Asp.net中Global.asax設定防止Sql注入
阿新 • • 發佈:2019-02-18
更多.net技術就在http://bbs.netluntan.com,群:121058751using System; using System.IO; public partial class Global : System.Web.HttpApplication { protected void Application_Start(object sender, EventArgs e) { //在應用程式啟動時執行的程式碼 } protected void Session_Start(object sender, EventArgs e) { //在新會話啟動時執行的程式碼 } protected void Application_BeginRequest(object sender, EventArgs e) { try { string getkeys = ""; //防止post方法注入 if (System.Web.HttpContext.Current.Request.Form != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.Form.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.Form.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Form[getkeys], 1)) { RecordeWrite(); System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm"); System.Web.HttpContext.Current.Response.End(); } } } //防止get方法注入 if (System.Web.HttpContext.Current.Request.QueryString != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.QueryString.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.QueryString.Keys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.QueryString[getkeys], 2)) { RecordeWrite(); System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm"); System.Web.HttpContext.Current.Response.End(); } } } //防止cookie方法注入 if (System.Web.HttpContext.Current.Request.Cookies != null) { for (int i = 0; i < System.Web.HttpContext.Current.Request.Cookies.Count; i++) { getkeys = System.Web.HttpContext.Current.Request.Cookies.AllKeys[i]; if (!ProcessSqlStr(System.Web.HttpContext.Current.Request.Cookies[getkeys].Value, 3)) { RecordeWrite(); System.Web.HttpContext.Current.Response.Redirect("/Error/assault.htm"); System.Web.HttpContext.Current.Response.End(); } } } } catch { } } /// <summary> /// 分析使用者請求是否正常 /// </summary> /// <param name="Str">傳入使用者提交資料</param> /// <param name="type">注入的方式</param> /// <returns>返回是否含有SQL注入式攻擊程式碼</returns> protected bool ProcessSqlStr(string Str, int type) { string SqlStr = ""; if (type == 1) //Post方法提交 { SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace(|varchar(|cast("; } else if (type == 2) //Get方法提交 { SqlStr = "'|script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|*|asc(|chr(|substring(|mid(|master|truncate|char(|declare|and|or|=|%|replace(|;|varchar(|cast("; } else if (type == 3) //Cookie提交 { SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare"; } else //預設Post方法提交 { SqlStr = "script|iframe|xp_loginconfig|xp_fixeddrives|Xp_regremovemultistring|Xp_regread|Xp_regwrite|xp_cmdshell|xp_dirtree|exec|insert|select|delete|update|count(|asc(|chr(|substring(|mid(|master|truncate|char(|declare|replace("; } bool ReturnValue = true; try { if (Str != "") { string[] anySqlStr = SqlStr.ToUpper().Split('|'); ; foreach (string ss in anySqlStr) { if (Str.ToUpper().IndexOf(ss) >= 0) { ReturnValue = false; } } } } catch { ReturnValue = false; } return ReturnValue; } /// <summary> /// 記錄攻擊資訊 /// </summary> protected void RecordeWrite() { try { string path = "~/Error/Log/" + DateTime.Today.ToString("dd-mm-yy") + ".txt"; if (!System.IO.File.Exists(System.Web.HttpContext.Current.Server.MapPath(path))) { System.IO.File.Create(System.Web.HttpContext.Current.Server.MapPath(path)).Close(); } using (StreamWriter w = System.IO.File.AppendText(System.Web.HttpContext.Current.Server.MapPath(path))) { w.WriteLine("當前時間:{0}", System.DateTime.Now.ToString()); w.WriteLine("當前IP:{0} ", System.Web.HttpContext.Current.Request.UserHostAddress); w.WriteLine("當前Url:{0} ", System.Web.HttpContext.Current.Request.Url.ToString()); w.WriteLine("__________________________________"); w.Flush(); w.Close(); } } catch { } } protected void Application_AuthenticateRequest(object sender, EventArgs e) { } protected void Application_Error(object sender, EventArgs e) { } protected void Session_End(object sender, EventArgs e) { //在會話結束時執行的程式碼。 // 注意: 只有在 Web.config 檔案中的 sessionstate 模式設定為 // InProc 時,才會引發 Session_End 事件。如果會話模式 //設定為 StateServer 或 SQLServer,則不會引發該事件。 } protected void Application_End(object sender, EventArgs e) { } }