网上找的所谓过滤
<%@ LANGUAGE = VBScript CodePage = 936%>
<%
Option Explicit
Response.Buffer = true
dim GQ,Checki,errc
GQ=request.servervariables("HTTP_USER_AGENT")
errc=false
dim nothis(19)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
nothis(19)="declare"
for checki= 0 to ubound(nothis)
'--------------Get Filter
if instr(lcase(GQ),nothis(checki))<>0 then
errc=true
exit for
end if
next
if errc then
response.end
end if
Dim Startime
Dim Dvbbs,template
Dim SqlNowString,Conn
'定义数据库类别,1为SQL数据库,0为Access数据库
Const IsSqlDataBase = 1
'论坛缓存名称,如果一个站点有多个论坛请更改成不同名称
Const Forum_CacheName = "aspsky"
'定义运行模式,测试的时候设置1,正常运行的时候设置为0,不输出错误信息有利于安全,
Const IsDeBug = 1
Startime = Timer()
Dim MyBoardOnline
Dim Db
Set Dvbbs = New Cls_Forum
Set MyBoardOnline=new Cls_UserOnlne
Set template = New cls_templates
If IsSqlDataBase = 1 Then
SqlNowString = "GetDate()"
Else
SqlNowString = "Now()"
End If
Sub ConnectionDatabase
Dim ConnStr
If IsSqlDataBase = 1 Then
'sql数据库连接参数:数据库名、用户密码、用户名、连接名(本地用local,外地用IP)
Dim SqlDatabaseName,SqlPassword,SqlUsername,SqlLocalName
SqlDatabaseName = "dvbbs7"
SqlPassword = ""
SqlUsername = "dvbbs"
SqlLocalName = "(local)"
ConnStr = "Provider = Sqloledb; User ID = " & SqlUsername & "; Password = " & SqlPassword & "; Initial Catalog = " & SqlDatabaseName & "; Data Source = " & SqlLocalName & ";"
Else
'免费用户第一次使用请修改本处数据库地址并相应修改data目录中数据库名称,如将dvbbs6.mdb修改为dvbbs6.asp
Db = "data/dvbbs7.mdb"
ConnStr = "Provider = Microsoft.Jet.OLEDB.4.0;Data Source = " & Server.MapPath(db)
End If
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.open ConnStr
If Err Then
err.Clear
Set Conn = Nothing
Response.Write "数据库连接出错,请检查连接字串。"'注释,需要把这几个字翻译成英文。
Response.End
End If
End Sub
%>
<%
Option Explicit
Response.Buffer = true
dim GQ,Checki,errc
GQ=request.servervariables("HTTP_USER_AGENT")
errc=false
dim nothis(19)
nothis(0)="net user"
nothis(1)="xp_cmdshell"
nothis(2)="/add"
nothis(3)="exec%20master.dbo.xp_cmdshell"
nothis(4)="net localgroup administrators"
nothis(5)="select"
nothis(6)="count"
nothis(7)="asc"
nothis(8)="char"
nothis(9)="mid"
nothis(10)="'"
nothis(11)=":"
nothis(12)=""""
nothis(13)="insert"
nothis(14)="delete"
nothis(15)="drop"
nothis(16)="truncate"
nothis(17)="from"
nothis(18)="%"
nothis(19)="declare"
for checki= 0 to ubound(nothis)
'--------------Get Filter
if instr(lcase(GQ),nothis(checki))<>0 then
errc=true
exit for
end if
next
if errc then
response.end
end if
Dim Startime
Dim Dvbbs,template
Dim SqlNowString,Conn
'定义数据库类别,1为SQL数据库,0为Access数据库
Const IsSqlDataBase = 1
'论坛缓存名称,如果一个站点有多个论坛请更改成不同名称
Const Forum_CacheName = "aspsky"
'定义运行模式,测试的时候设置1,正常运行的时候设置为0,不输出错误信息有利于安全,
Const IsDeBug = 1
Startime = Timer()
Dim MyBoardOnline
Dim Db
Set Dvbbs = New Cls_Forum
Set MyBoardOnline=new Cls_UserOnlne
Set template = New cls_templates
If IsSqlDataBase = 1 Then
SqlNowString = "GetDate()"
Else
SqlNowString = "Now()"
End If
Sub ConnectionDatabase
Dim ConnStr
If IsSqlDataBase = 1 Then
'sql数据库连接参数:数据库名、用户密码、用户名、连接名(本地用local,外地用IP)
Dim SqlDatabaseName,SqlPassword,SqlUsername,SqlLocalName
SqlDatabaseName = "dvbbs7"
SqlPassword = ""
SqlUsername = "dvbbs"
SqlLocalName = "(local)"
ConnStr = "Provider = Sqloledb; User ID = " & SqlUsername & "; Password = " & SqlPassword & "; Initial Catalog = " & SqlDatabaseName & "; Data Source = " & SqlLocalName & ";"
Else
'免费用户第一次使用请修改本处数据库地址并相应修改data目录中数据库名称,如将dvbbs6.mdb修改为dvbbs6.asp
Db = "data/dvbbs7.mdb"
ConnStr = "Provider = Microsoft.Jet.OLEDB.4.0;Data Source = " & Server.MapPath(db)
End If
On Error Resume Next
Set conn = Server.CreateObject("ADODB.Connection")
conn.open ConnStr
If Err Then
err.Clear
Set Conn = Nothing
Response.Write "数据库连接出错,请检查连接字串。"'注释,需要把这几个字翻译成英文。
Response.End
End If
End Sub
%>
作用不言而喻,在程序出现了sql漏洞的时候,还能做到不让对方进行xp_cmdshell的操作,不过作用真的不是很大,只要在sql服务器上稍微做一下权限控制,或者删除xp_cmdshell的存储过程就可以了,实在有够多余,不过还是可以借鉴一下的。
邮箱:james@taogame.com
QQ:785418
微信:jamesying1
QQ群:376248054 通关:cnblogs
技术改变生活,技术改变人生!用技术来创造价值,拥有技术,不仅仅是开发,您将获得更多!如果您觉得我能帮到您,您可以通过扫描下面二维码来【捐助】我!
QQ:785418
微信:jamesying1
QQ群:376248054 通关:cnblogs
技术改变生活,技术改变人生!用技术来创造价值,拥有技术,不仅仅是开发,您将获得更多!如果您觉得我能帮到您,您可以通过扫描下面二维码来【捐助】我!