Three ways to protect an ASP website against injection and make your site safer

 

What do you do when a scan reports that your ASP site has an injection point? Before you panic, try one of these three methods:
 
Method 1: check the whole query string and the Host header against a keyword blacklist
<%
' Lowercase the raw query string and the Host header so the match is case-insensitive
squery = LCase(Request.ServerVariables("QUERY_STRING"))
sURL = LCase(Request.ServerVariables("HTTP_HOST"))

' Blacklisted fragments, separated by "|"
SQL_injdata = ":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

SQL_inj = Split(SQL_injdata, "|")

' Stop the request as soon as any fragment appears in the query string or host name
For SQL_Data = 0 To UBound(SQL_inj)
    If InStr(squery & sURL, SQL_inj(SQL_Data)) > 0 Then
        Response.Write "SQL 通用防注入系统 "
        Response.End
    End If
Next
%>
 
Method 2: check each query-string and form parameter separately
<%
' Same blacklist as method 1, separated by "|"
SQL_injdata = ":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"

SQL_inj = Split(SQL_injdata, "|")

' GET parameters: test every value in Request.QueryString
If Request.QueryString <> "" Then
    For Each SQL_Get In Request.QueryString
        For SQL_Data = 0 To UBound(SQL_inj)
            ' LCase added so upper-case keywords are matched, as methods 1 and 3 do
            If InStr(LCase(Request.QueryString(SQL_Get)), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "SQL 通用防注入系统 "
                Response.End
            End If
        Next
    Next
End If

' POST parameters: test every value in Request.Form
If Request.Form <> "" Then
    For Each SQL_Post In Request.Form
        For SQL_Data = 0 To UBound(SQL_inj)
            If InStr(LCase(Request.Form(SQL_Post)), SQL_inj(SQL_Data)) > 0 Then
                Response.Write "SQL 通用防注入系统 "
                Response.End
            End If
        Next
    Next
End If
%>
 
Method 3: filter POST and GET parameters, log every blocked request to an Access database and tell the user
<%
'-------- Definitions ------------------
Dim Str_Post, Str_Get, Str_In, Str_Inf, Str_Xh
' Fragments to filter, separated by " "; edit the list to suit your site
Str_In = "' ; and exec insert select delete update count * % chr mid master truncate char declare"
Str_Inf = Split(Str_In, " ")
'----------------------------------

'-------- Write to the database and stop ----------
' The INSERT uses an ADODB.Command with "?" placeholders (adVarChar = 200,
' adParamInput = 1) instead of string concatenation, so the logger itself cannot
' be injected through the parameter name or value; the page output is HTML-encoded
' for the same reason. Values are cut to 255 characters to fit Access Text columns.
Sub LogAndBlock(Str_Method, Str_Name, Str_Value)
    Dim Str_db, Str_dbstr, Str_cmd
    Str_dbstr = "DBQ=" & Server.MapPath("SqlIn.mdb") & ";DefaultDir=;DRIVER={Microsoft Access Driver (*.mdb)};"
    Set Str_db = Server.CreateObject("ADODB.Connection")
    Str_db.Open Str_dbstr
    Set Str_cmd = Server.CreateObject("ADODB.Command")
    Set Str_cmd.ActiveConnection = Str_db
    Str_cmd.CommandText = "insert into SqlIn(Sqlin_IP,SqlIn_Web,SqlIn_FS,SqlIn_CS,SqlIn_SJ) values(?,?,?,?,?)"
    Str_cmd.Parameters.Append Str_cmd.CreateParameter("ip", 200, 1, 255, Left(Request.ServerVariables("REMOTE_ADDR"), 255))
    Str_cmd.Parameters.Append Str_cmd.CreateParameter("web", 200, 1, 255, Left(Request.ServerVariables("URL"), 255))
    Str_cmd.Parameters.Append Str_cmd.CreateParameter("fs", 200, 1, 10, Str_Method)
    Str_cmd.Parameters.Append Str_cmd.CreateParameter("cs", 200, 1, 255, Left(Str_Name, 255))
    Str_cmd.Parameters.Append Str_cmd.CreateParameter("sj", 200, 1, 255, Left(Str_Value, 255))
    Str_cmd.Execute
    Set Str_cmd = Nothing
    Str_db.Close
    Set Str_db = Nothing

    Response.Write "<Script Language=JavaScript>alert(' 请不要在参数中包含非法字符尝试注入! ');</Script>"
    Response.Write " 非法操作!系统做了如下记录 :<br>"
    Response.Write " 操作 IP " & Request.ServerVariables("REMOTE_ADDR") & "<br>"
    Response.Write " 操作时间: " & Now & "<br>"
    Response.Write " 操作页面: " & Server.HTMLEncode(Request.ServerVariables("URL")) & "<br>"
    Response.Write " 提交方式: " & Str_Method & "<br>"
    Response.Write " 提交参数: " & Server.HTMLEncode(Str_Name) & "<br>"
    Response.Write " 提交数据: " & Server.HTMLEncode(Str_Value)
    Response.End
End Sub
'----------------------------------

'--------POST part ------------------
If Request.Form <> "" Then
    For Each Str_Post In Request.Form
        For Str_Xh = 0 To UBound(Str_Inf)
            If InStr(LCase(Request.Form(Str_Post)), Str_Inf(Str_Xh)) <> 0 Then
                LogAndBlock "POST", Str_Post, Request.Form(Str_Post)
            End If
        Next
    Next
End If
'----------------------------------

'--------GET part -------------------
If Request.QueryString <> "" Then
    For Each Str_Get In Request.QueryString
        For Str_Xh = 0 To UBound(Str_Inf)
            If InStr(LCase(Request.QueryString(Str_Get)), Str_Inf(Str_Xh)) <> 0 Then
                LogAndBlock "GET", Str_Get, Request.QueryString(Str_Get)
            End If
        Next
    Next
End If
'----------------------------------
%>
Method 3 requires you to create the SqlIn.mdb database and its SqlIn table yourself, with the columns the INSERT writes: Sqlin_IP, SqlIn_Web, SqlIn_FS, SqlIn_CS and SqlIn_SJ.
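All three methods share one mechanism: split a keyword list, then reject the request if any fragment is a substring of a parameter. The following Python harness is an added example, not code from the original post; it ports that check so you can see offline what the filter accepts and what it blocks. The two keyword lists are copied from methods 1/2 and method 3 above; every request below is constructed for the example. Note the false positives a substring blacklist produces on ordinary words ("Anderson" contains "and", "chart" contains "char") and why the LCase step matters.

```python
# Added example (not part of the original post): a Python port of the blacklist
# check used by the three ASP snippets, so the filter can be exercised offline.
# The two keyword lists are copied from the page; every input below is constructed.

# Method 1 and 2 list, "|"-separated (raw string so the "\" entry survives)
SQL_INJDATA = r":|;|>|<|--|sp_|xp_|\|dir|cmd|^|(|)|+|$|'|copy|format|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare"
# Method 3 list, " "-separated
STR_IN = "' ; and exec insert select delete update count * % chr mid master truncate char declare"


def blacklist(raw, sep):
    """Split(raw, sep) as in the ASP code, dropping empty entries."""
    return [term for term in raw.split(sep) if term]


def first_hit(value, terms, lowercase=True):
    """Return the first blacklisted fragment found in value, or None.

    Mirrors the VBScript loop: InStr(haystack, term) > 0 for each term in order.
    Methods 1 and 3 LCase the input first; lowercase=False shows what a filter
    that skips that step sees.
    """
    haystack = value.lower() if lowercase else value
    for term in terms:
        if term in haystack:
            return term
    return None


def check_request(params, terms, lowercase=True):
    """Walk every parameter like the For Each loops over Request.QueryString / Request.Form.

    Returns (parameter name, matched fragment) for the first parameter that would
    trigger Response.End, or None when the request passes the filter.
    """
    for name, value in params.items():
        hit = first_hit(value, terms, lowercase)
        if hit is not None:
            return (name, hit)
    return None


if __name__ == "__main__":
    pipe_terms = blacklist(SQL_INJDATA, "|")
    space_terms = blacklist(STR_IN, " ")
    # Constructed requests: one hostile, two benign, one that only differs in case
    cases = [
        ("single quote in id", {"id": "1' or '1'='1"}, pipe_terms, True),
        ("surname containing 'and'", {"name": "Anderson"}, pipe_terms, True),
        ("upper-case keyword, no LCase", {"q": "SELECT"}, pipe_terms, False),
        ("upper-case keyword, with LCase", {"q": "SELECT"}, pipe_terms, True),
        ("word containing 'char' (method 3 list)", {"comment": "please send me a chart"}, space_terms, True),
        ("plain page number", {"page": "2"}, space_terms, True),
    ]
    for label, params, terms, lc in cases:
        print(f"{label:40s} -> {check_request(params, terms, lc)}")
```

Run it as a script to see each constructed request and the fragment (if any) that would stop it. The benign cases show why a filter like this needs a whitelist of parameters it may inspect, or a narrower list, before it goes live on a site with free-text fields; the real protection against injection is to build every query with parameters (an ADODB.Command with "?" placeholders in classic ASP), which makes the blacklist a logging aid rather than the only line of defence.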
 
 
