SQL通用防注入程序 ASP完美版
成功志
SQL通用防注入程序 ASP完美版
2011-12-3 ok12

<%

'--------版权说明------------------

'SQL通用防注入程序 完美版


'--------定义部份------------------

Dim
Fy_Post,Fy_Get,Fy_In,Fy_Inf,Fy_Xh,Fy_db,Fy_dbstr,alerts

'自定义需要过滤的字串,用 "|"
分隔

Fy_In =
"'|;|and|exec|insert|select|delete|update|count|*|%|chr|mid|master|truncate|char|declare|or"

'----------------------------------

%>


<%

Fy_Inf = split(Fy_In,"|")

'--------POST部份------------------

If
Request.Form<>"" Then

For Each Fy_Post In Request.Form

    For
Fy_Xh=0 To Ubound(Fy_Inf)

      If
Instr(LCase(Request.Form(Fy_Post)),Fy_Inf(Fy_Xh))<>0 Then

       
'--------写入数据库--头--------

        Conn.Execute("insert into
evset_NoHackSql(Sqlin_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ)
values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','POST','"&Fy_Post&"','"&replace(Request.Form(Fy_Post),"'","''")&"')")

       
Conn.close

        Set Conn = Nothing

       
'--------写入数据库--尾--------

   call e_alert()

      End If

   
Next

Next

End If


'--------GET部份-------------------

If Request.QueryString<>""
Then

For Each Fy_Get In Request.QueryString

    For Fy_Xh=0 To
Ubound(Fy_Inf)

      If
Instr(LCase(Request.QueryString(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then

       
'--------写入数据库--头--------

        Conn.Execute("insert into
evset_NoHackSql(SqlIn_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ)
values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','GET','"&Fy_Get&"','"&replace(Request.QueryString(Fy_Get),"'","''")&"')")

       
Conn.close

        Set Conn = Nothing

       
'--------写入数据库--尾--------

   call e_alert()

      End If

   
Next

Next

End If


'--------cookies部份-------------------

If Request.Cookies<>""
Then

For Each Fy_Get In Request.Cookies

    For Fy_Xh=0 To
Ubound(Fy_Inf)

      If
Instr(LCase(Request.Cookies(Fy_Get)),Fy_Inf(Fy_Xh))<>0 Then

       
'--------写入数据库--头--------

        Conn.Execute("insert into
evset_NoHackSql(SqlIn_IP,SqlIn_Web,SqlIn_TIME,SqlIn_FS,SqlIn_CS,SqlIn_SJ)
values('"&Request.ServerVariables("REMOTE_ADDR")&"','"&Request.ServerVariables("URL")&"','"&now&"','Cookies','"&Fy_Get&"','"&replace(Request.Cookies(Fy_Get),"'","''")&"')")

       
Conn.close

        Set Conn = Nothing

       
'--------写入数据库--尾--------

   call e_alert()

      End If

   
Next

Next

End If


Sub e_alert()

alerts = "<"&"Script
Language=JavaScript"&">"

alerts = alerts &
"alert('请不要试图攻击本站,我们已经记录下你的信息!\n\nhttp://"&Request.ServerVariables("HTTP_HOST")&"/\n\nBy:若寒(X.L.B)
QQ:343576462');window.opener=null; window.close();"

alerts = alerts &
"<"&"/Script"&">"

Response.Write alerts 

Response.End

end Sub

%>

发表评论:
昵称

邮件地址 (选填)

个人主页 (选填)

内容