程序師世界是廣大編程愛好者互助、分享、學習的平台,程序師世界有你更精彩!
首頁
編程語言
C語言|JAVA編程
Python編程
網頁編程
ASP編程|PHP編程
JSP編程
數據庫知識
MYSQL數據庫|SqlServer數據庫
Oracle數據庫|DB2數據庫
 程式師世界 >> 編程語言 >> .NET網頁編程 >> ASP.NET >> ASP.NET基礎 >> asp.net下檢測SQL注入式攻擊代碼

asp.net下檢測SQL注入式攻擊代碼

編輯:ASP.NET基礎
兩個類:
(頁面數據校驗類)PageValidate.cs 基本通用。
代碼如下:
復制代碼 代碼如下:
using System;
using System.Text;
using System.Web;
using System.Web.UI.WebControls;
using System.Text.RegularExpressions;

namespace Common
{
    /// <summary>
    /// 頁面數據校驗類
    /// </summary>
    public class PageValidate
    {
        private static Regex RegNumber = new Regex("^[0-9]+$");
        private static Regex RegNumberSign = new Regex("^[+-]?[0-9]+$");
        private static Regex RegDecimal = new Regex("^[0-9]+[.]?[0-9]+$");
        private static Regex RegDecimalSign = new Regex("^[+-]?[0-9]+[.]?[0-9]+$"); //等價於^[+-]?\d+[.]?\d+$
        private static Regex RegEmail = new Regex("^[\\w-]+@[\\w-]+\\.(com|net|org|edu|mil|tv|biz|info)$");//w 英文字母或數字的字符串,和 [a-zA-Z0-9] 語法一樣
        private static Regex RegCHZN = new Regex("[\u4e00-\u9fa5]");

        public PageValidate()
        {
        }


        #region 數字字符串檢查        

        /// <summary>
        /// 檢查Request查詢字符串的鍵值,是否是數字,最大長度限制
        /// </summary>
        /// <param name="req">Request</param>
        /// <param name="inputKey">Request的鍵值</param>
        /// <param name="maxLen">最大長度</param>
        /// <returns>返回Request查詢字符串</returns>
        public static string FetchInputDigit(HttpRequest req, string inputKey, int maxLen)
        {
            string retVal = string.Empty;
            if(inputKey != null && inputKey != string.Empty)
            {
                retVal = req.QueryString[inputKey];
                if(null == retVal)
                    retVal = req.Form[inputKey];
                if(null != retVal)
                {
                    retVal = SqlText(retVal, maxLen);
                    if(!IsNumber(retVal))
                        retVal = string.Empty;
                }
            }
            if(retVal == null)
                retVal = string.Empty;
            return retVal;
        }        
        /// <summary>
        /// 是否數字字符串
        /// </summary>
        /// <param name="inputData">輸入字符串</param>
        /// <returns></returns>
        public static bool IsNumber(string inputData)
        {
            Match m = RegNumber.Match(inputData);
            return m.Success;
        }        
        /// <summary>
        /// 是否數字字符串 可帶正負號
        /// </summary>
        /// <param name="inputData">輸入字符串</param>
        /// <returns></returns>
        public static bool IsNumberSign(string inputData)
        {
            Match m = RegNumberSign.Match(inputData);
            return m.Success;
        }        
        /// <summary>
        /// 是否是浮點數
        /// </summary>
        /// <param name="inputData">輸入字符串</param>
        /// <returns></returns>
        public static bool IsDecimal(string inputData)
        {
            Match m = RegDecimal.Match(inputData);
            return m.Success;
        }        
        /// <summary>
        /// 是否是浮點數 可帶正負號
        /// </summary>
        /// <param name="inputData">輸入字符串</param>
        /// <returns></returns>
        public static bool IsDecimalSign(string inputData)
        {
            Match m = RegDecimalSign.Match(inputData);
            return m.Success;
        }        

        #endregion

        #region 中文檢測

        /// <summary>
        /// 檢測是否有中文字符
        /// </summary>
        /// <param name="inputData"></param>
        /// <returns></returns>
        public static bool IsHasCHZN(string inputData)
        {
            Match m = RegCHZN.Match(inputData);
            return m.Success;
        }    

        #endregion

        #region 郵件地址
        /// <summary>
        /// 是否是浮點數 可帶正負號
        /// </summary>
        /// <param name="inputData">輸入字符串</param>
        /// <returns></returns>
        public static bool IsEmail(string inputData)
        {
            Match m = RegEmail.Match(inputData);
            return m.Success;
        }        

        #endregion

        #region 其他

        /// <summary>
        /// 檢查字符串最大長度,返回指定長度的串
        /// </summary>
        /// <param name="sqlInput">輸入字符串</param>
        /// <param name="maxLength">最大長度</param>
        /// <returns></returns>            
        public static string SqlText(string sqlInput, int maxLength)
        {            
            if(sqlInput != null && sqlInput != string.Empty)
            {
                sqlInput = sqlInput.Trim();                            
                if(sqlInput.Length > maxLength)//按最大長度截取字符串
                    sqlInput = sqlInput.Substring(0, maxLength);
            }
            return sqlInput;
        }        
        /// <summary>
        /// 字符串編碼
        /// </summary>
        /// <param name="inputData"></param>
        /// <returns></returns>
        public static string HtmlEncode(string inputData)
        {
            return HttpUtility.HtmlEncode(inputData);
        }
        /// <summary>
        /// 設置Label顯示Encode的字符串
        /// </summary>
        /// <param name="lbl"></param>
        /// <param name="txtInput"></param>
        public static void SetLabel(Label lbl, string txtInput)
        {
            lbl.Text = HtmlEncode(txtInput);
        }
        public static void SetLabel(Label lbl, object inputObj)
        {
            SetLabel(lbl, inputObj.ToString());
        }        
        //字符串清理
        public static string InputText(string inputString, int maxLength)
        {            
            StringBuilder retVal = new StringBuilder();

            // 檢查是否為空
            if ((inputString != null) && (inputString != String.Empty))
            {
                inputString = inputString.Trim();

                //檢查長度
                if (inputString.Length > maxLength)
                    inputString = inputString.Substring(0, maxLength);

                //替換危險字符
                for (int i = 0; i < inputString.Length; i++)
                {
                    switch (inputString[i])
                    {
                        case '"':
                            retVal.Append(""");
                            break;
                        case '<':
                            retVal.Append("<");
                            break;
                        case '>':
                            retVal.Append(">");
                            break;
                        default:
                            retVal.Append(inputString[i]);
                            break;
                    }
                }                
                retVal.Replace("'", " ");// 替換單引號
            }
            return retVal.ToString();

        }
        /// <summary>
        /// 轉換成 HTML code
        /// </summary>
        /// <param name="str">string</param>
        /// <returns>string</returns>
        public static string Encode(string str)
        {            
            str = str.Replace("&","&");
            str = str.Replace("'","''");
            str = str.Replace("\"",""");
            str = str.Replace(" "," ");
            str = str.Replace("<","<");
            str = str.Replace(">",">");
            str = str.Replace("\n","<br>");
            return str;
        }
        /// <summary>
        ///解析html成 普通文本
        /// </summary>
        /// <param name="str">string</param>
        /// <returns>string</returns>
        public static string Decode(string str)
        {            
            str = str.Replace("<br>","\n");
            str = str.Replace(">",">");
            str = str.Replace("<","<");
            str = str.Replace(" "," ");
            str = str.Replace(""","\"");
            return str;
        }

        #endregion 

    }
}

通用文件(Global.asax),保存為Global.asax文件名 放到網站根木馬下即可。(其他功能自行補上)
復制代碼 代碼如下:
<script language="C#" runat="server"><!--
    protected void Application_BeginRequest(Object sender, EventArgs e)
        {
            StartProcessRequest();
        }


/// <summary>
/// 處理用戶提交的請求
/// </summary>
private void StartProcessRequest()
{
try
{
string getkeys = "";

if (System.Web.HttpContext.Current.Request.QueryString != null)
{

for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i];
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys]))
{
System.Web.HttpContext.Current.Response.Write("Get,出現錯誤,包含非法字符串");
System.Web.HttpContext.Current.Response.End();
}
}
}
if (System.Web.HttpContext.Current.Request.Form != null)
{
for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i];
if (getkeys == "__VIEWSTATE") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys]))
{
System.Web.HttpContext.Current.Response.Write("Post,出現錯誤,包含非法字符串");
System.Web.HttpContext.Current.Response.End();
}
}
}
            if(System.Web.HttpContext.Current.Request.Cookies!=null)
            {
             for (int i = 0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++)
{
getkeys = System.Web.HttpContext.Current.Request.Cookies.Keys[i];
if (getkeys == "__VIEWSTATE") continue;
if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].Value))
{
System.Web.HttpContext.Current.Response.Write("Cookies,出現錯誤,包含非法字符串");
System.Web.HttpContext.Current.Response.End();
}
}
            }

}
catch
{
// 錯誤處理: 處理用戶提交信息!
}
}
/// <summary>
/// 分析用戶請求是否正常
/// </summary>
/// <param name="Str">傳入用戶提交數據 </param>
/// <returns>返回是否含有SQL注入式攻擊代碼 </returns>
private bool ProcessSqlStr(string Str)
{
bool ReturnValue = true;
try
{
if (Str.Trim() != "")
{
                string SqlStr = "select¦insert¦delete¦update¦declare¦sysobjects¦syscolumns¦cast¦truncate¦master¦mid¦exec";

                string[] anySqlStr = SqlStr.Split('¦');
foreach (string ss in anySqlStr)
{
if (Str.ToLower().IndexOf(ss) >= 0)
{
ReturnValue = false;
break;
}
}
}
}
catch
{
ReturnValue = false;
}
return ReturnValue;
}

// --></script>
  1. 上一頁:
  2. 下一頁:
Copyright © 程式師世界 All Rights Reserved