ctgwglzc posted on 2009-11-10 00:06:00

ASP function to block page-trojan (挂马) attacks and SQL parameter injection attacks

Hackers have been rampant lately; last weekend even the official Kingsoft PowerWord (金山词霸) site was attacked and had a trojan planted. There is no way to be 100% protected against viruses and hackers, but at the very least we should raise the site's security! Here I give an ASP function to block page-trojan and SQL parameter injection attacks; I hope everyone gets patched up!
Function FunSQL(Str)
' Returns "" for a Null input; otherwise trims the string and escapes or rewrites it.
' Replace(expr, find, with, start, count, compare): compare 0 = vbBinaryCompare
' (case-sensitive), compare 1 = vbTextCompare (case-insensitive).
If Isnull(Str) Then
FunSQL = ""
Exit Function
End If
Str=trim(Str)
Str = Replace(Str,Chr(0),"", 1, -1, 1)
Str = Replace(Str, """", "&quot;", 1, -1, 1)
Str = Replace(Str,"<","&lt;", 1, -1, 1)
Str = Replace(Str,">","&gt;", 1, -1, 1)
Str = Replace(Str,CHR(42),"&#42;")' "*"
Str = Replace(Str,CHR(44),"&#44;")' ","
' The keyword rewrites below only have an effect where the replacement text
' differs from the search text (for example the &#101; entity in exec); a line
' that replaces a word with the same word, as printed here, changes nothing.
Str = Replace(Str, "script", "script", 1, -1, 0)
Str = Replace(Str, "SCRIPT", "SCRIPT", 1, -1, 0)
Str = Replace(Str, "Script", "Script", 1, -1, 0)
Str = Replace(Str, "script", "Script", 1, -1, 1)
Str = Replace(Str, "object", "object", 1, -1, 0)
Str = Replace(Str, "OBJECT", "OBJECT", 1, -1, 0)
Str = Replace(Str, "Object", "Object", 1, -1, 0)
Str = Replace(Str, "object", "Object", 1, -1, 1)
Str = Replace(Str, "applet", "applet", 1, -1, 0)
Str = Replace(Str, "APPLET", "APPLET", 1, -1, 0)
Str = Replace(Str, "Applet", "Applet", 1, -1, 0)
Str = Replace(Str, "applet", "Applet", 1, -1, 1)
Str = Replace(Str, "[", "[")
Str = Replace(Str, "]", "]")
' Str = Replace(Str, "=", "=", 1, -1, 1)
' Str = Replace(Str, "'", "''", 1, -1, 1)
Str = Replace(Str, "select", "select", 1, -1, 1)
Str = Replace(Str, "execute", "&#101;xecute", 1, -1, 1)
Str = Replace(Str, "exec", "&#101;xec", 1, -1, 1)
Str = Replace(Str, "join", "join", 1, -1, 1)
Str = Replace(Str, "union", "union", 1, -1, 1)
Str = Replace(Str, "where", "where", 1, -1, 1)
Str = Replace(Str, "insert", "insert", 1, -1, 1)
Str = Replace(Str, "delete", "delete", 1, -1, 1)
Str = Replace(Str, "update", "update", 1, -1, 1)
Str = Replace(Str, "like", "like", 1, -1, 1)
Str = Replace(Str, "drop", "drop", 1, -1, 1)
Str = Replace(Str, "create", "create", 1, -1, 1)
Str = Replace(Str, "rename", "rename", 1, -1, 1)
Str = Replace(Str, "count", "count", 1, -1, 1)
Str = Replace(Str, "chr", "chr", 1, -1, 1)
Str = Replace(Str, "mid", "mid", 1, -1, 1)
Str = Replace(Str, "truncate", "truncate", 1, -1, 1)
Str = Replace(Str, "nchar", "nchar", 1, -1, 1)
Str = Replace(Str, "char", "char", 1, -1, 1)
Str = Replace(Str, "alter", "alter", 1, -1, 1)
Str = Replace(Str, "cast", "cast", 1, -1, 1)
Str = Replace(Str, "exists", "exists", 1, -1, 1)
' Carriage returns become line breaks; "-" becomes an en dash, which breaks "--" comments.
Str = Replace(Str,Chr(13),"<br>", 1, -1, 1)
' Str = Replace(Str, "*", "*")
Str = Replace(Str, "%", "%")
Str = Replace(Str, "-", "–")
FunSQL =Replace(Str,"'","&#39;", 1, -1, 1)
End Function

Here the different capitalizations of script are filtered separately as well, which basically solves it. We can apply this filtering both when data is stored and when it is retrieved!
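The following is an added example, not code from the post or its author. It is a Python port of the transformations FunSQL visibly applies, run against a constructed in-memory SQLite table (the `make_db` helper and its `users` table are assumptions standing in for a site's database), to show what the filter does and does not catch when its output is concatenated into SQL, beside the parameterized query that actually closes the SQL-injection side. The sample inputs are constructed.

```python
import re
import sqlite3


def fun_sql(s):
    """Port of FunSQL restricted to the steps that are visible in the post.

    Lines that replace a keyword with the same keyword (as the post prints
    them) are omitted because they change nothing; the remaining steps run in
    the order the VBScript applies them.
    """
    if s is None:
        return ""
    s = s.strip()
    s = s.replace("\x00", "")
    s = s.replace('"', "&quot;")
    s = s.replace("<", "&lt;").replace(">", "&gt;")
    s = s.replace("*", "&#42;").replace(",", "&#44;")
    # Replace(..., 1, -1, 1) is a case-insensitive (vbTextCompare) replace.
    for word, repl in [("script", "Script"), ("object", "Object"),
                       ("applet", "Applet"), ("execute", "&#101;xecute"),
                       ("exec", "&#101;xec")]:
        s = re.sub(word, repl, s, flags=re.IGNORECASE)
    s = s.replace("\r", "<br>")
    s = s.replace("-", "\u2013")  # the post turns "-" into an en dash
    s = s.replace("'", "&#39;")
    return s


def make_db():
    """Constructed in-memory table (assumption) standing in for a users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn


def rows_filtered_concat(conn, user_id):
    """The pattern the filter is meant to protect: filtered input pasted into SQL."""
    sql = "SELECT id, name FROM users WHERE id=" + fun_sql(user_id)
    return conn.execute(sql).fetchall()


def rows_parameterized(conn, user_id):
    """The real fix: the value is bound as a parameter and is never parsed as SQL."""
    return conn.execute("SELECT id, name FROM users WHERE id=?",
                        (user_id,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    payload = "1 OR 1=1"  # constructed: no quote, no comma, no listed keyword
    print(fun_sql(payload))                      # passes through unchanged
    print(rows_filtered_concat(conn, payload))   # every row comes back
    print(rows_parameterized(conn, payload))     # no row matches
    print(fun_sql("O'Brien, Jr."))               # legitimate data is mangled
```

In classic ASP the parameterized form is an ADODB.Command with Parameters appended and the SQL text containing `?` placeholders; the blacklist above cannot replace that, because a numeric context needs neither quotes nor any keyword in the list, while ordinary names with apostrophes or commas are rewritten before they reach the database.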

天剑风小流 posted on 2009-11-10 01:26:58

CT```ASP page-trojan tutorial coming up············

Two-faced, huh·······

langziming posted on 2009-11-10 11:27:07

Don't really get it; how do you use it?

天剑风小流 posted on 2009-11-10 13:45:25

Good stuff···············

lp200611 posted on 2012-10-22 16:48:26

Don't know how to use it