", "");
            Htmlstring = Htmlstring.Replace("?", "");
            Htmlstring = Htmlstring.Replace(",", "");
            Htmlstring = Htmlstring.Replace("/", "");
            Htmlstring = Htmlstring.Replace(";", "");
            Htmlstring = Htmlstring.Replace("*/", "");
            Htmlstring = Htmlstring.Replace("\r\n", "");
            Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();

            return Htmlstring;
        }
    }
}
mailbao 2009-08-16
Chr(0
""
<
>
script
SCRIPT
Script
script
object
OBJECT
Object
object
applet
APPLET
Applet
applet
[
]
""
=

select
execute
exec
join
union
where
insert
delete
update
like
drop
create
rename
count
chr
mid
truncate
nchar
char
alter
cast
exists
Chr(13)
joking520 2009-08-16
Just filter the ' single quote and its corresponding ASCII encoding,
and with MSSQL 2000, watch out for the binary injection vulnerability.
cngothic 2009-08-16
Injection is just adding some conditions to the SQL statement.
Just filter out ' and there's no problem at all.
三楼の郎 2009-08-16
If you replace all of those, can you still type English at all!