时间:2025-01-22 点击: 次 来源:网络 作者:佚名 - 小 + 大
| 使用方法如下: 1. 把以下代码保存为_safe.asp,然后放到站点根目录即可。 <% 'Code by xieyunc On Error Resume Next if request.querystring<>"" then call stophacker(request.querystring,"'|\b(alert|confirm|prompt)\b|<[^>]*?>|^\+/v(8|9)|\bonmouse(over|move)=\b|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") if Request.ServerVariables("HTTP_REFERER")<>"" then call test(Request.ServerVariables("HTTP_REFERER"),"'|\b(and|or)\b.+?(>|<|=|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") if request.Cookies<>"" then call stophacker(request.Cookies,"\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") call stophacker(request.Form,"^\+/v(8|9)|\b(and|or)\b.{1,6}?(=|>|<|\bin\b|\blike\b)|/\*.+?\*/|<\s*script\b|<\s*img\b|\bEXEC\b|UNION.+?SELECT|UPDATE.+?SET|INSERT\s+INTO.+?VALUES|(SELECT|DELETE).+?FROM|(CREATE|ALTER|DROP|TRUNCATE)\s+(TABLE|DATABASE)") function test(values,re) dim regex set regex=new regexp regex.ignorecase = true regex.global = true regex.pattern = re if regex.test(values) then IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") If IP = "" Then IP=Request.ServerVariables("REMOTE_ADDR") end if 'slog("<br><br>操作IP: "&ip&"<br>操作时间: " & now() & "<br>操作页面:"&Request.ServerVariables("URL")&"<br>提交方式: "&Request.ServerVariables("Request_Method")&"<br>提交参数: "&l_get&"<br>提交数据: "&l_get2) Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br><br></div>") Response.end end if set regex = nothing end function function stophacker(values,re) dim l_get, l_get2,n_get,regex,IP for each n_get in values for each l_get in values l_get2 = values(l_get) set regex = new regexp regex.ignorecase = true regex.global = true regex.pattern = re if regex.test(l_get2) then IP=Request.ServerVariables("HTTP_X_FORWARDED_FOR") If IP = "" Then IP=Request.ServerVariables("REMOTE_ADDR") end if 'slog("<br><br>操作IP: "&ip&"<br>操作时间: " & now() & "<br>操作页面:"&Request.ServerVariables("URL")&"<br>提交方式: "&Request.ServerVariables("Request_Method")&"<br>提交参数: "&l_get&"<br>提交数据: "&l_get2) Response.Write("<div style='position:fixed;top:0px;width:100%;height:100%;background-color:white;color:green;font-weight:bold;border-bottom:5px solid #999;'><br>您的提交带有不合法参数,谢谢合作!<br><br></div>") Response.end end if set regex = nothing next next end function sub slog(logs) dim toppath,fs,Ts toppath = Server.Mappath("/index.asp") Set fs = CreateObject("scripting.filesystemobject") If Not Fs.FILEEXISTS(toppath) Then Set Ts = fs.createtextfile(toppath, True) Ts.close end if Set Ts= Fs.OpenTextFile(toppath,8) Ts.writeline (logs) Ts.Close Set Ts=nothing Set fs=nothing end sub %> 2.在所需要防护的页面加入代码 <!--#include virtual="/_safe.asp"--> 就可以做到页面防注入、跨站。 如果想整站防注,就在网站的一个公用文件中,如数据库链接文件conn.asp中! 添加<!--#include virtual="/_safe.asp"-->来调用本代码,赶快去试试吧!
|
上一篇:浏览器打开出现404的解决方法