谁有MSSQL数据库,防注入的代码???

chong6 2009-12-21 01:25:19
这世界太可笑了!!!

搜索到的全部都不能用,来这里找人解决防注入的问题,没人能给个好使的防注入代码?
街头小贩 2009-12-21
防注入:
1.判断数据类型,防止1=1或直接拼接SQL语句的情况
2.过滤任何字符串(注意:关键字过滤只是辅助手段,根本办法是使用参数化查询,不要把用户输入直接拼进SQL文本)
3.仔细校验你的代码,避免代码漏洞

在MSDN有一个专题是讲WEB安全的有时间听一听:http://www.microsoft.com/china/msdn/events/webcasts/shared/webcast/Series/DigitalSecurity.aspx
讲的很好
街头小贩 2009-12-21
个人拙见:
防注入:
1.判断数据类型,防止1=1或直接拼接SQL语句的形式
2.过滤任意字符
3.仔细校验你的代码,避免代码漏洞

给你个过滤参数的函数吧!


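' Checkstr: sanitise one request value before it is spliced into a SQL
' string literal or echoed into HTML. Returns the sanitised string.
'
' SECURITY NOTE (review): this is a blacklist filter. It does NOT make
' string-built SQL safe -- a value used in a numeric context (WHERE id=...)
' needs no quote to break out, and keyword lists are routinely bypassed.
' The real fix is parameterised queries (ADODB.Command with parameters);
' treat this function as defence in depth on top of that, not as the fix.
'
' What survives of the original post: the forum page decoded the HTML
' entities inside the replacement strings, so most of the original
' Replace(Str, "select", "...") lines had become self-replacements (no-ops)
' and one line held an unterminated string literal (a syntax error).
' Those lines are dropped here; the two "exec" replacements kept their
' entity and are preserved byte-for-byte.
'
' Behaviour:
'   Null            -> ""           (Null would otherwise propagate)
'   Chr(0)          -> removed
'   "               -> &quot;       (restored intent of the broken line;
'                                    the later line that stripped any
'                                    remaining " therefore has nothing to do)
'   '               -> ''           (doubled ONCE; the original doubled it
'                                    twice, turning ' into '''' and
'                                    corrupting legitimate data)
'   execute / exec  -> &#101xecute / &#101xec (case-insensitive; the
'                                    replacement keeps the original's
'                                    semicolon-less entity)
Function Checkstr(Str)
    If IsNull(Str) Then
        Checkstr = ""
        Exit Function
    End If
    Str = Replace(Str, Chr(0), "", 1, -1, 1)
    Str = Replace(Str, """", "&quot;", 1, -1, 1)
    ' Same order as the original; either order yields the same output
    ' because "exec" is the prefix of "execute".
    Str = Replace(Str, "execute", "&#101xecute", 1, -1, 1)
    Str = Replace(Str, "exec", "&#101xec", 1, -1, 1)
    ' Single pass only -- the original ran this twice.
    Checkstr = Replace(Str, "'", "''", 1, -1, 1)
End Function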
sniper1534 2009-12-21
<%



'-------- Declarations ------------------
' Neeao anti-injection include. Loads its configuration from the
' sqlin_config table (cached in an Application variable), then scans the
' Form, QueryString and Cookies collections of the current request for
' blacklisted keywords. Statement order matters: the config must be
' loaded before the lists are split, and the IP ban check runs before
' the scans. Relies on an open ADO connection `conn` supplied by the
' including page.
Dim Neeao_Application_Value
Dim Neeao_Post,Neeao_Get,Neeao_Inject,Neeao_Inject_Keyword,Neeao_Kill_IP,Neeao_Write_Data
Dim Neeao_Alert_Url,Neeao_Alert_Info,Neeao_Kill_Info,Neeao_Alert_Type
Dim Neeao_Sec_Forms,Neeao_Sec_Form_open,Neeao_Sec_Form
'Call PutApplicationValue()
' Populate the Application cache on first use (or when it does not hold an array).
If IsArray(Application("Neeao_config_info"))=False Then Call PutApplicationValue()
Neeao_Application_Value = Application("Neeao_config_info")
' Unpack the configuration; slot order is fixed by the SELECT in PutApplicationValue.
Neeao_Inject = Neeao_Application_Value(0)          ' N_In: "|"-separated keyword blacklist
Neeao_Kill_IP = Neeao_Application_Value(1)         ' Kill_IP: 1 = run the IP ban check
Neeao_Write_Data = Neeao_Application_Value(2)      ' WriteSql: 1 = log hits to the SqlIn table
Neeao_Alert_Url = Neeao_Application_Value(3)       ' alert_url: redirect target for N_Alert types 3/4
Neeao_Alert_Info = Neeao_Application_Value(4)      ' alert_info: message shown for a blocked request
Neeao_Kill_Info = Neeao_Application_Value(5)       ' kill_info: message shown for a banned address
Neeao_Alert_Type = Neeao_Application_Value(6)      ' N_type: 1-4, selects the reaction in N_Alert
Neeao_Sec_Forms = Neeao_Application_Value(7)       ' Sec_Forms: "|"-separated page names exempt from scanning
Neeao_Sec_Form_open = Neeao_Application_Value(8)   ' Sec_Form_open: 1 = honour the exempt list

' Exempt-page list and keyword blacklist
Neeao_Sec_Form = split(Neeao_Sec_Forms,"|")
Neeao_Inject_Keyword = split(Neeao_Inject,"|")

If Neeao_Kill_IP=1 Then Stop_IP

' Only these three collections are scanned. Other client-supplied
' headers (e.g. X-Forwarded-For, which Select_BadChar reads for logging)
' are not checked against the blacklist.
If Request.Form<>"" Then StopInjection(Request.Form)

If Request.QueryString<>"" Then StopInjection(Request.QueryString)

If Request.Cookies<>"" Then StopInjection(Request.Cookies)


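' Stop_IP: refuse the request if the client address is flagged in SqlIn
' (kill_ip=1). Reads REMOTE_ADDR only -- the connection's peer address as
' reported by IIS, not a client-forwardable header.
' The address is still passed through N_Replace before being spliced into
' the SQL text: this file has no parameter binding, so every concatenated
' value is quote-escaped for defence in depth.
' NOTE(review): Select_BadChar logs HTTP_X_FORWARDED_FOR when present, so
' an address recorded there may differ from the one matched here -- TODO
' confirm which value the ban table is keyed on.
' On a hit it emits the kill message via N_Alert and ends the response.
' The recordset is closed and released on both paths.
' `conn`, N_Alert, N_Replace and Neeao_Kill_Info are defined elsewhere in
' the script / including page.
Function Stop_IP()
    Dim Sqlin_IP, rsKill_IP, Kill_IPsql
    Sqlin_IP = Request.ServerVariables("REMOTE_ADDR")
    Kill_IPsql = "select Sqlin_IP from SqlIn where Sqlin_IP='" & N_Replace(Sqlin_IP) & "' and kill_ip=1"
    Set rsKill_IP = conn.execute(Kill_IPsql)
    If Not (rsKill_IP.eof Or rsKill_IP.bof) Then
        ' Release the cursor before Response.End terminates processing.
        rsKill_IP.close
        Set rsKill_IP = Nothing
        N_Alert(Neeao_Kill_Info)
        Response.End
    End If
    rsKill_IP.close
    Set rsKill_IP = Nothing
End Function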



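' StopInjection: run every entry of one request collection (Form,
' QueryString or Cookies) through Select_BadChar, unless the current page
' is on the exempt list.
'
' Exempt-list handling (Neeao_Sec_Form_open = 1) is reworked:
'  - The original loop called Select_BadChar once per *non-matching* list
'    entry and only skipped the page when a match was reached, so every
'    parameter was scanned repeatedly and a page listed after a
'    non-matching entry had already been scanned before its own entry
'    came up. The exempt test is now made once, up front.
'  - An empty entry (from a trailing "|" in Sec_Forms) is ignored:
'    Instr(x, "") returns 1, so it used to exempt every page.
'  - With Sec_Form_open = 1 and an empty Sec_Forms the original loop body
'    never ran and nothing was scanned at all; now the scan proceeds.
' Matching remains substring-based, as in the original, so "a.asp" also
' exempts "data.asp" -- tighten to an exact compare if the config allows.
' Externals: Neeao_Sec_Form_open, Neeao_Sec_Form, SelfName, Select_BadChar.
Function StopInjection(values)
    Dim Neeao_Key, Neeao_i, Neeao_Page
    If Neeao_Sec_Form_open = 1 Then
        Neeao_Page = LCase(SelfName)
        For Neeao_i = 0 To UBound(Neeao_Sec_Form)
            If Len(Neeao_Sec_Form(Neeao_i)) > 0 Then
                If Instr(Neeao_Page, Neeao_Sec_Form(Neeao_i)) > 0 Then
                    Exit Function
                End If
            End If
        Next
    End If
    For Each Neeao_Key In values
        Call Select_BadChar(values, Neeao_Key)
    Next
End Function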

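' Select_BadChar: test one request value against the keyword blacklist;
' on a hit, optionally log it to SqlIn, emit the alert and end the response.
'
' SECURITY (review): the original INSERT concatenated Neeao_ip, Neeao_url
' and the parameter name raw; only the value went through N_Replace.
' HTTP_X_FORWARDED_FOR is a client-supplied header that this script never
' scans, so a single quote in it broke straight out of the log statement
' -- the anti-injection include had its own injection in its logging path.
' Every concatenated string is now escaped with N_Replace. Parameter
' binding (ADODB.Command) would be the proper fix; the table's column
' types are not visible here, so escaping is the change made.
'
' X-Forwarded-For is also trivially spoofed: it is only suitable for
' logging, never for ban decisions (Stop_IP keys on REMOTE_ADDR).
'
' Other changes: the original wrote the matched keyword back into the
' response before the alert, telling an attacker exactly which blacklist
' entry fired -- that debug write is removed. An empty keyword (trailing
' "|" in N_In) is skipped, since Instr(x, "") is 1 and would block every
' request. The value is lower-cased once instead of per keyword; the
' keyword itself is compared as configured, as before.
' Externals: Neeao_Inject_Keyword, Neeao_Write_Data, Neeao_Alert_Info,
' conn, intype, N_Replace, N_Alert.
Function Select_BadChar(values, Neeao_Get)
    Dim Neeao_Xh, Neeao_ip, Neeao_url, Neeao_sql, Neeao_val
    Neeao_val = LCase(values(Neeao_Get))
    For Neeao_Xh = 0 To UBound(Neeao_Inject_Keyword)
        If Len(Neeao_Inject_Keyword(Neeao_Xh)) > 0 Then
            If Instr(Neeao_val, Neeao_Inject_Keyword(Neeao_Xh)) <> 0 Then
                If Neeao_Write_Data = 1 Then
                    Neeao_ip = Request.ServerVariables("HTTP_X_FORWARDED_FOR")
                    If Neeao_ip = "" Then Neeao_ip = Request.ServerVariables("REMOTE_ADDR")
                    Neeao_url = Request.ServerVariables("URL")
                    Neeao_sql = "insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values('" _
                        & N_Replace(Neeao_ip) & "','" _
                        & N_Replace(Neeao_url) & "','" _
                        & N_Replace(intype(values)) & "','" _
                        & N_Replace(Neeao_Get) & "','" _
                        & N_Replace(values(Neeao_Get)) & "')"
                    conn.Execute(Neeao_sql)
                End If
                N_Alert(Neeao_Alert_Info)
                Response.End
            End If
        End If
    Next
End Function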

' N_Alert: write a small inline script that performs the configured
' reaction to a blocked request.
' Neeao_Alert_Type (sqlin_config.N_type) selects the action:
'   1 - close the window
'   2 - alert(Neeao_Alert_Info), then close
'   3 - redirect to Neeao_Alert_Url
'   4 - alert, then redirect
' Any other value writes an empty script element.
' NOTE(review): the message and URL come from the config table and are
' placed inside a JavaScript string literal without escaping; a single
' quote in either would break the emitted script. The config row is
' therefore trusted input -- keep it admin-only.
' The tag is assembled from fragments so a literal "<script>" never
' appears in the page source.
Function N_Alert(Neeao_Alert_Info)
    Dim jsOpen, jsClose, jsBody
    Dim doAlert, doClose, doJump
    jsOpen = "<" & "Script Language=JavaScript" & ">"
    jsClose = "<" & "/Script" & ">"
    doAlert = "alert('" & Neeao_Alert_Info & "');"
    doClose = "window.opener=null; window.close();"
    doJump = "location.href='" & Neeao_Alert_Url & "';"
    jsBody = ""
    Select Case Neeao_Alert_Type
        Case 1
            jsBody = doClose
        Case 2
            jsBody = doAlert & doClose
        Case 3
            jsBody = doJump
        Case 4
            jsBody = doAlert & doJump
    End Select
    response.write jsOpen & jsBody & jsClose
End Function

' intype: name the request collection a hit came from, for the SqlIn_FS
' log column. Returns "Post", "Get" or "Cookies"; any other argument
' leaves the result Empty (no Case Else).
' NOTE(review): Select Case compares `values` with the three Request
' collections by value -- their default (whole-string) representation --
' not by object identity, so two collections with identical text would
' match the first Case. Callers only pass a non-empty collection, so in
' practice this distinguishes them -- TODO confirm.
Function intype(values)
Select Case values
Case Request.Form
intype = "Post"
Case Request.QueryString
intype = "Get"
Case Request.Cookies
intype = "Cookies"
end Select
End Function

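' N_Replace: escape one string for the two contexts this script splices
' it into -- a SQL string literal (single quote doubled) and HTML (angle
' brackets entity-encoded). Returns the escaped copy.
' The forum page decoded the entities in the original listing, leaving
' Replace(s, ">", ">") -- a no-op that contradicted the "kill XSS" comment
' above it. The "&gt;" / "&lt;" replacements are restored here.
' Doubling quotes only protects a value placed inside '...' in the SQL
' text; it does nothing for numeric positions. Parameter binding remains
' the correct fix; this is the escaping the rest of the file relies on.
' NOTE(review): behaviour for a Null argument is not covered -- callers in
' this file pass Request collection values and server variables.
Function N_Replace(N_urlString)
    Dim s
    s = Replace(N_urlString, "'", "''")
    s = Replace(s, ">", "&gt;")
    s = Replace(s, "<", "&lt;")
    N_Replace = s
End Function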

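' PutApplicationValue: load row id=1 of sqlin_config into the Application
' variable "Neeao_config_info" as a 0-based array:
'   0 N_In   1 Kill_IP   2 WriteSql   3 alert_url   4 alert_info
'   5 kill_info   6 N_type   7 Sec_Forms   8 Sec_Form_open
' Called from the page head whenever that Application slot does not hold
' an array.
' Changes from the original: the array is sized to the nine columns read
' (ReDim (9) allocated an unused tenth slot); the recordset is closed
' before release; a missing config row raises a descriptive error instead
' of failing inside the field read. The Lock/Unlock bracket and the
' Set-to-Nothing of the old slot value are kept as they were.
' `conn` is an ADO connection defined by the including page.
Sub PutApplicationValue()
    Dim rsinfo, i
    Set rsinfo = conn.execute("select N_In,Kill_IP,WriteSql,alert_url,alert_info,kill_info,N_type,Sec_Forms,Sec_Form_open from sqlin_config where id=1")
    If rsinfo.EOF Then
        rsinfo.close
        Set rsinfo = Nothing
        Err.Raise vbObjectError + 1, "PutApplicationValue", "sqlin_config row id=1 not found"
    End If
    ReDim ApplicationValue(8)
    For i = 0 To 8
        ApplicationValue(i) = rsinfo(i)
    Next
    rsinfo.close
    Set rsinfo = Nothing
    Application.Lock
    Set Application("Neeao_config_info") = Nothing
    Application("Neeao_config_info") = ApplicationValue
    Application.unlock
End Sub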

' SelfName: the file-name part of the requested URL -- everything after
' the last "/" in Request.ServerVariables("URL"). With no "/" present the
' whole value is returned. Used by StopInjection to match the exempt list.
Function SelfName()
    Dim fullUrl, lastSlash
    fullUrl = Request.ServerVariables("URL")
    lastSlash = InstrRev(fullUrl, "/")
    SelfName = Mid(fullUrl, lastSlash + 1)
End Function

%>

gingerkang 2009-12-21
确实可笑,不过不是这个世界
