导航
  • 主页
会员中心
收藏
消息
创作中心

50分求mssql除了以下不安全字符还有那些不安全的字符是需要替换的,暂时多分,到时补

yonghanyang 2009-08-16 12:03:13
(and|or|insert|exec|select|delete|update|count|chr|mid|master|truncate|char|declare|database|backup|\=)([\'| ])
以上用正则替换掉,请高手解答还有那些需要过滤的
...全文
105 点赞 收藏 14
写回复
14 条回复
切换为时间正序
当前发帖距今超过3年,不再开放新的回复
发表回复
yonghanyang 2009-08-25
继续顶
 回复
y34ml 2009-08-22
运用注释语句绕过
用/**/代替空格,如:UNION /**/ Select/**/user,pwd,from tbluser
用/**/分割敏感词,如:U/**/ NION /**/ SE/**/ LECT /**/user,pwd from tbluser
0x730079007300610064006D0069006E00 =hex(sysadmin)
0x640062005F006F0077006E0065007200 =hex(db_owner)
 回复
yonghanyang 2009-08-22
再次顶起
 回复
yonghanyang 2009-08-21
期待高手
 回复
xzx99 2009-08-18
学习...
 回复
y34ml 2009-08-18
[Quote=引用 7 楼 jiewenxu 的回复:]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function

我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]



<%

--QueryString = ?id=1or%201=1

--输出的sql语句为SELECT * FROM users where uid =1or 1=1在mssql中正常运行

dim sql : sql = "SELECT * FROM users where uid ="

Response.Write(sql & CheckStr(Request.QueryString("id")))

    Public Function Checkstr(Str)

        If Isnull(Str) Then

            CheckStr = ""

            Exit Function 

        End If

        Str = Replace(Str,Chr(0),"")

        CheckStr = Replace(Str,"'","''")

    End Function

%>
回复
y34ml 2009-08-18
[Quote=引用 7 楼 jiewenxu 的回复:]
VBScript codePublicFunction Checkstr(Str)IfIsnull(Str)Then
CheckStr=""ExitFunctionEndIf
Str=Replace(Str,Chr(0),"")
CheckStr=Replace(Str,"'","''")End Function

我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
[/Quote]
哈哈,代码要严谨才行,一般的人只对Request.form和Request.QueryString而往往忽略了对cookie进行过滤已经判断,只要仿造cookie你就玩完了
 回复
jiewenxu 2009-08-18
	Public Function Checkstr(Str)

		If Isnull(Str) Then

			CheckStr = ""

			Exit Function 

		End If

		Str = Replace(Str,Chr(0),"")

		CheckStr = Replace(Str,"'","''")

	End Function


我一直使用的过滤函数,只要过滤一个chr(0),其他只要单引号配对,随便你怎么怎么弄,他都无法注入
 回复
yonghanyang 2009-08-18
[Quote=引用 4 楼 joking520 的回复:]
只要过滤 ' 单引号 以及对应的ASCII 编码就好了,
另外,MSSQL 2000 小心二进制注入漏洞。
[/Quote]
过滤'肯定不行,只要or 1=1就完蛋了,小心二进制注入漏洞,不懂,给一些例子
 回复
chenjianyong94 2009-08-17
给你写个过滤函数,在添加到数据库的时候,先将字符串过滤,调用一下该函数即可。
/// <summary>

    /// 去除HTML标记

    /// </summary>

    /// <param name="NoHTML">包括HTML的源码 </param>

    /// <returns>已经去除后的文字</returns>

    public static string NoHTML(string Htmlstring)

    {

        if (Htmlstring == null)

        {

            return "";

        }

        else

        {

            //删除脚本

            Htmlstring = Regex.Replace(Htmlstring, @"<script[^>]*?>.*?</script>", "", RegexOptions.IgnoreCase);

            //删除HTML

            Htmlstring = Regex.Replace(Htmlstring, @"<(.[^>]*)>", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"([\r\n])[\s]+", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"-->", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"<!--.*", "", RegexOptions.IgnoreCase);



            Htmlstring = Regex.Replace(Htmlstring, @"&(quot|#34);", "\"", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(amp|#38);", "&", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(lt|#60);", "<", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(gt|#62);", ">", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(nbsp|#160);", " ", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(iexcl|#161);", "\xa1", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(cent|#162);", "\xa2", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(pound|#163);", "\xa3", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&(copy|#169);", "\xa9", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, @"&#(\d+);", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);



            //删除与数据库相关的词 

            Htmlstring = Regex.Replace(Htmlstring, "select ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "insert ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "delete from ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "count''", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "drop table ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "truncate ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "asc", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "mid", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "char", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "xp_cmdshell", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "exec master", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "net localgroup administrators", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " and ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "net user", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " or ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, " net ", "", RegexOptions.IgnoreCase);

            //Htmlstring =  Regex.Replace(Htmlstring,"*", "", RegexOptions.IgnoreCase);

            //Htmlstring =  Regex.Replace(Htmlstring,"-", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "delete ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "drop ", "", RegexOptions.IgnoreCase);

            Htmlstring = Regex.Replace(Htmlstring, "script", "", RegexOptions.IgnoreCase);



            //特殊的字符

            Htmlstring = Htmlstring.Replace("<", "");

            Htmlstring = Htmlstring.Replace(">", "");

            Htmlstring = Htmlstring.Replace("*", "");

            Htmlstring = Htmlstring.Replace("--", "");

            Htmlstring = Htmlstring.Replace("?", "");

            Htmlstring = Htmlstring.Replace(",", "");

            Htmlstring = Htmlstring.Replace("/", "");

            Htmlstring = Htmlstring.Replace(";", "");

            Htmlstring = Htmlstring.Replace("*/", "");

            Htmlstring = Htmlstring.Replace("\r\n", "");

            Htmlstring = HttpContext.Current.Server.HtmlEncode(Htmlstring).Trim();



            return Htmlstring;

        }

    }
回复
mailbao 2009-08-16
Chr(0
""
<
>
script
SCRIPT
Script
script
object
OBJECT
Object
object
applet
APPLET
Applet
applet
[
]
""
=

select
execute
exec
join
union
where
insert
delete
update
like
drop
create
rename
count
chr
mid
truncate
nchar
char
alter
cast
exists
Chr(13)
 回复
joking520 2009-08-16
只要过滤 ' 单引号 以及对应的ASCII 编码就好了,
另外,MSSQL 2000 小心二进制注入漏洞。
 回复
cngothic 2009-08-16
注入就是在SQL语句中加上一些条件。
你只要把'过滤吊就没有任何问题。
 回复
三楼の郎 2009-08-16
这些都替换掉了,你英文还能输入吗!
 回复
发动态
发帖子
ASP
创建于2007-09-28

2.8w+

社区成员

35.7w+

社区内容

ASP即Active Server Pages,是Microsoft公司开发的服务器端脚本环境。
申请成为版主
社区公告
暂无公告